Skip to main content
difyctl can hold sign-ins for several Dify hosts and accounts at once. Each host and account pair is a context: its metadata lives in hosts.yml in the config directory, and its bearer token lives in your OS credential store (with a protected file fallback). Each task maps to one command: For the step-by-step sign-in walkthrough, see Authenticate.

Sign In

auth login runs the OAuth 2.0 device flow: it prints a one-time code and a verification URL, opens the URL in your browser, and waits for you to approve the sign-in there. The CLI never sees your password.

Flags

Examples

Sign in to your Dify host:
Sign in from an SSH session, opening the verification URL on another device:

Output

The code prompt goes to stderr, then a spinner waits for the browser-side approval:
On success, the confirmation goes to stdout:
The Workspace: line is your default workspace. Each sign-in also registers a server-side session, labeled difyctl on <hostname>. Run auth devices list to see all your sessions. Signing in to a host you’re already signed in to refreshes that context’s stored token.

Exit Codes

See Output Formats and Exit Codes for the full scheme.

Check Your Active Identity

auth whoami prints who the active context belongs to. It reads the stored context without contacting the server, so it answers “which identity is active”, not “is the token still valid”. It exits 0 even if the session has expired server-side.

Flags

Examples

For scripts:

Output

The --json output is a single line with id, email, and name:

Exit Codes

List Your Saved Contexts

auth list shows every stored host and account pair and marks the active one. Like auth whoami, it is purely local and never contacts the server.

Flags

Examples

Output

Default table:
-o json:

Exit Codes

Sign Out

auth logout revokes the active context’s session on the server, then deletes its token and hosts.yml entry from your machine. Other saved contexts are untouched. The local cleanup always happens. If the server-side revoke fails, difyctl prints a warning on stderr and clears your credentials anyway. The same applies when the token sits in an OS keychain that can’t be read at sign-out (locked, or no desktop session): the revoke is skipped and the local cleanup still runs.

Flags

None.

Examples

Output

Exit Codes

Switch the Active Host

use host changes which stored host subsequent commands run against. It is local: it only re-points the active context among the sign-ins you already have. To add a new host, run auth login --host instead.

Flags

Examples

Switch to a stored host by its domain:

Output

On success, the new active host is confirmed:
A domain you haven’t signed into fails as a usage error that lists your known hosts.

Exit Codes

Switch the Active Account

use account changes which stored account is active on the current host. Like use host, it is local and only switches between sign-ins you already have.

Flags

Examples

Switch to another account on the active host:

Output

On success, the new active account is confirmed:
An email that isn’t stored on the active host fails as a usage error that lists your known accounts. An account whose stored token is gone (revoked, or cleared by a session revoke) fails with a not-logged-in error and a hint to sign in again.

Exit Codes

List Your Active Sessions

Every device-flow sign-in registers a server-side session, labeled difyctl on <hostname> by default. auth devices list shows the sessions active for your account so you can spot and revoke ones you don’t recognize.

Flags

Examples

List the sessions active for your account:

Output

The table marks the session your current sign-in uses with *. LAST USED is empty for a session you haven’t used since signing in. --json prints a single line of JSON: a data array with one entry per session, plus the paging fields page, limit, total, and has_more. Each entry carries id, prefix, client_id, device_label, created_at, last_used_at, and expires_at.

Exit Codes

Revoke Sessions

auth devices revoke ends sessions server-side. The target matches by exact label first, then by exact session ID, then by case-insensitive label substring. A target that matches more than one session fails with the candidates listed, so pass an exact ID to disambiguate. In a terminal, difyctl first asks you to confirm; pass -y/--yes to skip the prompt. Outside a terminal (a script or pipe), it revokes without prompting. If you revoke the session your current sign-in uses, difyctl also clears that context’s local credentials: you are signed out on this machine.

Arguments

  • <target>: a device label or session ID from auth devices list. Required unless --all is passed.

Flags

Examples

Revoke one session by its label:
Sign out everywhere else, keeping this machine’s session:

Output

On success, difyctl prints ✓ Revoked <N> session(s). A named target that matches nothing fails with no session matches "<target>". --all with no other sessions prints no sessions to revoke and exits 0.

Exit Codes

See Output Formats and Exit Codes for the full scheme.
Last modified on July 16, 2026