
> The API, API docs and the pointer to them are all fully public.

Yeah, the basic model (because it involves publicly publishing untested instructions, which amount to code) is a security problem for the plugin supplier.

OpenAI not doing server-side validation of the closed-test-groups that it advertises for unreleased plugins magnifies the risk, but eliminating it wouldn't eliminate the fundamental problem entirely.

(The OpenAI failure here isn't failing the end user, it's failing what they represent to the plugin supplier.)




You can and should implement auth on those endpoints if you have any concern about them being accessed.



