getApiKey()
XOR is a simple, symmetric bit-flipping operation often used for lightweight obfuscation, but it is NOT real encryption - anyone who opens the browser's dev tools can run this exact function and print the key. This is a good example of why secret keys should never live in client-side JavaScript.
function getApiKey() {
const bytes = atob(encoded).split('').map(c => c.charCodeAt(0) ^ key);
return String.fromCharCode(...bytes);
}
Line-by-line explanation (2 lines)
🔧 Subcomponents:
const bytes = atob(encoded).split('').map(c => c.charCodeAt(0) ^ key);
Base64-decodes the stored string, then flips every character's bits using XOR with a fixed key to reveal the original API key characters
const bytes = atob(encoded).split('').map(c => c.charCodeAt(0) ^ key);- atob() decodes the Base64 string into raw text, .split('') breaks it into individual characters, and .map() converts each character to its numeric code then XORs it with 'key' (0x5A) to undo the original encoding
return String.fromCharCode(...bytes);- Converts the array of XOR-decoded numeric codes back into a readable string - the actual OpenAI API key