getApiKey()
This function tries to hide the OpenAI API key from casual viewing of the source by base64-encoding it and XOR-scrambling it. It is a good example of why client-side 'obfuscation' is not real security - anyone can call getApiKey() in the browser console and get the plain key back instantly.
function getApiKey(){return atob(encoded).split('').map(c=>String.fromCharCode(c.charCodeAt(0)^key)).join('');}
Line-by-line explanation (4 lines)
🔧 Subcomponents:
c=>String.fromCharCode(c.charCodeAt(0)^key)
Reverses a simple XOR obfuscation on each decoded character to reconstruct the real API key
atob(encoded)- Decodes the base64-encoded string back into raw obfuscated text
.split('')- Turns that text into an array of individual characters so they can be processed one at a time
.map(c=>String.fromCharCode(c.charCodeAt(0)^key))- For each character, gets its numeric code, XORs it with the secret key number, and turns the result back into a character - this undoes the same XOR operation used to hide the key
.join('')- Glues the decoded characters back into a single string - the real OpenAI API key