Ephemeral Tokens

Short-lived bt- tokens that expire automatically. Designed for browser and mobile environments where a permanent key cannot be safely stored.

Overview

An ephemeral token is created from a permanent prx- key and inherits all of its restrictions. The token:

Has a bt- prefix
Expires after the TTL you specify (default 1 hour, max 24 hours)
Inherits allowed_models, allowed_origins, spending_limit, and all other restrictions from the parent key
Is stored in Redis — not in the database — so it leaves no permanent trace
Can be revoked at any time before it expires

Generating a token

Call the ephemeral endpoint from your server using your permanent key. Never call this from client-side code.

http

POST https://proxyify.dev/api/keys/ephemeral/
Authorization: Bearer prx-xxxxxxxxxxxxxxxx
Content-Type: application/json

{
  "key_id": 42,
  "ttl": 3600
}

json (response)

{
  "data": {
    "token": "bt-0c4da8f5aab6a9dcc6ebf205c3d98fee",
    "expires_in": 3600
  }
}

Python (server-side)

import requests

res = requests.post(
    "https://proxyify.dev/api/keys/ephemeral/",
    headers={"Authorization": "Bearer prx-xxxxxxxxxxxxxxxx"},
    json={"key_id": 42, "ttl": 3600},
)
token = res.json()["data"]["token"]

Using the token

Use the bt- token exactly like a prx- key — same Authorization header, same endpoint.

JavaScript (browser)

const client = new OpenAI({
  apiKey: "bt-0c4da8f5aab6a9dcc6ebf205c3d98fee",
  baseURL: "https://proxyify.dev/v1",
  dangerouslyAllowBrowser: true,
});

try {
  const res = await client.chat.completions.create({
    model: "openai/gpt-4o-mini",
    messages: [{ role: "user", content: "Hello" }],
  });
  console.log(res.choices[0].message.content);
} catch (e) {
  if (e.status === 401) {
    // Token expired — request a new one from your backend
    const freshToken = await fetchFreshToken();
  }
}

TTL & expiry

TTL (seconds)	Duration	Use case
`900`	15 minutes	Single user interaction
`3600`	1 hour	Default — most session-based apps
`21600`	6 hours	Long work sessions
`86400`	24 hours	Maximum allowed TTL

When a token expires, any in-flight request returns 401 Invalid or expired API key. Your code should handle this by requesting a fresh token from your backend and retrying.

Revoking a token

Tokens expire automatically. If you need to invalidate one immediately (e.g. user logs out), you can also generate ephemeral tokens from the dashboard's Keys page — the Token button on each key card.

Frontend-safe Keys → Full guide to safely using Proxyify in the browser. Authentication → Key restrictions that ephemeral tokens inherit.