Comment by udbhavs

4 days ago

Next, set your OpenAI API key as an environment variable:

export OPENAI_API_KEY="your-api-key-here"

Note: This command sets the key only for your current terminal session. To make it permanent, add the export line to your shell's configuration file (e.g., ~/.zshrc).

Can't any 3rd party utility running in the same shell session phone home with the API key? I'd ideally want only codex to be able to access this var

10 comments

udbhavs

jsheard 4 days ago

If you let malicious code run unsandboxed on your main account then you probably have bigger problems than an OpenAI API key getting leaked.

mhitza 4 days ago
You mean running npm update at the "wrong time"?

jjmarr 4 days ago

Just don't export it?

    OPENAI_API_KEY="your-api-key-here" codex

aesbetic 4 days ago
Yea that’s not gonna work, you have to export it for it to become part of your shell’s environment and be passed down to subprocesses.
You could however wrap the export variable and codex command in a script and just call that. This way the variable would only be part of that script’s environment.
- PhilipRoman 4 days ago
  
  That code example uses the "VAR=VALUE program" syntax, which exports the variable only for that particular process, so it should work (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V...)
  
  1 reply →

primitivesuave 4 days ago

You could create a shell function - e.g. `codex() { OPENAI="xyz" codex "$@" }'. To call the original command use `command codex ...`.

People downvoting legitimate questions on HN should be ashamed of themselves.

udbhavs 3 days ago

That's neat! I only asked because I haven't seen API keys used in the context of profile environment variables in shell before - there might be other common cases I'm unaware of