Skip to main content

Token Overview

API Token (API Key) is your credential for calling Laozhang API. Like a password, it’s used to verify your identity and record usage.
Security AlertAPI Token is like your account password. If leaked, others can use your quota. Please keep it safe!

Create Token

Standard Token

1

Log in to Console

Visit Laozhang API Console and log in
2

Enter Token Management

Token Management InterfaceClick “API Keys” in the left menu
3

Create New Token

Create New TokenClick “Create New Token” button
4

Configure Token

Fill in token information:
  • Token Name: For identifying token purpose (e.g., “Production Environment”, “Testing”)
  • Billing Method: Choose billing method
    • Usage-based billing (pay per token)
    • Pay-per-use (pay per request)
  • Permissions: Set API permissions (optional)
  • Expiration Time: Set token validity period (optional)
5

Save Token

Click “Create” button and immediately save the generated Token
Important: Token only displays once. If lost, need to recreate.

Special Purpose Tokens

  • Usage-based Billing Token
  • Pay-per-use Token
  • Read-only Token
  • Temporary Token
Suitable For:
  • High-frequency API calls
  • Chat applications
  • Text processing
  • Code generation
Billing Method:
  • Billed by tokens consumed
  • More economical for high usage
  • Support all text models
How to Create: Select “Usage-based billing” when creating token

Manage Tokens

View Token List

View all your tokens in console:
Token NameCreatedLast UsedStatusOperations
Production2024-01-012 minutes ago🟢 ActiveEdit | Revoke
Testing2024-01-05Yesterday🟢 ActiveEdit | Revoke
Demo2024-01-10Never🟡 Not UsedEdit | Revoke
Old Token2023-12-01Last month🔴 RevokedDelete

Edit Token

Can modify token configuration:
1

Click Edit

Click “Edit” button next to token
2

Modify Configuration

Modifiable items:
  • Token name
  • Permissions
  • Expiration time
  • Usage limits
3

Save Changes

Click “Save” button
Cannot modify the token value itself. If need new Token value, must recreate.

Revoke Token

When need to invalidate a Token:
1

Select Token

Find token to revoke in token list
2

Click Revoke

Click “Revoke” button
3

Confirm Operation

Confirm revocation in popup dialog
After revocation, all applications using this Token will fail. Ensure alternatives are prepared.

Rotate Tokens

Regularly rotating Tokens enhances security:
1

Create New Token

Create new token as replacement
2

Update Application

Update all applications to use new Token
3

Test Verification

Confirm new Token works properly
4

Revoke Old Token

Revoke old Token
Recommended Rotation Frequency
  • Production environment: Every 3 months
  • Development environment: Every 6 months
  • Temporary Token: Set expiration time

Security Best Practices

1. Token Storage

# ❌ Bad Practice: Hardcode in code
api_key = "sk-rHcKJkgO4y3e5CTdDd1a..."

# ✅ Good Practice: Use environment variables
import os
api_key = os.getenv("LAOZHANG_API_KEY")

# ✅ Good Practice: Use configuration files
import json
with open('config.json') as f:
    config = json.load(f)
    api_key = config['api_key']

2. Version Control

Never Commit API KeyNever commit API Keys to version control systems (Git, SVN, etc.)
# .gitignore file
.env
config.json
secrets/
*.key

3. Permission Control

Set minimum necessary permissions:
ScenarioRecommended Permissions
Production EnvironmentFull permissions, strict access control
Development EnvironmentFull permissions, local use only
Testing EnvironmentLimited permissions, low quotas
Demo ApplicationsRead-only or limited calls
Third-party IntegrationMinimum necessary permissions

4. IP Whitelist

Limit Token to specific IP addresses:
1

Enable IP Restrictions

Edit Token settings and enable “IP Whitelist”
2

Add Allowed IPs

Add IPs allowed to use this Token:
  • Single IP: 192.168.1.100
  • IP Range: 192.168.1.0/24
  • Multiple IPs: Add multiple rules
3

Test Verification

Test from allowed IPs to ensure normal access

5. Usage Monitoring

Regularly check Token usage: 
import requests

# Query Token usage
response = requests.get(
    "https://api.laozhang.ai/v1/usage",
    headers={"Authorization": "Bearer your_api_key"}
)

usage = response.json()
print(f"Today's usage: {usage['today_usage']}")
print(f"This month's usage: {usage['month_usage']}")

# Set alert threshold
if usage['today_usage'] > DAILY_LIMIT:
    send_alert("Usage abnormal!")

Token Leakage Handling

If Token Leaked

1

Immediately Revoke

Immediately revoke leaked Token in console
2

Check Usage Records

Check recent usage records for unusual activitiesUsage Records
3

Assess Impact

Evaluate potential losses:
  • Unusual API calls?
  • Abnormal cost increases?
  • Sensitive data leaks?
4

