I was recently experimenting with the new ChatGPT "GPTs" feature. It has an "Actions" feature which supports calling APIs that it reads from an OpenAPI schema. Long story short, it succeeds in authorizing since it supports OAuth, however, it fails to interact with the rest of the API due to the fact that it does not support passing headers into any requests. Is there any possibility to pass those required headers with URL params instead?

While this isn't an official answer I would hazard a guess to say this isn't likely viable to be supported due to how many of the API calls are cached based on the call URL. As in, because adding an API key/version would almost make every call unique to the app rather than the alternative the cache wouldn't be as effective.

I'm not the sharpest in terms of API design but why is that header even required? I assume it's to handle paths which don't need an OAuth token? Seems pretty redundant to me because you already need it alongside the secret to get the OAuth token. I also don't get the api version header being required; defaulting to the latest version unless specified otherwise seems like it would be a better solution?

Unfortunately I don't have answers so would require an official response. I just thought I'd share that I wouldn't rely on that being a possibility based on my personal experience and knowledge with the API so far.

Do you know if the ChatGPT thing is still being iterated on? Perhaps you could see if they might support the headers in some way on that side eventually.

They probably are developing it, but OpenAI is kind of notorious for ignoring such "small" issues so I'm willing to bet it will take like a year for this to get implemented. There are threads about this on their forums from multiple users, no official responses.

We might switch the version to the URL for v3 (although that isn't even in development at this point). The trakt-api-key will need to remain a header along with any OAuth tokens for authenticated requests. As Tyson said, if the API key were added to the URL it would make the Cloudflare caching essentially useless since each URL would be treated uniquely.