Faray SSO Internal Use Only
Employee API Gateway

Faray Lark Gateway

Employee Feishu API access for CLI and Codex. Authorization is split into approved scope packs; employees can re-run login to grant missing packs without replacing existing grants.

Gateway Enabled | Keycloak first | Feishu user OAuth

Secret Boundary

Feishu app secret stays server-side

The production Gateway container holds the app credentials; employee machines receive only Gateway session tokens.

User Identity

Keycloak then Feishu OAuth

Gateway authorization starts with Faray SSO and then connects the employee's Feishu user grant.

API Scope

Approved OpenAPI JSON proxy

CLI and Codex workflows can call approved relative /open-apis/... JSON endpoints.
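
The following is an added example, not the Gateway's own code: one way a proxy could enforce the "approved relative /open-apis/..." rule before forwarding a request. The allowlist prefixes and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist (assumption): the Gateway's real approved-endpoint
# list is not shown on the page.
APPROVED_PREFIXES = ("/open-apis/calendar/", "/open-apis/contact/")


def validate_proxy_path(raw: str) -> str:
    """Return the path (plus query) to forward upstream, or raise ValueError."""
    if not raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("empty input, whitespace or control character")
    if "\\" in raw:
        raise ValueError("backslash")
    parts = urlsplit(raw)
    # Relative means no scheme and no host: rejects "https://host/..." and
    # scheme-relative "//host/...", either of which would retarget the proxy.
    if parts.scheme or parts.netloc:
        raise ValueError("not a relative path")
    decoded = unquote(parts.path)
    # Decode once, then refuse anything still encoded (double encoding) and
    # any encoded separator that changes the segment structure.
    if ("%" in decoded or "\\" in decoded
            or decoded.count("/") != parts.path.count("/")):
        raise ValueError("encoded separator or double encoding")
    segments = decoded.split("/")
    if segments[0] != "" or any(s in ("", ".", "..") for s in segments[1:]):
        raise ValueError("missing leading slash, empty or dot segment")
    # Trailing slash on each prefix stops "/open-apis/calendarX" matching.
    if not decoded.startswith(APPROVED_PREFIXES):
        raise ValueError("endpoint not under an approved prefix")
    return parts.path + ("?" + parts.query if parts.query else "")


def is_allowed(raw: str) -> bool:
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        validate_proxy_path(raw)
        return True
    except ValueError:
        return False
```

The checks run on the once-decoded path so that an encoded dot segment or separator cannot pass the prefix test and then resolve to a different endpoint upstream.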

Standard Pack

Common employee workflows

The current grant covers identity, contacts, calendar, approval, Base, Docs, Drive, Sheets, IM, Tasks, Wiki, Mail, and Minutes.

Need help signing in?

If CLI setup fails, confirm Gateway health first, then retry faray-lark login. If a workflow reports a missing Feishu scope pack, run faray-lark login again first so Feishu can issue any already-approved pack grants.

If the missing scope is not part of a current Gateway pack, send the scope name and failing command to the internal Gateway access request owner. An administrator must grant the scope in the Feishu developer console, update the Gateway scope-pack configuration, deploy the change, and then ask affected employees to run faray-lark login again.

Access is limited to authorized Faray employees and approved users.