Create New Token

Create new replacement Token
5

Update Applications

Update all applications to use new Token
6

Contact Support

If unusual usage found, contact support:

Prevent Leakage

Prevention Measures
  1. ✅ Use environment variables
  2. ✅ Add keys to .gitignore
  3. ✅ Do not share keys in chat/email
  4. ✅ Use different keys for different environments
  5. ✅ Enable IP whitelist
  6. ✅ Regularly rotate keys
  7. ✅ Monitor usage logs
  8. ✅ Set usage limits

Programmatic Management

Create Token via API

import requests

# Create new Token
response = requests.post(
    "https://api.laozhang.ai/v1/api-keys",
    headers={
        "Authorization": "Bearer your_admin_token",
        "Content-Type": "application/json"
    },
    json={
        "name": "New Production Token",
        "billing_method": "usage_based",
        "permissions": ["chat", "completion"],
        "expires_at": "2025-12-31T23:59:59Z"
    }
)

new_token = response.json()
print(f"New Token: {new_token['key']}")

List Tokens

# Get all Tokens
response = requests.get(
    "https://api.laozhang.ai/v1/api-keys",
    headers={"Authorization": "Bearer your_admin_token"}
)

tokens = response.json()
for token in tokens['data']:
    print(f"Name: {token['name']}, Status: {token['status']}")

Revoke Token

# Revoke specified Token
token_id = "key_123456"
response = requests.delete(
    f"https://api.laozhang.ai/v1/api-keys/{token_id}",
    headers={"Authorization": "Bearer your_admin_token"}
)

if response.status_code == 200:
    print("Token successfully revoked")

Common Issues

Possible Causes:
  1. Token Incorrect
    • Check for extra spaces or newlines when copying
    • Ensure complete Token copied
    • Check for character confusion (0/O, 1/l, etc.)
  2. Token Revoked
    • Check Token status in console
    • May have been manually revoked
    • May have reached expiration time
  3. Token Expired
    • Check Token expiration time
    • Recreate if expired
Solutions:
# Test Token validity
import requests

response = requests.get(
    "https://api.laozhang.ai/v1/models",
    headers={"Authorization": f"Bearer {api_key}"}
)

if response.status_code == 200:
    print("Token valid")
else:
    print(f"Token invalid: {response.json()}")
Yes, can create multiple TokensUse Cases:
  • Different environments (development/testing/production)
  • Different projects
  • Different billing methods
  • Different permission levels
Limits:
  • Standard users: Up to 10 Tokens
  • Professional users: Up to 50 Tokens
  • Enterprise users: Unlimited
Cannot directly change billing methodSolutions:
  1. Create new Token with desired billing method
  2. Update applications to use new Token
  3. Revoke old Token
Note:
  • Usage records remain independent
  • Balance is shared (same account)
Set Usage Limits:
1

Edit Token

Click “Edit” next to Token
2

Set Limits

Configure:
  • Daily limit (calls or amount)
  • Monthly limit
  • Single request maximum tokens
  • Allowed models
3

Save Settings

Click “Save” button
Example:
{
  "daily_limit": {
    "requests": 1000,
    "amount": 10
  },
  "monthly_limit": {
    "amount": 300
  },
  "max_tokens_per_request": 4000,
  "allowed_models": ["gpt-3.5-turbo", "gpt-4"]
}
Cannot Retrieve Lost TokenToken only displays once when created, cannot be retrieved later for security.Solutions:
  1. Create new Token as replacement
  2. Update all applications to use new Token
  3. Revoke old Token (optional)
Prevention:
  • Immediately save Token after creation
  • Use password manager to store
  • Save to secure configuration management system

Best Practices

1. Environment Isolation

Use different Tokens for different environments: 
Development Environment
  ├── Token: dev_token
  ├── Budget: $10/month
  └── Models: gpt-3.5-turbo only

Testing Environment
  ├── Token: test_token
  ├── Budget: $50/month
  └── Models: All models

Production Environment
  ├── Token: prod_token
  ├── Budget: $500/month
  ├── IP Whitelist: Server IPs only
  └── Monitoring: Alert enabled

2. Token Naming

Use clear naming conventions: 
[Environment]-[Project]-[Purpose]-[Date]

Examples:
- prod-webapp-api-2024-01
- dev-mobile-testing-2024-01
- test-integration-demo-2024-01

3. Regular Audits

Establish regular audit mechanisms: 
Weekly:
- Check Token usage
- Review unusual activities
- Verify IP whitelist

Monthly:
- Review all Tokens necessity
- Revoke unused Tokens
- Update Token permissions
- Rotate high-risk Tokens

Quarterly:
- Comprehensive security audit
- Update security policies
- Staff security training
I