getApiKey()
This is a light obfuscation technique, not real security - XOR with a single byte is trivial to reverse. Any user can open devtools, call getApiKey(), and read your real OpenAI key. For a public sketch, API calls like this should go through a backend server that holds the real key.
function getApiKey() {
return atob(encoded).split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ key)).join('');
}
Line-by-line explanation (4 lines)
🔧 Subcomponents:
return atob(encoded).split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ key)).join('');
Base64-decodes the obfuscated string, then XORs each character code with a fixed key to reveal the real API key
return atob(encoded)- atob() decodes the Base64-encoded string 'encoded' back into raw scrambled text
.split('')- Breaks the scrambled string into an array of individual characters so they can be processed one by one
.map(c => String.fromCharCode(c.charCodeAt(0) ^ key))- For every character, gets its numeric code, flips bits using XOR with 'key' (0x5A), and turns that number back into a character - this undoes the same XOR that was used to scramble the key originally
.join('')- Glues the unscrambled characters back together into the final plain-text API key string