wylon

API Keys

API keys authenticate every request to the wylon inference API. Each key is bound to a project, and can be rotated or deleted without redeploying your application.

Anatomy of a key

wylon keys are strings with a fixed structure, so you can recognize them in logs and in secret managers.

wl-<env>-<random 32 chars>

# examples
wl-live-7B2kLq9pVmXr3sTyZ8hDnCqFgW1vJaHb    # production
wl-test-4cKnRj8vQpYxZs5tUwEhGmAoDlFbCiNz    # test (sandbox, no billing)

Creating a key

  1. Open API Keys

    Go to Dashboard → Account → API keys.

  2. Click “Create new key”

    Pick a project, set a name, and optionally set an expiry date.

  3. Copy & store the key

    Copy the full generated key and store it securely; you can also view and copy your existing keys in the dashboard later.

Using keys in code

Never hardcode a key. Load it from the environment or a secret manager at startup.

export WYLON_API_KEY="wl-live-7B2kLq…"
import os
from openai import OpenAI
client = OpenAI(api_key=os.environ["WYLON_API_KEY"], base_url="https://api.wylon.cn/v1")
import OpenAI from "openai";
const client = new OpenAI({ apiKey: process.env.WYLON_API_KEY, baseURL: "https://api.wylon.cn/v1" });

Leaked key playbook

If a key has been committed to a repo, pasted in a chat, or seen in logs you don’t control:

  1. Delete it immediately in the dashboard.
  2. Create a replacement key.
  3. Check Billing → Usage for spikes in the 24 hours before discovery.
  4. If unfamiliar usage is found, contact support@wylon.cn.
key
Never ship a key to the browser. Proxy calls through your server. A leaked server-side key can be deleted; a leaked client-side key has already been exfiltrated to every visitor.
沪ICP备2026010432号-1 沪公网安备31010402336632号