ChatGPT Has Ads Now. Six Brands, Four Encrypted Tokens, And One Familiar Playbook.

April 30, 2026

Two weeks ago, OpenAI was a research lab that happened to ship a chatbot. As of this week, OpenAI is a media company that happens to ship a research lab.

The proximate cause: on April 28, 2026, the security research outfit Buchodi’s Threat Intel published a complete reverse-engineering of how ChatGPT now serves ads. It turns out the answer is “very thoroughly, with four Fernet-encrypted tokens, a backend ad bidding domain (bzr.openai.com), a CDN for creatives (bzrcdn.openai.com), and a JavaScript SDK called OAIQ v0.1.3 running on merchant pages so the loop closes.” The whole apparatus is the kind of thing you build when you mean it.

Here’s what’s been quietly turned on, what’s coming next, and why the dev community on Hacker News is reacting somewhere between “of course” and “block these URLs in your hosts file right now.”

What Was Found, Technically

OpenAI is injecting ads into ChatGPT responses as structured Server-Sent Events. Inside the response stream, alongside the actual model output tokens, you’ll find a new event type:

{
  "type": "single_advertiser_ad_unit",
  "advertiser": "Grubhub",
  "creative": { "headline": "...", "image": "https://bzrcdn.openai.com/...", "cta": "..." },
  "tokens": {
    "ads_spam_integrity_payload": "<Fernet-encrypted>",
    "oppref": "<Fernet-encrypted>",
    "olref": "<Fernet-encrypted>",
    "ad_data_token": "<base64(json{...Fernet...})>"
  }
}

That’s not a leak. That’s the production schema. Each ad ships with four cryptographically signed tokens:

  • ads_spam_integrity_payload — server verifies this on click so only OpenAI’s own backend can mint clickable units. Stops third parties from spoofing fake ads through the API.
  • oppref — the forward-attribution token. Lands in a first-party cookie (__oppref) with a 30-day TTL when the user clicks through to the merchant.
  • olref — outbound-impression logging reference, fired on outclick.
  • ad_data_token — base64-wrapped JSON with another Fernet payload inside, used for measurement.
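
What an observer without the key can still read from these tokens, as an added example (not code from Buchodi's report or from OpenAI): Fernet leaves its version byte and mint timestamp unencrypted, so the code below finds Fernet-shaped strings in an ad event and reports mint time and ciphertext size. The sample event is constructed from filler bytes, and the inner key name "payload" is hypothetical.

```javascript
// Added example. Fernet token layout (public spec): 0x80 version byte,
// 8-byte big-endian Unix timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC.
// Only the ciphertext is encrypted; the header is readable without the key.
function inspectFernet(token) {
  if (typeof token !== "string" || !/^[A-Za-z0-9_-]+=*$/.test(token)) return null;
  const raw = Buffer.from(token, "base64url");
  const ctLen = raw.length - (1 + 8 + 16 + 32);
  if (raw[0] !== 0x80 || ctLen < 16 || ctLen % 16 !== 0) return null;
  const ts = Number(raw.readBigUInt64BE(1));
  if (ts > 8.64e12) return null; // outside the JS Date range: not a plausible timestamp
  return { mintedAt: new Date(ts * 1000).toISOString(), ciphertextBytes: ctLen };
}
// Walk a decoded JSON value and report every string that has Fernet shape.
function findFernet(value, path = "", out = []) {
  if (typeof value === "string") {
    const info = inspectFernet(value);
    if (info) out.push({ path, ...info });
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findFernet(v, `${path}/${k}`, out);
  }
  return out;
}
// Takes the data payload of one SSE event; returns null for non-ad events.
function inspectAdEvent(sseData) {
  const evt = JSON.parse(sseData);
  if (evt.type !== "single_advertiser_ad_unit") return null;
  const tokens = { ...evt.tokens };
  try { // ad_data_token is base64(JSON) wrapping another Fernet payload
    tokens.ad_data_token = JSON.parse(Buffer.from(tokens.ad_data_token, "base64").toString());
  } catch { /* not decodable: keep the opaque string */ }
  return { advertiser: evt.advertiser, fernet: findFernet(tokens) };
}
// Constructed sample: filler bytes behind a valid header, not captured traffic.
function fakeFernet(unixSeconds, ctLen) {
  const head = Buffer.alloc(9);
  head[0] = 0x80;
  head.writeBigUInt64BE(BigInt(unixSeconds), 1);
  return Buffer.concat([head, Buffer.alloc(16 + ctLen + 32, 0xaa)]).toString("base64url");
}
const T = 1777334400; // 2026-04-28T00:00:00Z
const SAMPLE = JSON.stringify({
  type: "single_advertiser_ad_unit", advertiser: "Grubhub",
  tokens: {
    ads_spam_integrity_payload: fakeFernet(T, 48), oppref: fakeFernet(T, 32), olref: fakeFernet(T, 16),
    // "payload" is a hypothetical key; the page does not name the inner fields
    ad_data_token: Buffer.from(JSON.stringify({ payload: fakeFernet(T, 64) })).toString("base64"),
  },
});
console.log(inspectAdEvent(SAMPLE));
```

The mint time and the ciphertext length (in 16-byte AES blocks) are visible to anyone who sees the token; the contents and the ability to mint a valid one are not.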

So far, this is just a competent ad system: encrypted tokens, integrity checks, server-side validation. Anyone who’s worked at Google, Meta, or TikTok looked at this and went “yeah, that’s how you’d build it.” But the next part is what makes it a different conversation.

The OAIQ SDK Closes The Loop

When you click an ad in ChatGPT and land on, say, Grubhub’s page, your browser executes a small first-party JavaScript bundle called the OAIQ SDK (version 0.1.3, current as of this writing). The SDK does three things:

  1. Reads the oppref token from the inbound URL.
  2. Probes for the __oaiq_domain_probe cookie to confirm the SDK is running on the right domain.
  3. Sends impression and conversion events back to https://bzr.openai.com/v1/sdk/events with the oppref attached, so OpenAI can stitch ad-click → page-view → purchase into a single attributed flow.

This is the closed-loop attribution model that Google AdSense, Meta Pixel, and TikTok Pixel have been running for fifteen years. OpenAI built one for ChatGPT. They built it well. They built it before they announced any of it.

The Six Brands, Stress-Tested

Buchodi’s analysis observed contextual ad placements for six advertisers. Here they are, with a guess at the prompt category that triggers each:

Advertiser | Category | Likely prompt trigger
Grubhub | Food delivery | “what should I order tonight”
GetYourGuide | Travel | “things to do in [city]”
Axel | Flights | “cheapest flight to [destination]”
Gametime | Events | “what concerts are tonight”
Aritzia | Fashion | “outfit ideas for [occasion]”
Canva | Productivity | “make me a slide deck”

That’s a tight launch group. It’s not a test deployment. It’s the commerce-intent prompts — the same lookup categories Google has been monetizing since 2003. OpenAI didn’t pick “explain quantum physics” prompts to advertise on, because nobody pays $4 CPM to advertise textbooks. They picked the prompts where the user has commercial intent, the same prompts that made Google Shopping a multi-billion-dollar product.

This is not coincidental. This is OpenAI’s product team mapping the search-ads taxonomy onto chat-ads taxonomy. They are aiming directly at Google’s lunch.


Why The HN Thread Is Spicier Than Usual

The 240-point HN thread is full of ad-tech nerds reading their own code on someone else’s stack. The two most upvoted concerns:

1. The ads are currently visually distinct. They will not stay that way.

User hansvm said the quiet part:

Once the ads are injected directly into the main response is when things get interesting.


This is the threshold. Right now, single_advertiser_ad_unit is a structurally distinct event in the SSE stream — your client renders it as a card, separate from the prose. But the same backend that decides which ad to serve also has access to the model’s reasoning context. The day OpenAI ships inline product placement (“If you’re looking for a quick dinner, you might enjoy Grubhub’s Thai selection — they have a special this week…”) embedded in the model’s natural-language response, the disclosure becomes ambiguous, the trust contract changes, and the FTC starts taking phone calls.

User SchemaLoad framed where this ends:

Invisible ads, influences, and propaganda woven into the content.

That’s the real product. The structurally distinct cards are the *first* version, the safe-launch version, the one you can defend in front of regulators. The version that prints money is the inline one.

2. The ads pipeline is a prompt-injection surface.

User WaxProlix flagged that an ad-bidding system that takes context-dependent input from the model is, by definition, a place where adversarial advertisers could attempt prompt injection. The IAB OpenRTB standard, which web ad networks use, includes free-form contextual fields. Once OpenAI’s ad stack adopts anything resembling OpenRTB (and it almost certainly will, because that’s where the demand-side liquidity lives), you have ad-network metadata flowing into a system prompt-adjacent context. This is a class of attack that has not really existed before. It will exist.

Block List, For The Curious

User lmbbuchodi (presumably the same Buchodi who published the report) posted client-side blocking rules that work in uBlock Origin / Pi-hole:

||bzrcdn.openai.com^
||bzr.openai.com^

Adding those to your blocklist removes the creative loading and disables event reporting. Note that this does not stop OpenAI from picking ads server-side or from logging your selection in their model interaction data; it only stops the visual rendering and the client-side attribution beacon. Ads will still be selected for you. You just won’t see them, and OpenAI gets to call you “ad-unsupported” in their next quarterly investor letter.
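
How rules of the ||host^ form decide which requests are dropped, as an added example (a simplified matcher written for this page, not uBlock Origin's or Pi-hole's code). The request list is constructed; the paths other than /v1/sdk/events, the merchant host and the oppref query-parameter name are assumptions.

```javascript
// Added example: simplified matcher for Adblock-Plus-style "||host^" and "|..." rules.
// "^" is a separator: end of URL, or any character except letters, digits, "_", "-", ".", "%".
function compileRule(rule) {
  const esc = (s) => s.replace(/[.*+?${}()|[\]\\]/g, "\\$&");
  const sep = "(?:[^A-Za-z0-9_.%-]|$)";
  let prefix = "", body = rule;
  if (rule.startsWith("||")) {
    // "||" anchors at the start of the hostname or at any subdomain boundary.
    prefix = "^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?";
    body = rule.slice(2);
  } else if (rule.startsWith("|")) {
    // A single "|" anchors at the first character of the whole URL (the scheme).
    prefix = "^";
    body = rule.slice(1);
  }
  return new RegExp(prefix + body.split("^").map(esc).join(sep), "i");
}

const RULES = ["||bzrcdn.openai.com^", "||bzr.openai.com^"];
const isBlocked = (url, rules = RULES) => rules.some((r) => compileRule(r).test(url));

// Constructed request list. Paths other than /v1/sdk/events, the merchant host
// and the "oppref" query-parameter name are assumptions made for the example.
const REQUESTS = [
  "https://bzrcdn.openai.com/creative/example.png",   // ad creative
  "https://bzr.openai.com/v1/sdk/events",             // SDK event beacon
  "https://chat.openai.com/",                         // response stream host
  "https://bzr.openai.com.example.net/v1/sdk/events", // look-alike host
  "https://merchant.example/landing?oppref=TOKEN",    // click-through URL
];
const report = () => REQUESTS.map((url) => ({ url, blocked: isBlocked(url) }));
console.log(report());
```

The last three URLs stay unblocked: the host that streams the response carrying the ad selection, a look-alike host, and the merchant landing page that receives the token. A rule written with a single leading pipe matches none of them, because no URL begins with the hostname.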

The Story Underneath The Story

This is the second monetization shoe dropping in the same week. Three days ago, GitHub announced Copilot code review will start consuming GitHub Actions minutes on June 1. Today, OpenAI quietly shipped a four-token Fernet-encrypted ad system with six launch advertisers and a JavaScript SDK on merchant pages.

The free-or-flat-rate AI tooling era ended last week. We just didn’t know which company would be first to ship the second-stage rocket. Now we do — it’s both of them, in parallel, and the strategy is structurally identical:

  • Phase 1 (2022-2025): subsidize the user. Drive a billion weekly active users on flat or free pricing. Build dependence.
  • Phase 2 (2026): monetize the dependence. Two flavors:

      – GitHub’s flavor: double-bill the customer in two metering buckets. Be honest about it. Pay the political cost up front.
      – OpenAI’s flavor: turn the consumer side into an ad-supported platform. Don’t announce it. Let it be reverse-engineered by a security blog. Take the political cost on the back end if it ever shows up.

Pick your poison. Both companies are aiming for the same outcome: make the per-user revenue story work. They cannot run inference at $0.20 per query on a $20-per-month flat rate. The math has never worked. The question was always *when*, and the answer turned out to be *now*.

What This Means For You

If you are a ChatGPT user:

  • Your prompts now have commercial intent classification running on them. Asking ChatGPT what to make for dinner triggers a Grubhub-tier ad placement. This is irreversible — even if you complain, the categorization persists in the data.
  • The ads are currently visually distinct. Trust this distinction for as long as it lasts. The day you can’t tell whether a recommendation came from the model or the ad bidder is the day you stop using ChatGPT for recommendations.
  • Add the two block URLs above to your DNS sinkhole or uBlock list. It buys you a clean visual experience, not privacy.

If you are a builder on the OpenAI API:

  • Nothing in the API has these ads yet. The consumer product (chat.openai.com) is the testbed.
  • Watch the SSE event types in API responses going forward. The same engineering team that shipped single_advertiser_ad_unit on the consumer side will quietly evaluate whether the same event type makes sense on the API. Expect a “sponsored response” event field to land in the API spec within twelve months, opt-in at first.

If you are a competitor:

  • Anthropic, Google, and Meta now have a clear comp model. Anthropic in particular has marketed itself as the “no ads, just trust” AI for years. That positioning just got more expensive — every quarter Anthropic refuses to monetize the consumer side, OpenAI eats more of the consumer market with subsidized chat that’s ad-supported. Anthropic’s options narrow.
  • Open weights models (DeepSeek V4, Qwen 3.6, Kimi 2.6) become a more interesting story by default. The local-AI argument is no longer just “privacy.” It’s “the model in your house cannot serve you a Grubhub ad.”

If you are an advertiser:

  • A new ad surface just launched with six brand partners and somewhere between zero and very few competitors. The CPM economics here will be irrational on the way up. If you are in food delivery, travel, events, fashion, or productivity SaaS, your ad ops team should already have a meeting on the calendar.
  • There is exactly one buyer-side platform: OpenAI. There is no AdX, no programmatic exchange, no transparent bidding yet. You are buying directly from OpenAI’s ad sales, with their attribution, their measurement, and their reporting. Plan accordingly.

The Real Question

The technical machinery is fine. Encrypted tokens, server-side integrity, first-party cookies, an SDK on merchant pages — that’s all competent ad infrastructure, and the people who built it knew what they were doing.

The real question is whether the chatbot interface — a place where users type private questions in a tone of voice they would not use with Google — can survive being commercialized at this depth without losing the trust that made it valuable in the first place.

OpenAI is betting that it can. Six brand partners, four encrypted tokens, and one quiet rollout suggest they are committed to the bet. We will know whether they are right when the day comes that ChatGPT recommends a restaurant, and you can no longer tell whether it’s because the model thinks the food is good, or because the bidder paid the highest price.

That day is closer than you think.


Rating: The chatbot became a media company. We told you it would.
