API Keys
API keys authenticate every request to the wylon inference API. Each key is bound to a project, and can be rotated or deleted without redeploying your application.
Anatomy of a key
wylon keys are strings with a fixed structure, so you can recognize them in logs and in secret managers.
wl-<env>-<random 32 chars>
# examples
wl-live-7B2kLq9pVmXr3sTyZ8hDnCqFgW1vJaHb # production
wl-test-4cKnRj8vQpYxZs5tUwEhGmAoDlFbCiNz # test (sandbox, no billing)
Creating a key
-
Open API Keys
Go to Dashboard → Account → API keys.
-
Click “Create new key”
Pick a project, set a name, and optionally set an expiry date.
-
Copy & store the key
Copy the full generated key and store it securely; you can also view and copy your existing keys in the dashboard later.
Using keys in code
Never hardcode a key. Load it from the environment or a secret manager at startup.
export WYLON_API_KEY="wl-live-7B2kLq…"
import os
from openai import OpenAI
client = OpenAI(api_key=os.environ["WYLON_API_KEY"], base_url="https://api.wylon.cn/v1")
import OpenAI from "openai";
const client = new OpenAI({ apiKey: process.env.WYLON_API_KEY, baseURL: "https://api.wylon.cn/v1" });
Leaked key playbook
If a key has been committed to a repo, pasted in a chat, or seen in logs you don’t control:
- Delete it immediately in the dashboard.
- Create a replacement key.
- Check Billing → Usage for spikes in the 24 hours before discovery.
- If unfamiliar usage is found, contact support@wylon.cn.
key
Never ship a key to the browser.
Proxy calls through your server. A leaked server-side key can be deleted; a leaked
client-side key has already been exfiltrated to every visitor.