Skip to main content
API Keys are credentials for calling the Profy Platform API. This page explains how to manage API Keys in the Platform Console.

Creating an API Key

1

Access the Platform Console

Log in at app.profy.cn, then visit platform.profy.cn. Both share the same login session.
2

Navigate to API Keys

Click API Keys in the left sidebar.
3

Create a New Key

Click the Create API Key button and fill in the following:
  • Name: Give the key a descriptive name (e.g., “Production Backend”, “Data Analysis Script”)
  • Scopes: Select the endpoint scopes the key can access
  • Expiration: Choose the key’s expiration period (30 days / 90 days / 1 year / never expires)
4

Save the Key

After confirming, the system will generate an API Key prefixed with sk-pro-.
The API Key is displayed only once at creation time. Once you close the page, you will not be able to view the full key again. Save it immediately in a secure location (such as a password manager, environment variable, or secrets management service).

Scopes

When creating an API Key, you can select its permission scopes:
Follow the principle of least privilege — only grant the permissions the key actually needs.

Viewing API Keys

On the API Keys page, you can see a list of all created keys:

Revoking an API Key

When a key is no longer needed or may have been compromised, revoke it immediately:
1

Find the Target Key

Locate the key you want to revoke in the API Keys list.
2

Click Revoke

Click the delete/revoke button next to the key.
3

Confirm Revocation

Confirm the action. Revocation is irreversible — the revoked key will be invalidated immediately and cannot be restored.
After revoking a key, all requests using that key will immediately return 401 Unauthorized. Make sure to update all services using the key before revoking it.

Secure Storage

Using Environment Variables

Using a Secrets Management Service

For production environments, we recommend using your cloud provider’s secrets management service:
  • AWS Secrets Manager
  • Tencent Cloud SSM
  • HashiCorp Vault

Security Best Practices

Browser-side JavaScript code is visible to users. If your App needs to call the Profy API from the frontend, use the OAuth flow to obtain a user-level token, or proxy requests through your own backend.
Store keys in .env files and add .env to .gitignore. In CI/CD environments, use a secrets management service for injection.
Set a reasonable expiration for your keys. For testing purposes, use 30-day expiration; for production, use 90-day or 1-year expiration with regular rotation.
Periodically review your API Keys list and revoke any that are no longer in use. For long-running services, establish a rotation schedule (e.g., rotate keys quarterly).
Monitor API call volume in the Platform Console’s Usage Stats and Call Logs. An unexpected spike may indicate a key compromise.

Call Logs

Every API Key call is logged. On the Call Logs page of the Platform Console, you can:
  • Filter by key: View call records for a specific key
  • Filter by status code: Find failed calls
  • Filter by endpoint: View calls to a specific API
  • View details: Expand to see request and response summaries

Rate Limits

API Keys are protected by rate limits. When the limit is triggered, the API returns 429 Too Many Requests. We recommend implementing exponential backoff retry in your client:

Desktop Auto-Configuration

The Profy Desktop client automatically creates an API Key named “Profy Desktop” upon first login. This process is transparent to the user and requires no manual action.

Next Steps

Authentication Guide

Learn about API Key vs. OAuth

Platform Console

Explore the full console features