Setting up your first OpenAI API key (2025 edition)

1) Create a key

1. Open the API Keys page and click Create new secret key. You’ll only see the full value once—copy it somewhere safe. OpenAI Platform
2. You authenticate by sending this key as a Bearer token in the Authorization header. OpenAI Platform

“Owned by”: You vs Service account

• You — the key is tied to your user and works only while you retain access to the selected project. Good for local dev and personal experiments.
• Service account — a bot identity that belongs to the project, not a person. Ideal for servers/CI and production since it survives team changes; its default is read/write on the project but you can restrict it. OpenAI Help Center

“Permissions”: All, Read only, Restricted

• All — full access to project APIs (default).
• Read only — list/read metadata only; cannot call write-type endpoints (so it won’t generate content).
• Restricted — pick None / Read / Write per endpoint group (e.g., enable embeddings only, deny assistants). This is the safest production posture. OpenAI Help Center

Common endpoint groups you’ll see:

• Model capabilities: /v1/chat/completions, /v1/embeddings, /v1/images, /v1/audio, /v1/moderations
• Assistants: /v1/assistants (+ read on /v1/models)
• Threads: /v1/threads (+ read on /v1/models)
• Files: /v1/files
• Fine-tuning: /v1/fine_tuning
• Responses API: /v1/responses

Recommendation: start Restricted, enable only what your service actually needs, and expand permissions only if you hit a 403/permission error. (You can change a key’s permissions later in API Keys settings.) OpenAI Help Center

2) Store it securely (don’t hard-code)

macOS / Linux

echo 'export OPENAI_API_KEY="sk-REDACTED"' >> ~/.bashrc   # or ~/.zshrc
source ~/.bashrc

Windows (PowerShell)

setx OPENAI_API_KEY "sk-REDACTED"

.env (local dev)

OPENAI_API_KEY=sk-REDACTED

Keep keys server-side and out of client apps and repos. See OpenAI’s key-safety guidance. OpenAI Help Center

3) Make a quick test call

curl

curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role":"user","content":"Say hello in 3 words."}]
  }'

(Bearer header per auth docs.) OpenAI Platform

Node.js

import OpenAI from "openai";
const client = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

const res = await client.chat.completions.create({
  model: "gpt-4o-mini",
  messages: [{ role: "user", content: "Say hello in 3 words." }],
});
console.log(res.choices[0].message.content);

Python

from openai import OpenAI
import os

client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
resp = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role":"user","content":"Say hello in 3 words."}]
)
print(resp.choices[0].message.content)

4) Pick the right combination (cheat-sheet)

5) Projects, usage, and limits

• Keys are scoped to a project; manage them in that project’s settings. OpenAI Platform
• Check your rate limits/tiers and design retries/backoff accordingly. OpenAI Platform+1

6) Backend pattern (the safe way)

1. Frontend calls your endpoint (e.g., /api/chat).
2. Your server reads OPENAI_API_KEY and calls OpenAI.
3. Return only the model output to the client (never the key).

7) Troubleshooting

• 401 Unauthorized → missing/typo’d key or header; ensure Authorization: Bearer … matches the docs. OpenAI Platform
• 403 Forbidden → permission scope too tight; adjust the key under Restricted to include the endpoint you’re calling. OpenAI Help Center
• 429 Rate limit → you’ve hit your tier; implement backoff and check the rate-limits page. OpenAI Platform

TL;DR

• Create a key, choose Owned by (You for local, Service account for servers). OpenAI Help Center
• Prefer Restricted permissions; open only what you need. OpenAI Help Center
• Authenticate with a Bearer header; keep the key server-side.