horizon-ui/horizon-ai-template-pro

Use of NEXT_PUBLIC_ for API key

Closed this issue · 1 comments

Use of NEXT_PUBLIC_OPENAI_API_KEY throughout, which exposes one's private API Key.

As per NextJs documentation, NEXT_PUBLIC_ is used to bundle environment variables for use through the browser.

So all requests are sent with the API key, like:
{"inputCode":"Explain square root","model":"gpt-4","apiKey":"-exposing environment api key-"}
This may be fine when the user provides their own API key, but as you are recommending the use of the API key in .env.local:
"If you use .env.local variable for your API key, method which we recommend, use the apiKey variable commented below"
you're providing the following code snippet:
const apiKeyENV = process.env.NEXT_PUBLIC_OPENAI_API_KEY
which is then transmitted in the request to the server.

I would suggest you pick up the API key later, right before sending the request to the OpenAI API, when setting the Bearer Authorization header, using
process.env.OPENAI_API_KEY
instead.
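The two patterns discussed in the issue side by side, as an added example that is not code from the Horizon UI project. `inlineForBrowser` models the Next.js build rule that only `NEXT_PUBLIC_*` variables are inlined into the browser bundle, `requestBodyCarriesKey` is a defender-side check over request bodies like the one quoted above, and `buildUpstreamRequest` is the hardened route-handler core that resolves the key from `process.env.OPENAI_API_KEY` only when the Bearer header is set. All function names, the `serverEnv` parameter and the `sk-CONSTRUCTED-*` values are assumptions constructed for this example, not real keys or project identifiers.

```javascript
// Added example (not code from the Horizon UI project): models the Next.js
// NEXT_PUBLIC_ inlining rule and shows a server-side handler that reads the
// key from process.env.OPENAI_API_KEY only while building the upstream request.

const OPENAI_CHAT_URL = 'https://api.openai.com/v1/chat/completions';

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle at build
// time; any other process.env.* reference in client code becomes undefined.
// This function models that rule so the exposure can be checked offline.
function inlineForBrowser(buildEnv) {
  const bundled = {};
  for (const [name, value] of Object.entries(buildEnv)) {
    if (name.startsWith('NEXT_PUBLIC_')) bundled[name] = value;
  }
  return bundled;
}

// Defender-side check for request logs: does a client request body carry an
// apiKey field at all? With the vulnerable pattern every request does.
function requestBodyCarriesKey(jsonText) {
  try {
    const body = JSON.parse(jsonText);
    return typeof body.apiKey === 'string' && body.apiKey.length > 0;
  } catch {
    return false;
  }
}

// Hardened route-handler core (pure, so it can be unit-tested without Next.js).
// The client sends only inputCode and model; the server resolves the key from a
// non-public variable right before building the upstream request. serverEnv is
// a hypothetical parameter used here so the function can run with test values.
function buildUpstreamRequest(clientBody, serverEnv = process.env) {
  const { inputCode, model } = clientBody;
  if (typeof inputCode !== 'string' || typeof model !== 'string') {
    throw new Error('inputCode and model are required');
  }
  // Bring-your-own-key stays possible; the .env fallback is only ever read here,
  // on the server, and never shipped to the browser.
  const apiKey = clientBody.apiKey || serverEnv.OPENAI_API_KEY;
  if (!apiKey) {
    throw new Error('OPENAI_API_KEY is not configured on the server');
  }
  return {
    url: OPENAI_CHAT_URL,
    method: 'POST',
    headers: {
      Authorization: `Bearer ${apiKey}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      model,
      messages: [{ role: 'user', content: inputCode }],
    }),
  };
}

// Stand-alone demo with constructed values (no real keys).
function demo() {
  const buildEnv = {
    NEXT_PUBLIC_OPENAI_API_KEY: 'sk-CONSTRUCTED-public', // constructed, not a real key
    OPENAI_API_KEY: 'sk-CONSTRUCTED-server-only',        // constructed, not a real key
  };
  const bundle = inlineForBrowser(buildEnv);
  // Vulnerable pattern: the client reads the inlined key and puts it in the body.
  const leakedBody = JSON.stringify({
    inputCode: 'Explain square root',
    model: 'gpt-4',
    apiKey: bundle.NEXT_PUBLIC_OPENAI_API_KEY,
  });
  // Fixed pattern: the client sends no key; the server adds it upstream.
  const fixedBody = JSON.stringify({ inputCode: 'Explain square root', model: 'gpt-4' });
  const upstream = buildUpstreamRequest(JSON.parse(fixedBody), buildEnv);
  return {
    keyInBundle: 'NEXT_PUBLIC_OPENAI_API_KEY' in bundle,
    serverKeyInBundle: 'OPENAI_API_KEY' in bundle,
    leakedBodyCarriesKey: requestBodyCarriesKey(leakedBody),
    fixedBodyCarriesKey: requestBodyCarriesKey(fixedBody),
    authHeader: upstream.headers.Authorization,
  };
}

console.log(demo());
```

Running the file prints the demo object: the public key lands in the bundle while the server-only key does not, the vulnerable body carries an `apiKey` field and the fixed body does not, and the Authorization header is built from the server variable alone. The same `requestBodyCarriesKey` check can be run over captured request bodies to confirm that no client is still sending a key after the fix.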

Hello, @halans! Now the NEXT_PUBLIC_ won't be exposed anymore, theoretically.