wylon

API Keys

API keys authenticate every request to the wylon inference API. Each key is bound to a project, carries a scope, and can be rotated or revoked without redeploying your application.

Anatomy of a key

wylon keys are strings with a fixed structure, so you can recognize them in logs and in secret managers.

wl-<env>-<random 32 chars>

# examples
wl-live-7B2kLq9pVmXr3sTyZ8hDnCqFgW1vJaHb    # production
wl-test-4cKnRj8vQpYxZs5tUwEhGmAoDlFbCiNz    # test (sandbox, no billing)
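Because the format is fixed, a commit hook or log pipeline can detect and mask keys mechanically. The scanner below is an added example, not wylon's own code; it assumes <env> is lowercase letters and the random part is exactly 32 ASCII alphanumerics, as in the two example keys above. The log lines are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: <env> is lowercase letters and the random part is exactly 32
# ASCII alphanumerics, matching the two example keys on this page.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9])wl-(?P<env>[a-z]+)-(?P<rand>[A-Za-z0-9]{32})(?![A-Za-z0-9])"
)

# Constructed sample log; the two full keys are the page's documentation examples.
SAMPLE_LOG = """\
08:00:01 INFO  worker start key=wl-test-4cKnRj8vQpYxZs5tUwEhGmAoDlFbCiNz
08:00:02 DEBUG headers={'Authorization': 'Bearer wl-live-7B2kLq9pVmXr3sTyZ8hDnCqFgW1vJaHb'}
08:00:03 INFO  loaded WYLON_API_KEY=wl-live-7B2kLq... (truncated by logger)
08:00:04 WARN  job wl-live-batch-0042 retried
"""


def find_keys(text):
    """Return (line_number, env, key) for each full-length key in text."""
    return [
        (lineno, m["env"], m.group(0))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in KEY_RE.finditer(line)
    ]


def redact(text):
    """Mask the random part of every key but keep wl-<env>- for triage."""
    return KEY_RE.sub(lambda m: f"wl-{m['env']}-[REDACTED]", text)


if __name__ == "__main__":
    # Scan files named on the command line (or the sample) and exit non-zero
    # on any hit, so the script can gate a commit or a log-shipping step.
    texts = [(p, Path(p).read_text(encoding="utf-8", errors="replace"))
             for p in sys.argv[1:]]
    hits = 0
    for name, text in texts or [("<sample>", SAMPLE_LOG)]:
        for lineno, env, key in find_keys(text):
            hits += 1
            print(f"{name}:{lineno}: {env} key {redact(key)}")
    sys.exit(1 if hits else 0)
```

Truncated keys and look-alike identifiers are deliberately not reported; any full-length match in a repository or log should be handled with the leaked key playbook further down.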

Creating a key

  1. Open API Keys

    Go to Dashboard → Account → API keys.

  2. Click “Create new key”

    Pick a project, set a name, optionally attach a scope (see below), and optionally set an expiry date.

  3. Copy immediately

    wylon only shows the full key once. After dismissing the dialog you’ll see only the first 8 characters.

Scopes

Scopes restrict what a key can do. The default is inference.*, which allows unrestricted inference against the attached project.

Scope             Allows
inference.read    Call chat completions, list models.
inference.write   All of read + submit Batch jobs.
inference.*       All inference permissions.
admin.billing     Read usage, top-up balance, download invoices.
admin.*           Full administrative access.

Principle of least privilege. Production workloads should use inference.read or inference.write. Reserve admin.* keys for CI/CD pipelines or operator consoles.

Using keys in code

Never hardcode a key. Load it from the environment or a secret manager at startup.

# shell
export WYLON_API_KEY="wl-live-7B2kLq…"

# Python
import os
from openai import OpenAI

client = OpenAI(api_key=os.environ["WYLON_API_KEY"], base_url="https://api.wylon.cn/v1")

// Node.js
import OpenAI from "openai";

const client = new OpenAI({ apiKey: process.env.WYLON_API_KEY, baseURL: "https://api.wylon.cn/v1" });

Rotation

Rotate keys on a schedule (quarterly for production) or immediately on any suspected leak. To rotate without downtime:

  1. Create a new key.
  2. Deploy the new key to all instances.
  3. Watch the Last used column on the old key — once it sits idle for 24 hours, revoke it.

Revocation

Click Revoke on any key to disable it immediately. In-flight requests carrying that key return 401 invalid_api_key. Revocation is irreversible.

Leaked key playbook

If a key has been committed to a repo, pasted in a chat, or seen in logs you don’t control:

  1. Revoke it immediately in the dashboard.
  2. Create a replacement scoped as tightly as possible.
  3. Check Billing → Usage for spikes in the 24 hours before discovery.
  4. If unfamiliar usage is found, contact security@wylon.cn.
Never ship a key to the browser. Proxy calls through your server. A leaked server-side key can be revoked; a leaked client-side key has already been exfiltrated to every visitor.

Per-key limits

Organization-level rate limits apply across all keys. You can additionally cap a single key’s RPM, TPM, or monthly spend in the dashboard — useful for sandbox keys given to external contractors.
