diff --git a/docs/enterprise/externalsecrets/generators/openai.mdx b/docs/enterprise/externalsecrets/generators/openai.mdx
new file mode 100644
index 0000000..6c5c40e
--- /dev/null
+++ b/docs/enterprise/externalsecrets/generators/openai.mdx
@@ -0,0 +1,126 @@
+---
+title: 'OpenAI Generator'
+description: 'Dynamically manage OpenAI Service Accounts and API Keys.'
+---
+
+
+ The External Secrets Enterprise product suite is a premium product.
+ It requires a specific subscription. Contact us for more information.
+
+
+
+ To use the OpenAI Generator, you must have the Enterprise Distribution of ESO available via [ESI Agent](/docs/enterprise/externalsecrets/esi-agent/quickstart).
+
+
+## Introduction
+
+The OpenAI Generator allows automated management of **OpenAI Service Accounts** and their associated **API Keys** using the OpenAI Admin API. It simplifies the process of provisioning scoped credentials for different applications or environments, enabling secure, automated key rotation without manual intervention.
+
+This approach reduces operational overhead and enhances security posture by providing each workload with its own unique, managed API key.
+
+## Output Keys and Values
+
+| Key | Description |
+| --------- | ---------------------------------------- |
+| `api_key` | The generated OpenAI API key (`sk-...`). |
+
+## Parameters
+
+| Key | Default | Description |
+| -------------------------- | ------------------------------ | --------------------------------------------------------------------------------------------- |
+| `projectId` | **Required** | The ID of the OpenAI project where the service account will be created. |
+| `host` | `"https://api.openai.com/v1"` | Base URL for the OpenAI Admin API. Typically the default endpoint is sufficient. |
+| `openAiAdminKey` | **Required** | Kubernetes secret reference holding the OpenAI Admin API Key used for authentication. |
+| `serviceAccountNamePrefix` | Optional | Prefix for the generated service account name. |
+| `serviceAccountNameSize` | `12` | Length of the randomly generated suffix for the service account name. |
+
+## Set up
+
+### Requirements
+
+- An **OpenAI project** with **Admin API Key**.
+
+### Authentication
+
+The Admin API Key must be stored in a Kubernetes secret and referenced in the `openAiAdminKey` field.
+
+Example secret:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: openai-admin-secret
+ namespace: default
+type: Opaque
+data:
+ api-key:
+```
+
+### Generator Config
+```yaml
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: OpenAI
+metadata:
+ name: openai-generator
+ namespace: default
+spec:
+ projectId: my-openai-project-id
+ openAiAdminKey:
+ name: openai-admin-secret
+ key: api-key
+ host: https://api.openai.com/v1
+ serviceAccountNamePrefix: app
+ serviceAccountNameSize: 10
+```
+
+### ExternalSecret Config
+```yaml
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: openai-credentials
+ namespace: default
+spec:
+ refreshInterval: 1h
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: OpenAI
+ name: openai-generator
+```
+
+### Using the generated secret
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: my-app
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: my-container
+ image: my-image:latest
+ env:
+ - name: OPENAI_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: openai-credentials
+ key: api_key
+```
+
+## Notes and Considerations
+
+* Each time the secret rotates, a new service account and API key are created.
+* Service accounts are deleted during cleanup, ensuring no orphaned resources remain.
+* The generator strictly requires the OpenAI Admin API; standard API keys for model inference are not sufficient.
+* serviceAccountNameSize controls only the suffix length after any optional prefix.
\ No newline at end of file