Approved users receive the current access code directly. The private app runs server-side and keeps the OpenAI credentials away from the browser.