OpenAI API Key Format (sk-proj-, sk-svcacct-, sk-admin-)
OpenAI issues four kinds of API keys, each with its own prefix and purpose. This page breaks down what each prefix means, when to use which, and the OAuth path that lets a ChatGPT Plus subscription stand in for a paid API key.
The four prefixes at a glance
| Prefix | Type | Can call models? | Use when |
|---|---|---|---|
| sk-proj- | Project key | Yes | Default — one project, one app or service |
| sk-svcacct- | Service-account key | Yes | Ownership shouldn't follow a person leaving |
| sk-admin- | Org admin key | No | Managing projects, members, billing via Admin API |
| sk- | Legacy user key | Yes | Pre-2024 — still valid, no longer issued |
Anatomy of a key
Total length is around 165 characters, notably longer than Anthropic's ~108-char sk-ant-api03 keys. The body is URL-safe, so it can travel in headers and query strings without escaping, but always pass it in the Authorization: Bearer … header rather than a URL parameter, because URLs are routinely written to server and proxy logs.
Project keys vs the legacy sk- format
OpenAI flipped the default to sk-proj- in mid-2024 when they introduced the Projects feature. The change is functional, not just cosmetic: a project key is scoped to a single Project inside your Org, with its own rate limit, billing line, and model access list. Spending caps and rate limits attach to the project, not the key — so rotating a key inside a project preserves its limits.
Older sk- keys are user-scoped (tied to a person's account, billed against the org default project). They still work, but the OpenAI Console no longer issues them. If you're starting fresh, use sk-proj-.
ChatGPT Plus instead of an API key
If you pay for ChatGPT Plus or Pro, OpenAI's Codex CLI gives you an OAuth path that bills against your subscription's Codex quota instead of API credits:
# Install the Codex CLI:
npm i -g @openai/codex
# Authorize against your ChatGPT account:
codex login
# This opens a browser, you log in to ChatGPT,
# and Codex stores a short-lived OAuth token that
# refreshes itself.
The Codex OAuth token is accepted anywhere a regular sk-proj- key would be — including VibeKit, which stores it on the same OpenAI BYOK slot. The benefit: AI calls bill against ChatGPT Plus's Codex quota (no per-token charge on top), so if you already pay for Plus and don't hit Codex's daily ceiling, the marginal cost of using the model is zero.
How to generate a key
# For a project API key (sk-proj-…):
1. Sign in to platform.openai.com
2. Dashboard → API keys → "Create new secret key"
3. Pick the project (or create one) and name the key
4. Optionally restrict permissions to specific resources
5. Copy the key once — OpenAI does not show it again
# For a service-account key (sk-svcacct-…):
1. Project Settings → Service accounts → "Create"
2. The key issues automatically — copy once and store
# For an admin key (sk-admin-…):
1. Org Settings → Admin keys (org owner only)
2. Create — limited to Admin API endpoints, can't call models
Validating a key locally
You can pattern-match the prefix in code without a network call:
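function isOpenAIKey(s) {
  // Prefixed keys: project, service-account, admin
  return /^sk-(proj|svcacct|admin)-[A-Za-z0-9_-]{40,}$/.test(s) ||
    // Legacy keys; (?!ant-) keeps Anthropic's sk-ant- keys from matching
    /^sk-(?!ant-)[A-Za-z0-9_-]{40,}$/.test(s);
}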
To confirm it's actually live and the project has credit, hit the cheapest endpoint:
curl -s https://api.openai.com/v1/models \
  -H "Authorization: Bearer $KEY"
A 200 with a list of models confirms the key works. A 401 means revoked or typoed. A 429 means rate-limited (still a valid key). A 403 on an sk-admin- key trying to hit /chat/completions is expected — admin keys can't call models.
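An added example (not OpenAI's or this page's own code) that takes the local prefix check further: it classifies a key by type, trims copy-paste whitespace, rejects Anthropic's sk-ant- keys, and scans text for OpenAI-shaped keys, reporting them redacted. The names classifyKey, redact, scanForKeys and fake are hypothetical, and the sample keys are constructed, not real.

```javascript
// Added example. classifyKey, redact, scanForKeys and fake are hypothetical names.
const KEY_TYPES = [
  { prefix: 'sk-proj-', type: 'project', canCallModels: true },
  { prefix: 'sk-svcacct-', type: 'service-account', canCallModels: true },
  { prefix: 'sk-admin-', type: 'admin', canCallModels: false },
];
const BODY = /^[A-Za-z0-9_-]{40,}$/; // same body rule as the page's regex

// Returns { type, canCallModels } or null. Known prefixes are checked first so
// the broad legacy pattern cannot swallow a malformed prefixed key.
function classifyKey(raw) {
  const s = String(raw).trim(); // strip copy-paste whitespace first
  if (s.startsWith('sk-ant-')) return null; // Anthropic key, not OpenAI
  for (const { prefix, type, canCallModels } of KEY_TYPES) {
    if (!s.startsWith(prefix)) continue;
    return BODY.test(s.slice(prefix.length)) ? { type, canCallModels } : null;
  }
  return s.startsWith('sk-') && BODY.test(s.slice(3))
    ? { type: 'legacy', canCallModels: true } : null;
}

// Keep only the prefix and the last four characters, for logs and alerts.
function redact(key) {
  return key.trim().replace(/^(sk-(?:proj-|svcacct-|admin-)?).*(.{4})$/, '$1...$2');
}

// Scan text (config, logs, diffs) for OpenAI-shaped keys; report redacted hits.
function scanForKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    // The lookbehind stops identifiers like "task-..." matching as "sk-...".
    for (const m of line.matchAll(/(?<![A-Za-z0-9_-])sk-[A-Za-z0-9_-]{40,}/g)) {
      const info = classifyKey(m[0]);
      if (info) findings.push({ line: i + 1, ...info, key: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input: these are not real keys.
const fake = (prefix, n) => prefix + 'A1b2_C3d4-'.repeat(Math.ceil(n / 10)).slice(0, n);
const SAMPLE = [
  'OPENAI_API_KEY=' + fake('sk-proj-', 157),
  'ANTHROPIC_API_KEY=' + fake('sk-ant-api03-', 95),
  'admin: ' + fake('sk-admin-', 58) + '  # cannot call models',
  'note: task-list-id-0000000000000000000000000000000000000000',
].join('\n');

console.log(scanForKeys(SAMPLE));
```

Checking canCallModels before sending a request catches the sk-admin- case without waiting for the 403.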
Using a key with a hosted AI agent
If you want to plug an OpenAI key into an agent so you can build apps without writing infrastructure code, VibeKit is BYOK-first: paste your sk-proj- (or your Codex OAuth subscription token) into Profile → AI Provider → OpenAI, and the agent's next request runs through your OpenAI account. Charges go straight to OpenAI; VibeKit doesn't bill on top. Free tier is genuinely free with BYOK — no per-session markup, no token clipping.
Security hygiene
- One project per third-party tool. Easier to revoke and easier to attribute spend.
- Set spending caps on the project. The most common "leaked key" failure mode isn't theft — it's a misconfigured retry loop. A $50 cap is cheap insurance.
- Use service-account keys for production. They don't disappear when the person who created them rotates off the team.
- Encrypt at rest and decrypt into memory only at request time. Any host that asks for the plaintext to be stored anywhere persistent isn't doing it right.
Related: Anthropic key format
If you're comparing providers, the Anthropic side mirrors a lot of this — different prefixes, same idea. See Anthropic API key format (sk-ant-api03) for the breakdown of sk-ant-api03 vs the Claude subscription OAuth token sk-ant-oat01.
FAQ
What does sk-proj- mean on an OpenAI key?
It's the prefix on OpenAI's project-scoped keys — the default key type since mid-2024. sk = secret key, proj = scoped to one project under your org. Every new key from platform.openai.com starts sk-proj-.
What's the difference between sk-proj, sk-svcacct, and sk-admin?
sk-proj- is a project key (default, calls models). sk-svcacct- is a service-account key (also calls models, but ownership isn't tied to a person). sk-admin- manages projects/members/billing via the Admin API but cannot call models. Legacy sk- still works but isn't issued anymore.
Can I use ChatGPT Plus instead of paying for API credits?
Yes — through the Codex CLI's OAuth flow. npm i -g @openai/codex, then codex login. The resulting token bills against your ChatGPT Plus Codex quota, not per-token API charges. VibeKit accepts these tokens on the same BYOK slot as a regular sk-proj- key.
Can I use my OpenAI key with VibeKit?
Yes. Paste sk-proj- or a Codex OAuth token into Profile → AI Provider → OpenAI. Requests route through your OpenAI account; VibeKit takes nothing on top.
Why isn't my OpenAI key working?
Six common causes: key revoked, project out of credit, rate-limited (429), trailing whitespace from copy-paste, you're using sk-admin- against /chat/completions (admin keys can't call models), or the project doesn't have access to the requested model. The curl /v1/models snippet above will tell you which.