difyctl never sees your corporate password.
External SSO is for people without a Dify account. If your email already belongs to a Dify account, this sign-in is rejected; sign in as an account user instead.
Sign In
Run the login command
https://.Sign in with your corporate identity
difyctl prints a one-time code and a verification URL, opens the URL in your default browser, and waits:Sign In Again
If a command fails withauth_expired (exit code 4), the server has expired or revoked your session.
Run difyctl auth login again. You don’t need to sign out first, and the new sign-in replaces the stored token.
Where Your Token Lives
Signing in stores an OAuth bearer token, recognizable by itsdfoe_ prefix. It represents your corporate identity on this Dify host and carries only the access your company granted it. For what that access covers, see Scope and Limitations.
difyctl keeps the token in your operating system’s credential store when one is available: Keychain on macOS, Credential Manager on Windows, Secret Service on Linux. If no credential store responds, it falls back to a tokens.yml file with 0600 permissions in the difyctl config directory, next to the session metadata in hosts.yml.
The config directory is ~/.config/difyctl on macOS and Linux and %APPDATA%\difyctl on Windows. Set DIFY_CONFIG_DIR to override it.
Check Who You’re Signed In As
Sign Out
difyctl auth login against the same host replaces the session.
If It Fails
| Problem | What to do |
|---|---|
| The browser never opens | Copy the URL from the terminal and open it on any device. Normal over SSH and in headless sessions. |
| The code expired | Codes are valid for 15 minutes. Re-run difyctl auth login to get a fresh one. |
Sign-in was denied (access_denied) | The authorization was rejected in the browser step. Check with your administrator that your account is enabled for Dify. |
| The browser says your email belongs to a Dify account | External SSO is only for users without a Dify account. Sign in as an account user instead. |
| The host is rejected | Only https:// hosts are accepted; a host without a scheme defaults to https://. |
A later command fails with auth_expired | The server expired or revoked your session. Sign in again. |