difyctl holds a scoped session that represents your corporate identity on your company’s Dify host. It carries only the access your administrator granted you.
What You Can Do
- See the apps you’re allowed to run.
difyctl get applists the apps your administrator permitted for you, not every app on the host. - Inspect an app’s inputs.
describe appshows a permitted app’s type and the inputs it expects, so you can build a correct invocation. - Run a permitted app.
run appinvokes it and prints the response, the same way an account user does. - Resume a paused workflow. When a workflow you ran pauses for human input,
resume appcontinues it. - Work locally.
auth whoami,version, andhelpneed no special access.
What You Can’t Do
Running the apps you were given is the full scope of your session. The rest ofdifyctl is out of reach:
- No workspace. An external SSO session isn’t tied to a workspace, so
get workspaceanduse workspacedon’t apply, and neither does the--workspaceflag. - No browsing beyond your permitted apps.
get appreturns only what your administrator granted, and-A(all workspaces) doesn’t apply. You can’t list or reach other apps on the host. - No exporting or importing apps.
- No workspace or member management.
How Permission Errors Look
When you try something outside your scope, the server refuses it with an HTTP 403, whichdifyctl reports as a server_4xx_other error and exit code 1.
This is distinct from a denied sign-in: access_denied (exit 4) means the authorization itself was rejected during the browser step, not that a command fell outside your scope. See Output Formats and Exit Codes for the full scheme.