Deleting Users

One of the early decisions I made when designing the AI Horde is that I didn't want to deal with user accounts and the personal data that comes with them. Not only because I didn't want to be responsible for the safety of that data, but also because I didn't want to be dealing with user requests for forgotten passwords and the like.
So the design has always been that you can either create an account using an oauth2 provider like Discord or Google, which would then handle any account recovery, or you can create a completely disposable account for yourself, but then you take all the responsibility for keeping your API key safe.
On top of that, purposefully the AI Horde does not retain any information about your account, or your generations other than the amount of generations you did and the kudos you've accumulated or spent. This is on purpose so that we don't maintain any personal data which would require extra protections. I.e. even if we were to be completely pwned to the DB level, there's no personal information for each user maintained to be exfiltrated.
Because of this, I never felt the need to create a delete function for user accounts, as there isn't anything that one would need deleted which couldn't also be handled through a username change and removing any optional contact info voluntarily provided.
Still, I expected that sooner or later someone might explicitly want to delete their account but my plan was to cross that bridge when I came to it, and this week, someone just asked for exactly that. So it was time to see how it would make the most sense to implement.
The main problem facing us is that people only have one API key authenticating them to the AI Horde, and I know many people might be sharing them with others, instead of using our shared key functionality. So allowing instant deletion might cause problems where someone is trolling others who might have shared their account with them.
(But to be clear: Don't share your API keys. This is full access to your account. Use shared keys instead)
So the approach I decided on is two-step. Someone with an API key can request an account deletion. When this happens, the account will be marked as deleted and cannot be used for generating or for workers, but can still be seen in the API, marked as deleted. In case someone changes their mind, they can undelete their account at any time by using their own API key. Assuming one changes their username and removes any contact details before deleting, this should be sufficient for most. But if one wants to take it to the next level and completely wipe their account, after 30 days of inactivity following the deletion, one can perform the same delete operation on the user endpoint, and at this point it will completely wipe the account and make it unrecoverable. This doesn't provide any particular benefits over simply removing any identifying information, but if one wants this option, it now exists.
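The two-step flow described above, sketched as an added Python example (not the AI Horde's own code); the `User`/`UserStore` names, the in-memory key-to-user dict and the `HARD_DELETE_AFTER` constant are assumptions, and the 30-day clock is measured from the most recent deletion mark, so an undelete restarts it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed constant: the post states a 30-day wait before the permanent wipe.
HARD_DELETE_AFTER = timedelta(days=30)

@dataclass
class User:
    username: str
    api_key: str
    deleted_at: Optional[datetime] = None  # None means the account is active

    def usable(self) -> bool:
        return self.deleted_at is None  # no generating, no workers while deleted

    def public_view(self) -> dict:
        # The user endpoint still shows a soft-deleted account, flagged as such.
        return {"username": self.username, "deleted": self.deleted_at is not None}

class UserStore:
    def __init__(self) -> None:
        self._by_key: dict[str, User] = {}

    def add(self, user: User) -> None:
        self._by_key[user.api_key] = user

    def lookup(self, api_key: str) -> User:
        if api_key not in self._by_key:
            raise PermissionError("unknown API key")
        return self._by_key[api_key]

    def delete(self, api_key: str, now: datetime) -> str:
        # Step one soft-deletes; step two, after 30 days deleted, wipes for good.
        user = self.lookup(api_key)
        if user.deleted_at is None:
            user.deleted_at = now
            return "soft_deleted"
        if now - user.deleted_at < HARD_DELETE_AFTER:
            raise PermissionError("30-day waiting period has not elapsed")
        del self._by_key[api_key]
        return "wiped"

    def undelete(self, api_key: str) -> str:
        # Clears the deletion mark, which also restarts the 30-day clock.
        user = self.lookup(api_key)
        if user.deleted_at is None:
            raise ValueError("account is not deleted")
        user.deleted_at = None
        return "restored"
```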
Of course if you are sharing your actual API key with others, especially random people online, they might decide to delete your account for the lolz, so if this is a concern, make sure you change your API key immediately. But even if someone does that, you can still undelete the account and change your API key (assuming you use oauth2).
As always, let us know if you have any concerns or thoughts about this functionality.