difyctl never sees your password.
Sign In
1
Run the login command
Pass your Dify host’s URL. For Dify Cloud, use If no browser opens (normal over SSH and in headless sessions), open the URL yourself on any device.
https://cloud.dify.ai; on a self-hosted deployment, use the console API URL.difyctl prints a one-time code, opens the verification URL in your default browser, and waits:2
Approve the sign-in in your browser
In the browser tab that opens, sign in with your Dify credentials and enter the one-time code.The code expires after 15 minutes. If it expired, re-run
difyctl auth login to get a fresh one.3
Confirm the session
Back in the terminal:The second line is your workspace.
Sign In Again
If a command fails withauth_expired (exit code 4), the server has expired or revoked your session.
Run difyctl auth login again. You don’t need to sign out first, and the new sign-in refreshes your stored token.
Check Who You’re Signed In As
--json:
Sign Out
Where Your Token Lives
Signing in stores an OAuth bearer token, recognizable by itsdfoa_ prefix. It represents you: whatever your account can do in your workspace, the token can do from the CLI.
difyctl keeps the token in your operating system’s credential store when one is available: Keychain on macOS, Credential Manager on Windows, Secret Service on Linux. If no credential store responds, it falls back to a tokens.yml file with 0600 permissions in the difyctl config directory.
difyctl picks the store once when you sign in, and the session uses it from then on. Session metadata (hosts, accounts, workspaces) lives alongside the token in hosts.yml.
The config directory is ~/.config/difyctl on macOS and Linux (Linux honors XDG_CONFIG_HOME) and %APPDATA%\difyctl on Windows. Set DIFY_CONFIG_DIR to override it.
Troubleshooting
For everything else, see the full Troubleshooting page.