Skip to main content
The Profy Platform API supports two authentication methods, each suited to different integration scenarios. All authentication information is passed via the Authorization request header.

API Key Authentication

API Key is the simplest authentication method, ideal for server-to-server direct calls.

Usage

Add Authorization: Bearer sk-pro-xxxx to the request header:

Characteristics

Use Cases

  • Backend services calling AI capabilities
  • Automation scripts and scheduled tasks
  • Internal tools and management systems
  • Development and testing

Security Best Practices

An API Key is a credential for your account. A leak could result in credit consumption. Follow these security practices:
  1. Do not use API Keys in frontend code — browser-side code is visible to users
  2. Use environment variables to store keys; do not hardcode them in source code
  3. Set expiration times — choose an expiration period when creating the key in the Platform Console
  4. Assign scopes as needed — do not use full permissions
  5. Rotate regularly — periodically create new keys and revoke old ones

OAuth Bearer Authentication

OAuth authentication is suited for App scenarios that operate on behalf of users. Obtain an Access Token through the standard OAuth 2.0 Authorization Code flow.

Usage

Characteristics

Use Cases

  • Apps calling AI models on behalf of users
  • Third-party applications requiring user authorization
  • SaaS products with per-user billing
  • Custom billing event reporting (/v1/events supports OAuth only)

OAuth Flow Overview

For the detailed OAuth integration guide, see OAuth Integration.

Comparison

How to Choose

1

Determine the billing subject

If credits should be deducted from your own account → API KeyIf credits should be deducted from the user’s account → OAuth
2

Determine the calling pattern

If it’s a backend service calling directly → API KeyIf it’s an App acting on behalf of a user → OAuth
3

Determine feature requirements

If you need to use the Events API to report custom billing events → OAuthFor other scenarios, either method works

Authentication Errors

When authentication fails, the API returns the following errors: Error response example:

Rate Limits

API calls are protected by rate limits. Limits are calculated per API Key or per user associated with the OAuth Token. When a rate limit is triggered, the API returns 429 Too Many Requests:
You can view your API call volume and rate usage on the Usage Stats page of the Platform Console.

Next Steps

API Key Management

Complete guide to creating, viewing, and revoking API Keys

OAuth Integration

Complete OAuth 2.0 integration flow