🧠 All Things AI
Intermediate

API Keys & Org Management

Managing API keys and organisation structure is foundational to building secure, cost-controlled applications on OpenAI. Understanding how keys scope to organisations and projects — and applying spend limits before you write a single line of application code — prevents the most common cost and security incidents.

Creating API Keys

API keys are created at platform.openai.com/api-keys:

  1. Log in to the OpenAI Platform
  2. Navigate to API Keys in the left sidebar
  3. Click Create new secret key
  4. Give the key a descriptive name (e.g., "production-search-service")
  5. Optionally scope it to a specific Project
  6. Copy the key immediately — it is shown only once and cannot be retrieved again

If you lose a key before copying it, create a new one and rotate every reference to the old one. The secret value cannot be recovered after the creation dialog closes, but the uncopied key is still a valid credential, so delete it from the dashboard rather than leaving it active.

Key Scoping: Organisations and Projects

Every API key exists within a scope hierarchy:

Organisation-scoped keys

Can access all resources across the entire organisation: all projects, all vector stores, all files. Appropriate for admin tooling and internal scripts run by a trusted operator. Should not be used in production application code: the scope is too broad, and a single leaked key exposes every project's data and spend.

Project-scoped keys (recommended for production)

Restricted to the resources of a specific Project — its vector stores, files, and model access. A compromised project-scoped key cannot access your other projects or organisation-level resources. This is the principle of least privilege applied to API credentials.

Organisations

An Organisation is the top-level account structure in OpenAI Platform. It holds billing, usage limits, and all shared resources. Members can have different roles:

  • Owner: Full access — billing, member management, API keys, all settings
  • Member: Can use the API and create keys within their scope; cannot manage billing or add members
  • Reader: Read-only access to usage data and logs

Most teams use a single Organisation. Enterprise customers may have multiple Organisations for different business units or compliance boundaries.

Projects

Projects are sub-namespaces within an Organisation. Each Project has its own:

  • API keys (scoped to that project)
  • Usage tracking and cost breakdown
  • Vector stores and uploaded files
  • Spend limits (independent of org-level limits)

A typical pattern: create a development project and a production project, each with its own project-scoped keys. A development cost overrun or a leaked development key then cannot reach the production budget or data, and vice versa.

Spend Limits

Set spend limits before deploying any application. You can configure two levels:

  • Hard limit: API calls are rejected once this monthly spend is reached. Prevents runaway costs absolutely.
  • Soft limit: You receive an email notification when spend reaches this level, but the API continues to work.

Configure these at Settings → Billing → Usage Limits, at both the organisation and the project level. A good starting point is a hard limit at twice your expected monthly spend: genuine traffic is never blocked, but a runaway loop cannot generate a catastrophic bill. Note that the hard limit caps the month's bill rather than the rate of spend, so a tight retry loop can still burn the whole budget in minutes; keep an application-side budget or rate check as a second layer.
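The application-side layer under the platform limits, as an added example that is not code from the original page: a small guard that mirrors the soft/hard split in process, refuses a call whose worst case (the full `max_tokens` emitted) would cross the hard limit, and raises a single alert when the soft limit is passed. The per-token prices, the model name and the usage numbers are placeholders constructed for the example, not OpenAI's price list.

```python
"""Application-side spend guard, layered under the platform usage limits.

Added example, not from the original page. Prices below are placeholders
(assumed), not OpenAI's price list; plug in the real rates for your models.
"""
from dataclasses import dataclass, field


class SpendExceeded(RuntimeError):
    """Raised when a call would push spend past the local hard limit."""


# Assumed illustrative prices, USD per 1M tokens.
PRICES_PER_M = {"example-model": {"input": 1.00, "output": 4.00}}


def call_cost(model: str, prompt_tokens: int, completion_tokens: int) -> float:
    """Cost of one call from its token counts, using the table above."""
    p = PRICES_PER_M[model]
    return (prompt_tokens * p["input"] + completion_tokens * p["output"]) / 1_000_000


@dataclass
class SpendGuard:
    soft_limit_usd: float      # alert threshold, like the platform soft limit
    hard_limit_usd: float      # refuse further calls, like the platform hard limit
    spent_usd: float = 0.0
    alerts: list = field(default_factory=list)

    def check_before_call(self, model: str, prompt_tokens: int, max_tokens: int) -> None:
        """Fail closed: reject a call whose worst case would cross the hard limit.

        The worst case assumes the model emits the full max_tokens, so the
        guard stops a runaway loop one call early instead of one call late.
        """
        worst = call_cost(model, prompt_tokens, max_tokens)
        if self.spent_usd + worst > self.hard_limit_usd:
            raise SpendExceeded(
                f"projected ${self.spent_usd + worst:.4f} exceeds hard limit "
                f"${self.hard_limit_usd:.4f}"
            )

    def record_usage(self, model: str, prompt_tokens: int, completion_tokens: int) -> float:
        """Account for the tokens the API reported after a call; return running spend."""
        self.spent_usd += call_cost(model, prompt_tokens, completion_tokens)
        if self.spent_usd >= self.soft_limit_usd and not self.alerts:
            # In a real service this would page or post to a channel, once.
            self.alerts.append(
                f"soft limit ${self.soft_limit_usd:.4f} reached at ${self.spent_usd:.4f}"
            )
        return self.spent_usd


def simulate_runaway_loop(calls: int, soft: float, hard: float) -> dict:
    """Drive the guard with constructed usage (5k prompt, 1k completion per call).

    Returns how many calls went through before the guard refused one.
    """
    guard = SpendGuard(soft_limit_usd=soft, hard_limit_usd=hard)
    completed = 0
    for _ in range(calls):
        try:
            guard.check_before_call("example-model", prompt_tokens=5_000, max_tokens=1_000)
        except SpendExceeded:
            break
        # Constructed usage: pretend the API reported these counts back.
        guard.record_usage("example-model", prompt_tokens=5_000, completion_tokens=1_000)
        completed += 1
    return {"completed": completed, "spent_usd": round(guard.spent_usd, 6), "alerts": guard.alerts}


if __name__ == "__main__":
    print(simulate_runaway_loop(calls=100, soft=0.01, hard=0.02))
```

With the placeholder prices each simulated call costs $0.009, so a hard limit of $0.02 lets two calls through, raises the soft-limit alert on the second, and refuses the third before it is sent. The guard is per process; for a multi-replica service the running total belongs in shared storage, but the fail-closed check stays the same.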

Best Practices

Do

  • Store keys in environment variables (OPENAI_API_KEY) injected at deploy time, or in a secrets manager; never in files that live in the repository
  • Use project-scoped keys in production
  • Set spend limits before any deployment
  • Rotate keys on a regular schedule (e.g., every 90 days)
  • Use different keys per service/application
  • Monitor usage at Platform → Usage
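The first two items above in code, as an added example that is not from the original page: a loader that reads OPENAI_API_KEY, refuses to start without it, optionally rejects anything that is not shaped like a project-scoped key, and a logging filter that masks key-shaped strings before they reach a log line. The prefix check relies on the `sk-proj-` prefix project keys currently carry; the exact key format is an assumption, so adjust the pattern if it changes. The environment and key value in the demo are constructed placeholders.

```python
"""Loading the API key from the environment, failing closed, and keeping it out of logs.

Added example, not from the original page. The prefix check assumes the
"sk-proj-" prefix that project keys currently carry; adjust if the format changes.
"""
import logging
import os
import re
from typing import Mapping

# Assumed key shape for redaction: "sk-", optionally "proj-", then a long token.
KEY_PATTERN = re.compile(r"sk-(?:proj-)?[A-Za-z0-9_-]{20,}")


class MissingCredential(RuntimeError):
    """Raised when no usable credential is configured."""


def load_api_key(env: Mapping[str, str] = os.environ, var: str = "OPENAI_API_KEY",
                 require_project_key: bool = True) -> str:
    """Read the key from the environment; refuse to start without one.

    With require_project_key the loader also rejects anything that does not
    look like a project-scoped key, enforcing least privilege in code rather
    than relying on whoever set the variable.
    """
    key = env.get(var, "").strip()
    if not key:
        raise MissingCredential(f"{var} is not set; refusing to start with no credential")
    if require_project_key and not key.startswith("sk-proj-"):
        raise MissingCredential(f"{var} is not a project-scoped key; org-scoped keys are not allowed here")
    return key


def redact(secret: str) -> str:
    """Show just enough of a key to identify it in the dashboard, never the whole value."""
    if len(secret) <= 12:
        return "***"
    return f"{secret[:8]}...{secret[-4:]}"


def scrub(text: str) -> str:
    """Mask anything shaped like an API key in an arbitrary string (error bodies, traces)."""
    return KEY_PATTERN.sub(lambda m: redact(m.group(0)), text)


class RedactKeysFilter(logging.Filter):
    """Logging filter that masks key-shaped strings in every record it sees."""

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        cleaned = scrub(msg)
        if cleaned != msg:
            # Replace the pre-formatted message so no handler sees the original.
            record.msg, record.args = cleaned, ()
        return True


if __name__ == "__main__":
    # Constructed environment; the key value is a placeholder, not a real credential.
    fake_env = {"OPENAI_API_KEY": "sk-proj-" + "x" * 40}
    key = load_api_key(fake_env)
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("demo")
    log.addFilter(RedactKeysFilter())
    log.info("using key %s", key)  # the filter rewrites this to sk-proj-...xxxx
```

Attach the filter to every logger that might see request objects or exceptions, not just the one in the demo; the SDK's own error messages and your HTTP client's debug output are the usual places a key leaks from.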

Never Do

  • Hardcode keys in source code
  • Commit keys to git repositories: a key that was ever committed must be treated as compromised and rotated, even if the commit is later rewritten
  • Share keys across multiple unrelated applications
  • Use org-scoped keys in production code
  • Deploy without spend limits configured

Monitoring Usage

The Usage dashboard at platform.openai.com/usage shows costs broken down by model, project, and API key. You can filter by date range and export data for internal reporting. For per-key attribution, ensure each service uses a distinctly named key — this makes cost allocation to teams or features straightforward.
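Turning an exported usage report into per-key attribution and a simple anomaly check, as an added example that is not from the original page. The CSV columns (date, project, api_key_name, model, cost_usd) are an assumed export layout to be mapped onto the real export's headers, and the rows are constructed sample data. The spike check flags a key whose latest day costs several times its earlier daily average, which is the usual first sign of a leaked credential or a retry loop.

```python
"""Attribute exported usage to keys and flag a key whose spend jumps.

Added example, not from the original page. The CSV columns are an assumed
export layout (date, project, api_key_name, model, cost_usd); map them to the
headers of the export you actually download.
"""
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
date,project,api_key_name,model,cost_usd
2024-05-01,production,production-search-service,example-model,4.10
2024-05-02,production,production-search-service,example-model,3.90
2024-05-03,production,production-search-service,example-model,4.30
2024-05-01,production,production-summariser,example-model,1.00
2024-05-02,production,production-summariser,example-model,1.20
2024-05-03,production,production-summariser,example-model,9.80
2024-05-01,development,dev-notebook,example-model,0.40
2024-05-03,development,dev-notebook,example-model,0.50
"""


def parse_export(text: str) -> list[dict]:
    """Parse the export into rows with cost_usd as a float."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["cost_usd"] = float(r["cost_usd"])
        rows.append(r)
    return rows


def spend_by(rows: list[dict], column: str) -> dict[str, float]:
    """Total spend grouped by any column, e.g. "project" or "api_key_name"."""
    totals = defaultdict(float)
    for r in rows:
        totals[r[column]] += r["cost_usd"]
    return dict(totals)


def daily_spend_by_key(rows: list[dict]) -> dict[str, list[tuple[str, float]]]:
    """Per key, a date-sorted list of (date, spend) pairs."""
    per_key = defaultdict(lambda: defaultdict(float))
    for r in rows:
        per_key[r["api_key_name"]][r["date"]] += r["cost_usd"]
    return {k: sorted(days.items()) for k, days in per_key.items()}


def flag_spikes(rows: list[dict], factor: float = 3.0, min_history: int = 2) -> dict[str, float]:
    """Keys whose latest day costs more than `factor` times the mean of earlier days.

    Keys with fewer than min_history earlier days are skipped: a brand-new key
    has no baseline to compare against. Returns key -> ratio for ranking.
    """
    spikes = {}
    for key, days in daily_spend_by_key(rows).items():
        if len(days) < min_history + 1:
            continue
        *history, (_, latest) = days
        baseline = mean(c for _, c in history)
        if baseline > 0 and latest > factor * baseline:
            spikes[key] = round(latest / baseline, 2)
    return spikes


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("by project:", spend_by(rows, "project"))
    print("by key:    ", spend_by(rows, "api_key_name"))
    print("spikes:    ", flag_spikes(rows))
```

In the sample, production-summariser jumps from about $1.10 a day to $9.80 and is the only key flagged; the search service's steady spend and the two-day-old dev key are not. Per-key attribution only works if each service really does use its own distinctly named key, which is why the "one key per service" rule above matters for detection as much as for containment.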

Checklist

  • What happens if you close the API key creation dialog without copying the key?
  • Why should production applications use project-scoped keys rather than org-scoped keys?
  • What is the difference between a hard limit and a soft limit on API spend?
  • How do Projects help with cost attribution and isolation between dev and production?
  • Name three best practices for secure API key management.