difyctl can hold sign-ins for several Dify hosts and accounts at once. Each host and account pair is a context: its metadata lives in hosts.yml in the config directory, and its bearer token lives in your OS credential store (with a protected file fallback).
Each task maps to one command:
difyctl auth loginsigns you in to a hostauth whoamiprints the identity you’re signed in asauth listlists your saved contextsauth logoutsigns you out of the active hostuse host/use accountswitch the active contextauth devices listlists your active sessionsauth devices revokerevokes sessions you don’t recognize
Sign In
auth login runs the OAuth 2.0 device flow: it prints a one-time code and a verification URL, opens the URL in your browser, and waits for you to approve the sign-in there. The CLI never sees your password.
Flags
Examples
Sign in to your Dify host:Output
The code prompt goes to stderr, then a spinner waits for the browser-side approval:Workspace: line is your default workspace.
Each sign-in also registers a server-side session, labeled difyctl on <hostname>. Run auth devices list to see all your sessions. Signing in to a host you’re already signed in to refreshes that context’s stored token.
Exit Codes
See Output Formats and Exit Codes for the full scheme.
Check Your Active Identity
auth whoami prints who the active context belongs to. It reads the stored context without contacting the server, so it answers “which identity is active”, not “is the token still valid”. It exits 0 even if the session has expired server-side.
Flags
Examples
Output
--json output is a single line with id, email, and name:
Exit Codes
List Your Saved Contexts
auth list shows every stored host and account pair and marks the active one. Like auth whoami, it is purely local and never contacts the server.
Flags
Examples
Output
Default table:
-o json:
Exit Codes
Sign Out
auth logout revokes the active context’s session on the server, then deletes its token and hosts.yml entry from your machine. Other saved contexts are untouched.
The local cleanup always happens. If the server-side revoke fails, difyctl prints a warning on stderr and clears your credentials anyway.
The same applies when the token sits in an OS keychain that can’t be read at sign-out (locked, or no desktop session): the revoke is skipped and the local cleanup still runs.
Flags
None.Examples
Output
Exit Codes
Switch the Active Host
use host changes which stored host subsequent commands run against. It is local: it only re-points the active context among the sign-ins you already have. To add a new host, run auth login --host instead.
Flags
Examples
Switch to a stored host by its domain:Output
On success, the new active host is confirmed:Exit Codes
Switch the Active Account
use account changes which stored account is active on the current host. Like use host, it is local and only switches between sign-ins you already have.
Flags
Examples
Switch to another account on the active host:Output
On success, the new active account is confirmed:Exit Codes
List Your Active Sessions
difyctl on <hostname> by default. auth devices list shows the sessions active for your account so you can spot and revoke ones you don’t recognize.
Flags
Examples
List the sessions active for your account:Output
*. LAST USED is empty for a session you haven’t used since signing in.
--json prints a single line of JSON: a data array with one entry per session, plus the paging fields page, limit, total, and has_more. Each entry carries id, prefix, client_id, device_label, created_at, last_used_at, and expires_at.
Exit Codes
Revoke Sessions
auth devices revoke ends sessions server-side. The target matches by exact label first, then by exact session ID, then by case-insensitive label substring. A target that matches more than one session fails with the candidates listed, so pass an exact ID to disambiguate.
In a terminal, difyctl first asks you to confirm; pass -y/--yes to skip the prompt. Outside a terminal (a script or pipe), it revokes without prompting.
If you revoke the session your current sign-in uses, difyctl also clears that context’s local credentials: you are signed out on this machine.
Arguments
<target>: a device label or session ID fromauth devices list. Required unless--allis passed.
Flags
Examples
Revoke one session by its label:Output
On success,difyctl prints ✓ Revoked <N> session(s). A named target that matches nothing fails with no session matches "<target>". --all with no other sessions prints no sessions to revoke and exits 0.
Exit Codes
See Output Formats and Exit Codes for the full scheme.