Permissions
This document introduces the OAuth authorization mechanism and permission management for the Feishu plugin.
Authorization Modes
The Feishu plugin supports two authorization modes:
1. User Authorization (User Access Token)
This is the default and recommended mode:
- The bot calls Feishu APIs with the authorizing user's own identity
- The API can reach only what that user can already reach in Feishu; the scope is bounded by the user's own permissions
- No additional permission configuration is needed
Advantages:
- What the user can see, the bot can operate on, and nothing more
- No permission scopes to configure in the developer console
- A clearer and tighter security boundary: a misbehaving or compromised bot cannot reach beyond the access of the individual user it is acting for
2. Application Authorization (Tenant Access Token)
The bot calls APIs with the application's own identity:
- Permission scopes must be enabled in the developer console
- The bot can operate on every resource the app has been granted, regardless of which user is talking to it
Use Cases:
- Operating on resources the requesting user does not have access to
- Background automation tasks that run without a user in the loop
Because a tenant access token is not tied to any user, every user of the bot effectively inherits the app's full access; prefer user authorization unless one of the cases above genuinely requires the application identity.
First Authorization Flow
Automatic Trigger
When a user uses the plugin for the first time, the authorization flow is triggered automatically:
- The user sends a message to the bot
- The bot replies with an authorization card containing a QR code
- The user scans the code in Feishu and confirms the authorization
- After confirmation, the bot receives a user access token for that user and can act with their identity
Manual Trigger
Users can also trigger authorization manually:
Send the message `授权` ("authorize") or `/feishu_auth` to the bot
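The following is an added example, not code from the Feishu plugin, showing the bot-side bookkeeping a practitioner would want around the card/QR-code flow above: the `state` parameter in the card URL is random, single-use, time-limited and bound to the Feishu user who asked for authorization, so a callback can only link tokens to that same user. The authorization endpoint URL, the query parameter names, the 10-minute state lifetime and the shape of the token-exchange response are assumptions; the exchange itself is simulated so the example runs offline.

```python
# Added example, not code from the Feishu plugin: bot-side state handling for
# the card/QR-code authorization flow. AUTHORIZE_URL, the query parameter names,
# STATE_TTL and the token response fields are assumptions; the code -> token
# exchange is simulated so this runs offline.
import secrets
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

AUTHORIZE_URL = "https://open.feishu.cn/open-apis/authen/v1/authorize"  # assumed
STATE_TTL = 600  # seconds a pending authorization request stays valid (assumed)


@dataclass
class PendingAuth:
    open_id: str       # Feishu user who asked for authorization in chat
    expires_at: float  # after this point the state is rejected


@dataclass
class AuthBroker:
    app_id: str
    redirect_uri: str
    pending: Dict[str, PendingAuth] = field(default_factory=dict)  # state -> request
    tokens: Dict[str, dict] = field(default_factory=dict)          # open_id -> tokens

    def start(self, open_id: str, now: float) -> str:
        """Build the URL embedded in the authorization card / QR code.

        A fresh, unguessable state is bound to the user who sent the message, so
        the redirect can only complete authorization for that same user.
        """
        state = secrets.token_urlsafe(32)
        self.pending[state] = PendingAuth(open_id, now + STATE_TTL)
        query = urllib.parse.urlencode(
            {"app_id": self.app_id, "redirect_uri": self.redirect_uri, "state": state}
        )
        return f"{AUTHORIZE_URL}?{query}"

    def complete(self, state: str, code: str, exchange: Callable[[str], dict],
                 now: float) -> Optional[str]:
        """Handle the redirect back from Feishu (code and state query params).

        Returns the open_id whose tokens were stored, or None when the callback
        is rejected: unknown or replayed state, expired state, or a scan by a
        different Feishu identity than the one that requested authorization.
        """
        req = self.pending.pop(state, None)  # one-time use: a second use fails
        if req is None or now > req.expires_at:
            return None
        tok = exchange(code)  # real flow: POST the code to Feishu's token endpoint
        if tok.get("open_id") != req.open_id:
            return None  # never link another person's identity to this chat user
        self.tokens[req.open_id] = {
            "access_token": tok["access_token"],
            "refresh_token": tok["refresh_token"],
            "expires_at": now + tok["expires_in"],
        }
        return req.open_id


def state_from_url(url: str) -> str:
    """Pull the state parameter back out of the card URL (used by the demo)."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]


def simulated_exchange(scanner_open_id: str) -> Callable[[str], dict]:
    """Constructed stand-in for the code -> token exchange (assumed shape):
    an access token valid for about 2 hours, a refresh token, and the identity
    of the Feishu account that actually scanned and confirmed."""
    def exchange(code: str) -> dict:
        return {"open_id": scanner_open_id, "access_token": f"u-{code}",
                "refresh_token": f"ur-{code}", "expires_in": 7200}
    return exchange


def demo() -> dict:
    """Run the flow through its success and failure cases; returns what happened."""
    broker = AuthBroker(app_id="cli_example", redirect_uri="https://bot.example/feishu/callback")
    t0 = 1_700_000_000.0
    out = {}
    # Happy path: ou_alice sends "授权", scans the card, confirms.
    state = state_from_url(broker.start("ou_alice", now=t0))
    out["ok"] = broker.complete(state, "c1", simulated_exchange("ou_alice"), now=t0 + 30)
    out["alice_has_token"] = "ou_alice" in broker.tokens
    # Replay: the same state presented a second time is refused.
    out["replay"] = broker.complete(state, "c1", simulated_exchange("ou_alice"), now=t0 + 31)
    # Stale card: scanned only after STATE_TTL has passed.
    old = state_from_url(broker.start("ou_bob", now=t0))
    out["expired"] = broker.complete(old, "c2", simulated_exchange("ou_bob"), now=t0 + STATE_TTL + 1)
    # Wrong scanner: ou_bob's card was confirmed from ou_mallory's Feishu account.
    s = state_from_url(broker.start("ou_bob", now=t0))
    out["wrong_user"] = broker.complete(s, "c3", simulated_exchange("ou_mallory"), now=t0 + 5)
    out["bob_has_token"] = "ou_bob" in broker.tokens
    return out
```

The identity check in `complete` is the part most often skipped: without it, a card generated for one chat user can be scanned by anyone who obtains the QR image, and that person's tokens would be stored under the original user's open_id.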
Permission Scope
User Identity Permissions
The permission scope of user identity authorization is exactly the user's own Feishu permissions:
- If the user can access only documents A and B, the API can access only A and B
- If the user's access to a document is removed, API calls against that document start failing as well, even though the token itself is still valid
This means:
- ✅ Documents you can see → Bot can also see
- ❌ Documents you can't see → Bot can't see either
App Permissions
Application authorization requires the corresponding API permissions to be enabled on the app permission management page of the Feishu Open Platform. Enable only the scopes for the features you actually use, since everything enabled there is reachable with the tenant access token:
| Feature | Required Permissions |
|---|---|
| Messaging | im:message:send_as, im:message:receive |
| Docs | doc:readonly, doc:upload, doc:create |
| Bitable | bitable:readonly, bitable:create |
| Calendar | calendar:readonly, calendar:event:create |
| Tasks | task:readonly, task:create |
| Drive | drive:readonly, drive:upload |
Revoke Authorization
Users can revoke authorization at any time:
Send the message `撤销授权` ("revoke authorization") or `/feishu_revoke` to the bot
After revocation:
- The bot can no longer call APIs on behalf of that user
- The user must authorize again to continue using the plugin
FAQ
Q: Still can't access certain documents after authorization?
Cause: With user authorization the bot's permissions are exactly the user's own Feishu permissions, so a document the user cannot open is also unreachable through the bot.
Solution:
- Confirm that the user has been granted access to that document in Feishu
- If the bot genuinely needs access beyond the user's own, use application identity authorization for that feature and enable the corresponding scope in the developer console, keeping in mind that this removes the per-user boundary
Q: What if the Token expires?
Note: A user access token expires after about 2 hours.
Solution: The plugin refreshes it automatically with the refresh_token; no user action is needed. If the refresh_token itself is no longer accepted, the next call fails and the user has to authorize again.
Q: What should I note for multi-user usage?
Recommendation:
- Each user must authorize separately; one user's token is never used to act for another
- Different users may have different permissions, so the same request can succeed for one user and fail for another
- Multi-account isolation can be configured so that tokens and sessions are kept per account
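The following is an added example, not the plugin's own code, that ties together the three behaviours described on this page: the roughly 2-hour user access token that is refreshed silently with the refresh_token (Token expiry FAQ), revocation that forgets a user's credentials (Revoke Authorization), and strict per-user isolation of token sets (multi-user FAQ). The shape of the refresh response and the 5-minute refresh margin are assumptions, and the refresh call is simulated so the example runs offline.

```python
# Added example, not code from the Feishu plugin: per-user token lifecycle with
# silent refresh, revocation and one token set per Feishu user. The refresh
# response fields and REFRESH_MARGIN are assumptions; the refresh endpoint is
# simulated so this runs offline.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

REFRESH_MARGIN = 300  # refresh this many seconds before expiry (assumed margin)


@dataclass
class UserToken:
    access_token: str
    refresh_token: str
    expires_at: float


class RefreshFailed(Exception):
    """Raised by the refresh function when Feishu rejects the refresh_token."""


class TokenVault:
    """Holds exactly one token set per Feishu user, keyed by open_id.

    Tokens are never shared between users: a call on behalf of ou_alice can
    only ever use ou_alice's token, so her permissions, and nobody else's,
    bound what the bot can do for her.
    """

    def __init__(self, refresh: Callable[[str], dict]):
        self._refresh = refresh
        self._by_user: Dict[str, UserToken] = {}

    def store(self, open_id: str, access_token: str, refresh_token: str,
              expires_in: int, now: float) -> None:
        self._by_user[open_id] = UserToken(access_token, refresh_token, now + expires_in)

    def access_token_for(self, open_id: str, now: float) -> Optional[str]:
        """Return a token usable right now, refreshing it if it is about to expire.

        None means the user must (re-)authorize: they never authorized, they
        revoked, or the refresh_token itself was rejected.
        """
        tok = self._by_user.get(open_id)
        if tok is None:
            return None
        if now < tok.expires_at - REFRESH_MARGIN:
            return tok.access_token
        try:
            new = self._refresh(tok.refresh_token)
        except RefreshFailed:
            del self._by_user[open_id]  # do not keep credentials known to be dead
            return None
        self.store(open_id, new["access_token"], new["refresh_token"], new["expires_in"], now)
        return new["access_token"]

    def revoke(self, open_id: str) -> bool:
        """Forget the user's tokens; later calls for that user return None."""
        return self._by_user.pop(open_id, None) is not None

    def authorized_users(self) -> List[str]:
        return sorted(self._by_user)


def make_simulated_refresh(valid_refresh_tokens: Set[str]) -> Callable[[str], dict]:
    """Constructed stand-in for the refresh endpoint (assumed response shape):
    rotates both tokens and rejects refresh tokens it no longer recognises."""
    counter = {"n": 0}

    def refresh(refresh_token: str) -> dict:
        if refresh_token not in valid_refresh_tokens:
            raise RefreshFailed(refresh_token)
        counter["n"] += 1
        new_rt = f"r{counter['n']}"
        valid_refresh_tokens.discard(refresh_token)  # old refresh token is single-use
        valid_refresh_tokens.add(new_rt)
        return {"access_token": f"u{counter['n']}", "refresh_token": new_rt, "expires_in": 7200}

    return refresh


def demo() -> dict:
    """Exercise fresh use, silent refresh, a rejected refresh, and revocation."""
    t0 = 1_700_000_000.0
    valid = {"r-alice", "r-bob"}  # constructed: refresh tokens Feishu still accepts
    vault = TokenVault(make_simulated_refresh(valid))
    vault.store("ou_alice", "u-alice", "r-alice", 7200, now=t0)
    vault.store("ou_bob", "u-bob", "r-bob", 7200, now=t0)
    out = {}
    out["fresh"] = vault.access_token_for("ou_alice", now=t0 + 60)         # still valid
    out["refreshed"] = vault.access_token_for("ou_alice", now=t0 + 7000)   # inside margin
    out["unknown_user"] = vault.access_token_for("ou_carol", now=t0)       # never authorized
    valid.discard("r-bob")  # Feishu side no longer accepts bob's refresh token
    out["refresh_rejected"] = vault.access_token_for("ou_bob", now=t0 + 7000)
    out["bob_still_listed"] = "ou_bob" in vault.authorized_users()
    out["revoked"] = vault.revoke("ou_alice")
    out["after_revoke"] = vault.access_token_for("ou_alice", now=t0 + 7001)
    return out
```

Every lookup goes through `access_token_for` with the requesting user's open_id, which is what makes "each user authorizes separately" enforceable: there is no code path that can hand one user's token to a request made by another.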
Next Steps
- Security - Security recommendations
- Tool Reference - Learn all available tools