
backmesh/backmesh


Backmesh

😵‍💫 Problem

Shipping a private API key inside your app means anyone can extract it from the bundle, call the API on your account, and rack up thousands of dollars in API costs.

🛠️ Solution

Backmesh is an open-source, tested backend that keeps your private API key encrypted on the server side and offers an API Gatekeeper, so your web or mobile app can call the API through any SDK without the private key ever shipping to the client. Only 2 changes are needed in your app:

  1. Replace the API URL with the Backmesh Gatekeeper URL.
  2. Replace the API private key with the authenticated user's JWT.
```js
import OpenAI from "openai";
import { createClient } from "@supabase/supabase-js";

// Gatekeeper URL from your Backmesh dashboard; it stands in for https://api.openai.com/v1
const BACKMESH_URL =
  "https://edge.backmesh.com/v1/proxy/gbBbHCDBxqb8zwMk6dCio63jhOP2/wjlwRswvSXp4FBXwYLZ1/v1";

// SUPABASE_URL and SUPABASE_ANON_KEY are your project's public values (placeholders here)
const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
const { data: { session } } = await supabase.auth.getSession();
const jwt = session.access_token; // the signed-in user's JWT from the auth provider

const client = new OpenAI({
  baseURL: BACKMESH_URL,         // change 1: Backmesh Gatekeeper URL instead of the API URL
  apiKey: jwt,                   // change 2: the user's JWT instead of the private API key
  dangerouslyAllowBrowser: true, // no longer dangerous: the real key never reaches the browser
});
```

🔒 How the LLM API is protected

  • JWT Authentication: Every request is verified against a JWT issued by the app's authentication provider, so only your signed-in users can reach the LLM API through Backmesh.
  • Rate limits per user: Configurable per-user rate limits to prevent abuse (e.g. no more than 5 OpenAI API calls per user per hour).

🛡️ Additional Protections for LLM APIs

  • Resource access control: Sensitive API resources like Files and Threads are protected so only the users that create them can continue to access them.

For more details, see the security documentation.

⚡️ Try out Backmesh

Get started with Backmesh using our dashboard or if you would like to self host make sure to check out the self hosting guide.

🚀 Contribute

To contribute, visit Contributing.md
