> ## Documentation Index
> Fetch the complete documentation index at: https://docs.profy.cn/llms.txt
> Use this file to discover all available pages before exploring further.

# API Key Management

> Create, view, and revoke API Keys

API Keys are credentials for calling the Profy Platform API. This page explains how to manage API Keys in the Platform Console.

## Creating an API Key

<Steps>
  <Step title="Access the Platform Console">
    Log in at [app.profy.cn](https://app.profy.cn), then visit [platform.profy.cn](https://platform.profy.cn). Both share the same login session.
  </Step>

  <Step title="Navigate to API Keys">
    Click **API Keys** in the left sidebar.
  </Step>

  <Step title="Create a New Key">
    Click the **Create API Key** button and fill in the following:

    * **Name**: Give the key a descriptive name (e.g., "Production Backend", "Data Analysis Script")
    * **Scopes**: Select the endpoint scopes the key can access
    * **Expiration**: Choose the key's expiration period (30 days / 90 days / 1 year / never expires)
  </Step>

  <Step title="Save the Key">
    After confirming, the system will generate an API Key prefixed with `sk-pro-`.

    <Warning>
      The API Key is **displayed only once at creation time**. Once you close the page, you will not be able to view the full key again. Save it immediately in a secure location (such as a password manager, environment variable, or secrets management service).
    </Warning>
  </Step>
</Steps>

## Scopes

When creating an API Key, you can select its permission scopes:

| Scope          | Description        | Accessible Endpoints                                                 |
| -------------- | ------------------ | -------------------------------------------------------------------- |
| `all`          | Full access        | All `/v1/*` endpoints                                                |
| `events:write` | Event write access | `/v1/agents/run`, `/v1/chat/completions`, `/v1/models`, `/v1/events` |

<Tip>
  Follow the principle of least privilege — only grant the permissions the key actually needs.
</Tip>

## Viewing API Keys

On the API Keys page, you can see a list of all created keys:

| Field          | Description                                                |
| -------------- | ---------------------------------------------------------- |
| **Name**       | Descriptive name of the key                                |
| **Key Prefix** | `sk-pro-xxxx...` (only the first few characters are shown) |
| **Created At** | Date the key was created                                   |
| **Expires At** | Expiration date (if applicable)                            |
| **Status**     | Active / Expired / Revoked                                 |

## Revoking an API Key

When a key is no longer needed or may have been compromised, revoke it immediately:

<Steps>
  <Step title="Find the Target Key">
    Locate the key you want to revoke in the API Keys list.
  </Step>

  <Step title="Click Revoke">
    Click the delete/revoke button next to the key.
  </Step>

  <Step title="Confirm Revocation">
    Confirm the action. **Revocation is irreversible** — the revoked key will be invalidated immediately and cannot be restored.
  </Step>
</Steps>

<Warning>
  After revoking a key, all requests using that key will immediately return `401 Unauthorized`. Make sure to update all services using the key before revoking it.
</Warning>

## Secure Storage

### Using Environment Variables

```bash theme={null}
# .env file (do not commit to version control)
PROFY_API_KEY=sk-pro-your-key-here
```

<CodeGroup>
  ```python Python theme={null}
  import os
  from profy import Profy

  client = Profy(api_key=os.environ["PROFY_API_KEY"])
  ```

  ```typescript TypeScript theme={null}
  import { Profy } from "@profy-ai/sdk";

  const client = new Profy({
    apiKey: process.env.PROFY_API_KEY!,
  });
  ```
</CodeGroup>

### Using a Secrets Management Service

For production environments, we recommend using your cloud provider's secrets management service:

* **AWS Secrets Manager**
* **Tencent Cloud SSM**
* **HashiCorp Vault**

```python theme={null}
import boto3

def get_profy_key():
    client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId="profy/api-key")
    return response["SecretString"]
```

## Security Best Practices

<AccordionGroup>
  <Accordion title="Do not use API Keys in frontend code">
    Browser-side JavaScript code is visible to users. If your App needs to call the Profy API from the frontend, use the OAuth flow to obtain a user-level token, or proxy requests through your own backend.
  </Accordion>

  <Accordion title="Do not commit keys to version control">
    Store keys in `.env` files and add `.env` to `.gitignore`. In CI/CD environments, use a secrets management service for injection.
  </Accordion>

  <Accordion title="Set an expiration time">
    Set a reasonable expiration for your keys. For testing purposes, use 30-day expiration; for production, use 90-day or 1-year expiration with regular rotation.
  </Accordion>

  <Accordion title="Audit and rotate regularly">
    Periodically review your API Keys list and revoke any that are no longer in use. For long-running services, establish a rotation schedule (e.g., rotate keys quarterly).
  </Accordion>

  <Accordion title="Monitor for anomalous usage">
    Monitor API call volume in the Platform Console's Usage Stats and Call Logs. An unexpected spike may indicate a key compromise.
  </Accordion>
</AccordionGroup>

## Call Logs

Every API Key call is logged. On the **Call Logs** page of the Platform Console, you can:

* **Filter by key**: View call records for a specific key
* **Filter by status code**: Find failed calls
* **Filter by endpoint**: View calls to a specific API
* **View details**: Expand to see request and response summaries

## Rate Limits

API Keys are protected by rate limits. When the limit is triggered, the API returns `429 Too Many Requests`. We recommend implementing exponential backoff retry in your client:

```python theme={null}
import asyncio
from profy import Profy, ProfyApiError

async def call_with_retry(client, max_retries=3):
    for attempt in range(max_retries):
        try:
            return await client.agents.run("my-expert", "你好")
        except ProfyApiError as e:
            if e.status_code == 429 and attempt < max_retries - 1:
                wait = 2 ** attempt
                await asyncio.sleep(wait)
                continue
            raise
```

## Desktop Auto-Configuration

The Profy Desktop client automatically creates an API Key named "Profy Desktop" upon first login. This process is transparent to the user and requires no manual action.

## Next Steps

<CardGroup cols={2}>
  <Card title="Authentication Guide" icon="lock" href="/en/developers/authentication">
    Learn about API Key vs. OAuth
  </Card>

  <Card title="Platform Console" icon="monitor" href="/en/developers/platform-console">
    Explore the full console features
  </Card>
</CardGroup>
