Authentication
Profy uses a dual authentication system: SMS + JWT for end users and API Keys for programmatic access. All sessions are backed by Redis with single-device enforcement.Overview
SMS Login Flow
Users authenticate by verifying ownership of a phone number via SMS verification code.SMS Providers
| Provider | Use Case | Configuration |
|---|---|---|
| Aliyun SMS | Primary provider | ALIYUN_SMS_ACCESS_KEY_ID, ALIYUN_SMS_ACCESS_KEY_SECRET |
| Volcengine | Alternative provider | VOLCENGINE_SMS_* env vars |
JWT Token System
Tokens are signed using the jose library with HS256 algorithm.Token Structure
Redis Session Keys
Each login creates two Redis entries for bidirectional lookup:| Key Pattern | Value | TTL | Purpose |
|---|---|---|---|
auth:token:{token} | User JSON payload | 24h (auto-refreshed) | Token → user lookup |
auth:user-token:{userId} | Token string | 24h | User → token lookup (single-device) |
Single-Device Enforcement
When a user logs in from a new device, the previous session is invalidated:- Look up existing token via
auth:user-token:{userId} - Delete old
auth:token:{oldToken}entry - Store new token in both keys
Auth Middleware
The auth filter runs on every request and applies route-level access control.Whitelisted Routes (No Auth Required)
| Route | Reason |
|---|---|
/api/auth/login | Login endpoint |
/api/auth/sms/sendCode | SMS dispatch |
/api/health | Health check |
/api/market/* | Public marketplace browsing |
/api/payment/notify/* | Payment provider callbacks |
Middleware Flow
The middleware extracts tokens from either:Authorization: Bearer <token>headerCookie: token=<token>cookie
API Key System
API Keys provide programmatic access to the/openapi/* endpoints, used primarily by the Profy agent engine for credit consumption.
Key Format
All API keys use thesk_ prefix followed by a cryptographically random string.
API Key Endpoints
| Method | Endpoint | Description |
|---|---|---|
POST | /api/user/apiKey/create | Generate a new API key |
POST | /api/user/apiKey/list | List user’s API keys |
POST | /api/user/apiKey/delete | Revoke an API key |
Key Storage
API keys are stored in Redis underopenapi:key:{key} with the associated user payload. Validation is a simple Redis lookup — no JWT verification needed.
OpenAPI Endpoints (API Key Auth)
| Method | Endpoint | Description |
|---|---|---|
POST | /openapi/credit/consume | Consume credits (used by Profy) |
POST | /openapi/credit/preCheck | Pre-validate consumption |
GET | /openapi/credit/balance | Query credit balance |
Security Considerations
| Concern | Mitigation |
|---|---|
| SMS abuse | Rate limiting (60s cooldown per phone), optional CAPTCHA |
| Token leakage | 24h Redis TTL, single-device enforcement |
| Replay attacks | JWT expiry (7d), Redis-backed session invalidation |
| API Key exposure | Revocable keys, sk_ prefix for easy scanning |
| Internal endpoints | /internal/* routes restricted to private network via Nginx |
Token Refresh
The platform provides a token refresh endpoint atGET /api/token/refresh that issues a new JWT before the current one expires, maintaining seamless session continuity.
Related Pages
Architecture
See how auth fits into the request lifecycle
Agent Platform
API Keys power the Profy credit consumption bridge

