getApiKey()
This function reverses a lightweight two-step obfuscation (Base64 + XOR) that was used to hide the OpenAI API key from a casual glance at the source code. It is NOT real security - anyone can open the browser console and call getApiKey() directly to read the key, which is why shipping API keys in client-side code is considered unsafe.
function getApiKey() {
return atob(encoded).split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ key)).join('');
}
Line-by-line explanation (4 lines)
🔧 Subcomponents:
atob(encoded).split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ key)).join('');
Base64-decodes the stored string, then XORs every character with a fixed key to reveal the original API key text
atob(encoded)- atob() decodes a Base64-encoded string back into regular text - this reverses the first layer of obfuscation
.split('')- Turns the decoded string into an array of single characters so each one can be transformed individually
.map(c => String.fromCharCode(c.charCodeAt(0) ^ key))- For every character, gets its numeric character code, flips bits using XOR (^) against the fixed 'key' value, then converts the result back into a character - this reverses a simple XOR cipher
.join('')- Glues the transformed characters back together into a single string - the final decoded API key