Skip to main content
When you sign in through external SSO, difyctl holds a scoped session that represents your corporate identity on your company’s Dify host. It carries only the access your administrator granted you.

What You Can Do

  • See the apps you’re allowed to run. difyctl get app lists the apps your administrator permitted for you, not every app on the host.
  • Inspect an app’s inputs. describe app shows a permitted app’s type and the inputs it expects, so you can build a correct invocation.
  • Run a permitted app. run app invokes it and prints the response, the same way an account user does.
  • Resume a paused workflow. When a workflow you ran pauses for human input, resume app continues it.
  • Work locally. auth whoami, version, and help need no special access.

What You Can’t Do

Running the apps you were given is the full scope of your session. The rest of difyctl is out of reach:
  • No workspace. An external SSO session isn’t tied to a workspace, so get workspace and use workspace don’t apply, and neither does the --workspace flag.
  • No browsing beyond your permitted apps. get app returns only what your administrator granted, and -A (all workspaces) doesn’t apply. You can’t list or reach other apps on the host.
  • No exporting or importing apps.
  • No workspace or member management.

How Permission Errors Look

When you try something outside your scope, the server refuses it with an HTTP 403, which difyctl reports as a server_4xx_other error and exit code 1. This is distinct from a denied sign-in: access_denied (exit 4) means the authorization itself was rejected during the browser step, not that a command fell outside your scope. See Output Formats and Exit Codes for the full scheme.

Asking for More Access

If you need an app that isn’t in your list, or a capability that’s out of scope, ask your Dify administrator. Access is granted on their side, so signing in again won’t change what your session can reach until they update it.