Only Workspace Owner, Admin, and Editor roles have the permissions to create and publish Web Apps. For details on each member’s permissions, please refer to Member Permission Management.
After creating a Web App, the default application access permission is “Specific Members Within Platform”. If the scope is left empty, it means it is not open to any members.

Modify Web App Access Permissions

Modify Web App access permissions through the following entries:
  1. Access the Studio page and click Web App Access Permissions in the menu at the bottom right corner of the application.
  2. Enter the Web App editing page and click Web App Access Permissions in the menu button at the top left corner.
  3. Enter the Web App editing interface and click the Publish button in the top right corner. Select Web App access permissions in the Who can access web app area.
Web App provides four types of access permissions:

All Members Within Platform

For internal users, i.e., members within Dify Enterprise need to pass internal user identity authentication when accessing Web App links. For detailed configuration instructions, please refer to Internal User Authentication.
Only members who have joined Dify Enterprise can access the Web App. When accessing the application link, a login verification page will pop up. Users can use account and password, account and verification code, or SSO authentication, and can access the Web App after passing verification.
If Web App SSO settings were enabled in Dify Enterprise versions earlier than 2.8.x, after upgrading to v2.8.x, the current Web App’s access permission scope will be automatically set to Authenticated External Users.
After enabling this option, users can access the application by visiting the Web App URL or in the Explorer page of the workspace.

Specific Members Within Platform

For internal users, i.e., members within Dify Enterprise. Users need to pass internal user identity authentication when accessing Web App links. For detailed configuration instructions, please refer to Internal User Authentication.
Default permission option when creating a new Web App, restricting the Web App to only specific group members within the team. For example, a Web App created by the “Sales Department” containing sensitive sales data is only open to members within the Sales Department. If you select this permission option but have not yet added any groups or members, the Web App is in a state where no one can access it. Configuration Methods:
  • Allow Specific Groups to Access
Click the Add button to add specific groups. All members within the group will automatically obtain access to the Web App. When new members are added to the group, the system will automatically grant them Web App access permissions; when members are removed from the group, the system will automatically revoke their Web App access permissions.
  • Allow Specific Members to Access
Selected members will always have Web App access permissions, even if they are removed from the group, they will still have Web App access permissions; unselected members in the same group cannot access the Web App.
When selecting specific groups or members for access but no groups or members have been added yet, the Web App is in a state where no one can access it, and operations such as generating Web App access links and obtaining Web App embed codes cannot be performed.
Workspace Owner, Admin, and Editor have permissions to access and edit all Web Apps within the Workspace. However, please note that if the Owner or Admin is not added to the Web App’s “Specific Members Within Platform” list, they still cannot access the Web App through online links.

Authenticated External Users

For external users, i.e., members outside Dify Enterprise. To learn how to configure SSO for external members, please refer to Web App External User Authentication.
After selecting this option, users outside the Dify Enterprise platform will be required to pass SSO authentication when accessing Web App links. Enterprise administrators can uniformly monitor and manage external users through third-party identity providers (IdP), keeping them isolated from member data within Dify Enterprise. Common Configuration Scenarios:
  • Large enterprises: Only IT department personnel need to join Dify Enterprise for application orchestration. After publishing applications, they are used by employees in other departments without requiring everyone to join Dify Enterprise.
  • External suppliers: Providing AI-driven services to external partners, such as partner intelligent training assistants, knowledge base Q&A, etc.
  • Product consultation platform: Providing intelligent product introductions and technical support to potential customers.
If you find a disable reminder appears on the right side of this option, please contact the system administrator to go to the admin backend and check whether Web App external user SSO authentication has been configured and enabled. For detailed instructions, please refer to Web App External User Authentication.

Anyone

This option will allow any user who obtains the internet link to access the Web App without requiring an authentication process. It is usually suitable for publicly demonstrated Web Apps, customer-facing services, or public resources.

Accessing Web App

Team members can view and access all Web Apps that are open to them within the enterprise on the Explorer page.

Other Web App Publishing Options

After completing Web App permission configuration, you can also use the following features in the Web App publishing panel:

Embed in Website

Get embed code to embed the Web App into other websites.

Frequently Asked Questions

Do I need to republish the Web App for permission changes to take effect?

No. Permission changes take effect immediately without needing to republish the Web App. However, please note that the current sessions of members who have already obtained access permissions will not immediately become invalid and may need to wait for the session to expire before the new Web App permission settings take effect.

How to ensure that only specific members can access my Web App?

You can select the “Specific Groups or Members” option and then add the members you need to grant access permissions to.

How to check who has permission to access my Web App?

You can view the list of groups and members who currently have access to the Web App in the Who can access web app option on the Web App’s publishing page.

How to choose the appropriate permission mode?

It is recommended to choose according to the following principles:
  • Internal collaboration tools: Choose “All Members Within Platform”
  • Department-specific Web App: Choose “Specific Members Within Platform”
  • Customer service Web App: Choose “Authenticated External Users”
  • Public demonstration: Choose “Anyone” (please use with caution)

Will adjusting Web App access permissions affect API calls?

No. The API access permissions of Web Apps are independently controlled by API Keys and are unrelated to Web App access permissions. As long as you ensure that the API Key remains valid and is not leaked, you can normally call the Web App through the API. Even if you change the Web App’s access permission settings, it will not affect the call permissions of existing API Keys.