Creating an API Key
1
Access the Platform Console
Log in at app.profy.cn, then visit platform.profy.cn. Both share the same login session.
2
Navigate to API Keys
Click API Keys in the left sidebar.
3
Create a New Key
Click the Create API Key button and fill in the following:
- Name: Give the key a descriptive name (e.g., “Production Backend”, “Data Analysis Script”)
- Scopes: Select the endpoint scopes the key can access
- Expiration: Choose the key’s expiration period (30 days / 90 days / 1 year / never expires)
4
Save the Key
After confirming, the system will generate an API Key prefixed with
sk-pro-.Scopes
When creating an API Key, you can select its permission scopes:Viewing API Keys
On the API Keys page, you can see a list of all created keys:Revoking an API Key
When a key is no longer needed or may have been compromised, revoke it immediately:1
Find the Target Key
Locate the key you want to revoke in the API Keys list.
2
Click Revoke
Click the delete/revoke button next to the key.
3
Confirm Revocation
Confirm the action. Revocation is irreversible — the revoked key will be invalidated immediately and cannot be restored.
Secure Storage
Using Environment Variables
Using a Secrets Management Service
For production environments, we recommend using your cloud provider’s secrets management service:- AWS Secrets Manager
- Tencent Cloud SSM
- HashiCorp Vault
Security Best Practices
Do not use API Keys in frontend code
Do not use API Keys in frontend code
Browser-side JavaScript code is visible to users. If your App needs to call the Profy API from the frontend, use the OAuth flow to obtain a user-level token, or proxy requests through your own backend.
Do not commit keys to version control
Do not commit keys to version control
Store keys in
.env files and add .env to .gitignore. In CI/CD environments, use a secrets management service for injection.Set an expiration time
Set an expiration time
Set a reasonable expiration for your keys. For testing purposes, use 30-day expiration; for production, use 90-day or 1-year expiration with regular rotation.
Audit and rotate regularly
Audit and rotate regularly
Periodically review your API Keys list and revoke any that are no longer in use. For long-running services, establish a rotation schedule (e.g., rotate keys quarterly).
Monitor for anomalous usage
Monitor for anomalous usage
Monitor API call volume in the Platform Console’s Usage Stats and Call Logs. An unexpected spike may indicate a key compromise.
Call Logs
Every API Key call is logged. On the Call Logs page of the Platform Console, you can:- Filter by key: View call records for a specific key
- Filter by status code: Find failed calls
- Filter by endpoint: View calls to a specific API
- View details: Expand to see request and response summaries
Rate Limits
API Keys are protected by rate limits. When the limit is triggered, the API returns429 Too Many Requests. We recommend implementing exponential backoff retry in your client:
Desktop Auto-Configuration
The Profy Desktop client automatically creates an API Key named “Profy Desktop” upon first login. This process is transparent to the user and requires no manual action.Next Steps
Authentication Guide
Learn about API Key vs. OAuth
Platform Console
Explore the full console features

