SkillsMar 30, 2026·1 min read

Lark CLI Skill: Shared — Auth, Config & Security

Lark/Feishu CLI shared foundation skill. App config, auth login, identity switching, scope management, and security rules.

Lark / Feishu · Community

Agent ready

Safe staging for this asset

This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.

Stage only · 17/100Policy: stage

Agent surface

Any MCP/CLI agent

Kind

CLI Tool

Install

Stage only

Trust

Trust: Community

Entrypoint

Lark CLI Skill: Shared — Auth, Config & Security

Safe staging command

npx -y tokrepo@latest install 24871f37-2824-450b-893a-bf2815d8b9fc --target codex

Stages files first; activation requires review of the staged README and plan.

TL;DR

Foundation skill for Lark/Feishu CLI covering app authentication, config management, identity switching, and security rules.

§01

What it is

The Lark CLI Shared Skill is the foundation layer for Lark/Feishu command-line automation. It provides app configuration, authentication login flows, identity switching between multiple Lark apps, scope management for API permissions, and security rules for safe CLI operations.

This skill is for developers and DevOps engineers who automate Lark/Feishu workflows via CLI. If you manage multiple Lark apps, need to switch between identities, or want to script Lark API interactions, this skill provides the authentication plumbing.

§02

How it saves time or tokens

Instead of manually handling OAuth tokens, refresh cycles, and multi-app credential management, this skill provides a single lark-cli auth login command that handles the entire flow. Identity switching lets you move between apps without re-authenticating. Scope management ensures your CLI sessions have the right permissions before making API calls, preventing failed requests and wasted debugging time.

§03

How to use

Install the Lark CLI and skill: npm install -g @larksuite/cli then npx skills add larksuite/cli -y -g.
Initialize configuration: lark-cli config init to set up your app credentials.
Authenticate: lark-cli auth login --recommend to start the auth flow with recommended scopes.

§04

Example

# Install and configure
npm install -g @larksuite/cli
npx skills add larksuite/cli -y -g
lark-cli config init

# Authenticate with recommended scopes
lark-cli auth login --recommend

# Switch between app identities
lark-cli auth switch --app my-production-app

# Check current auth status
lark-cli auth status

# List available scopes
lark-cli auth scopes list

§05

Related on TokRepo

AI tools for automation -- CLI automation tools and workflows
AI tools for API -- API integration and management tools

§06

Common pitfalls

Not running config init before attempting to authenticate. The CLI needs app credentials (App ID and App Secret) configured before the auth flow can start.
Forgetting to request necessary scopes during login. If your script needs specific API permissions, pass them during auth rather than discovering missing scopes at runtime.
Storing credentials in version control. The CLI config file contains sensitive tokens. Add the config directory to .gitignore and use environment variables for CI/CD pipelines.

Frequently Asked Questions

What is the difference between Lark and Feishu?+

Lark is the international version and Feishu is the Chinese domestic version of the same collaboration platform by ByteDance. The CLI works with both, but the API endpoints and app registration process differ between the two.

How does identity switching work?+

The CLI stores credentials for multiple Lark apps locally. The auth switch command lets you change which app identity is active for subsequent commands without re-authenticating. This is useful when managing staging and production apps.

Is the CLI suitable for CI/CD pipelines?+

Yes. You can authenticate using environment variables (LARK_APP_ID, LARK_APP_SECRET) instead of interactive login. The CLI supports non-interactive modes for automated pipelines.

What scopes should I request?+

Use the --recommend flag during login to get commonly needed scopes. For specific use cases, check the Lark API documentation for required scopes and pass them explicitly during auth login.

How are credentials stored securely?+

The CLI stores tokens in a local config directory with restricted file permissions. Tokens are refreshed automatically before expiration. For enhanced security, use environment variables and avoid storing credentials in the config file.