Skip to main content
Profy implements the standard OAuth 2.0 Authorization Code flow, allowing your App to call Profy APIs on behalf of users. With OAuth authorization, credits are deducted from the user’s account.

Flow Overview

Step 1: Register Your App

Create your App in Profy Studio:
  1. Go to app.profy.cn/studio
  2. Create a new App
  3. Configure OAuth settings in the App settings:
    • Client ID: Automatically generated App UUID
    • Client Secret: Generated in settings (stored as SHA-256 hash, displayed only once)
    • Redirect URIs: Register your callback URLs (multiple supported)
The Client Secret is displayed only once when generated — save it securely. The Redirect URI must exactly match one of the registered addresses, or authorization will be rejected.

Step 2: Redirect the User to Authorize

Redirect the user to the Profy authorization page:
The user will see the Profy authorization page displaying your App name and the requested permissions. After the user consents, Profy will redirect them back to your callback URL.

Step 3: Receive the Authorization Code

After the user authorizes, Profy redirects to your redirect_uri:
The Authorization Code is valid for 5 minutes and can only be used once. Exchange it for a token immediately upon receipt.

Step 4: Exchange for Tokens

Use the authorization code to obtain an Access Token and Refresh Token:
The token endpoint also supports application/x-www-form-urlencoded format.

Token Lifecycle

Access Token

  • JWT format (RS256 signed)
  • Contains sub (user ID), aud (App UUID), scope (permission scopes)
  • Use the Refresh Token to obtain a new token when expired

Refresh Token

  • Opaque string format
  • Rotation mechanism: The old token is invalidated after each use; a new Refresh Token is returned
  • A used Refresh Token cannot be reused

Step 5: Refresh Tokens

When the Access Token expires, use the Refresh Token to obtain a new token pair:
Refresh Tokens use a rotation mechanism. After each refresh, you must save the new Refresh Token. The old Refresh Token is immediately invalidated after use.

Revoking Tokens

When a user logs out or you need to revoke access, call the revocation endpoint:
The revocation endpoint follows RFC 7009 — it returns 200 OK even if the token is already invalid.

Available Scopes

Security Best Practices

Generate a random state value when initiating the authorization request, and verify that the state matches in the callback.
  • Server-side: Use encrypted storage (encrypted database columns, secrets management services)
  • Client-side: Use httpOnly cookies or secure storage
  • Do not store Refresh Tokens in URLs, logs, or frontend localStorage
Profy strictly validates that the redirect_uri is in the registered list. Ensure registered URIs include the full path to avoid open redirect vulnerabilities.
The Client Secret should only be used on the server side. Do not expose it in frontend code. Use environment variables or a secrets management service for storage.

Error Handling

Next Steps

Events API

Report custom billing events via OAuth Token

App Development Guide

Complete App development workflow