Is there a way to limit web server access by domain?
Currently, there is no way to use the OpenAI API (ChatGPT) from the frontend without exposing your secret key.
I wonder if there is a way to solve this. My thinking is: I would create a web server that serves as a proxy to OpenAI (let's say gptproxy.com). Then developers who want to use OpenAI from the frontend would upload their secret key to my website. They would then call my API directly from their frontend, without exposing their secret.
So for example, example.com is a frontend-only website. It wants to use OpenAI. It creates a secret key and uploads it to gptproxy.com. Now example.com can call gptproxy.com to access OpenAI without exposing their secret.
However, I would need to verify that indeed example.com is the one that is accessing my API, and not someone else who is simply posing as some-website.com to get free access to OpenAI (an attacker could even copy all of the code from example.com since it's frontend only).
So I basically need to verify that some-website.com is making the request and not anyone else by verifying the domain. Is this problem even solvable?
For simplicity, you can assume example.com is running on GitHub Pages using a public GitHub repository.
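An added example (not code from the question) of the domain check the proxy design above would need, written for Node.js with built-ins only. It assumes a constructed registry keyed by a public "proxy id" (a hypothetical name) that the frontend embeds instead of the secret, and it uses a placeholder for the stored key.

```javascript
// Constructed registry: each site that uploaded its OpenAI key gets a public
// proxy id (safe to embed in frontend JS), an origin allowlist, and the real
// secret, which stays on the proxy and is only used for the upstream call.
const registry = new Map([
  ["pid_example", {
    origins: ["https://example.com", "https://example.github.io"],
    secret: "sk-PLACEHOLDER", // placeholder, never a real key
  }],
]);

// Normalize an Origin header value to scheme://host[:port].
// Returns null for a missing header, the opaque "null" origin, or junk.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin; // drops default ports, lowercases the host
  } catch {
    return null;
  }
}

// Decide whether a request carrying `headers` (Node lowercases header names)
// may use `proxyId`. Caveat: browsers set Origin on cross-site fetches and
// page scripts cannot change it, so this stops other websites from borrowing
// example.com's key through a visitor's browser. A non-browser client chooses
// its own headers, so per-proxy-id quotas and rate limits must bound that.
function checkOrigin(headers, proxyId) {
  const site = registry.get(proxyId);
  if (!site) return { ok: false, reason: "unknown proxy id" };
  const origin = normalizeOrigin(headers.origin);
  if (!origin) return { ok: false, reason: "missing or malformed Origin" };
  if (!site.origins.includes(origin)) return { ok: false, reason: "origin not allowed" };
  return { ok: true, reason: "allowed", origin };
}

// Headers for the upstream OpenAI request once the check passes: the secret
// is injected here on the server side and never sent back to the browser.
function upstreamHeaders(proxyId) {
  const site = registry.get(proxyId);
  return { Authorization: `Bearer ${site.secret}`, "Content-Type": "application/json" };
}

// CORS response headers echo only the origin that passed the check.
function corsHeaders(origin) {
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}
```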