Flow Overview
Step 1: Register Your App
Create your App in Profy Studio:- Go to app.profy.cn/studio
- Create a new App
- Configure OAuth settings in the App settings:
- Client ID: Automatically generated App UUID
- Client Secret: Generated in settings (stored as SHA-256 hash, displayed only once)
- Redirect URIs: Register your callback URLs (multiple supported)
Step 2: Redirect the User to Authorize
Redirect the user to the Profy authorization page:
The user will see the Profy authorization page displaying your App name and the requested permissions. After the user consents, Profy will redirect them back to your callback URL.
Step 3: Receive the Authorization Code
After the user authorizes, Profy redirects to yourredirect_uri:
Step 4: Exchange for Tokens
Use the authorization code to obtain an Access Token and Refresh Token:application/x-www-form-urlencoded format.
Token Lifecycle
Access Token
- JWT format (RS256 signed)
- Contains
sub(user ID),aud(App UUID),scope(permission scopes) - Use the Refresh Token to obtain a new token when expired
Refresh Token
- Opaque string format
- Rotation mechanism: The old token is invalidated after each use; a new Refresh Token is returned
- A used Refresh Token cannot be reused
Step 5: Refresh Tokens
When the Access Token expires, use the Refresh Token to obtain a new token pair:Revoking Tokens
When a user logs out or you need to revoke access, call the revocation endpoint:200 OK even if the token is already invalid.
Available Scopes
Security Best Practices
Use the state parameter to prevent CSRF
Use the state parameter to prevent CSRF
Generate a random state value when initiating the authorization request, and verify that the state matches in the callback.
Store tokens securely
Store tokens securely
- Server-side: Use encrypted storage (encrypted database columns, secrets management services)
- Client-side: Use httpOnly cookies or secure storage
- Do not store Refresh Tokens in URLs, logs, or frontend localStorage
Strictly match Redirect URIs
Strictly match Redirect URIs
Profy strictly validates that the redirect_uri is in the registered list. Ensure registered URIs include the full path to avoid open redirect vulnerabilities.
Store Client Secret securely
Store Client Secret securely
The Client Secret should only be used on the server side. Do not expose it in frontend code. Use environment variables or a secrets management service for storage.
Error Handling
Next Steps
Events API
Report custom billing events via OAuth Token
App Development Guide
Complete App development workflow

