Skip to main content
This article covers frequently asked questions about the development process and permission management of internal apps. It is intended for organization developers who use the DingTalk Open Platform for app development, primarily Organization Admins and technical staff with development permissions.

What is an organization-authorized app

An organization-authorized app is an organization-level app, an app form from earlier versions of DingTalk. To use this type of app, you need to generate a dedicated API credential based on the organization’s unique identifier (Organization ID, namely CorpId) and security key (organization secret, namely CorpSecret). With the generated API credential, you can access development capabilities such as OpenAPI, Webhook, and Stream.
Only Organization Admins can view and manage organization-authorized API calls. Other users cannot perform these actions.

What is an organization-authorized API call

Sign in to the DingTalk Developer Console, and click More > Basic information > Development information (legacy) to find and record the organization identifier (CorpId) and organization secret (CorpSecret). Use these two values to generate a dedicated API credential that grants access to OpenAPI. This process is called an organization-authorized API call.
This is a legacy product from the early Open Platform. We recommend calling OpenAPI through an internal app instead. For details, see Get the access_token of an internal app.

How to stop an organization-authorized API call

Because the organization secret (CorpSecret) cannot be deleted directly, you can logically disable the organization-authorized API call feature by modifying the egress IP allowlist. Path: Sign in to the Developer Console → App Management → the target app → Security settings → Modify the egress IP address. Steps:
  1. Sign in to the DingTalk Developer Console.
  2. Select the target app from the app list to open its details page.
  3. Click Security settings.
  4. In the “Egress IP address” field, enter an invalid public IP address (for example, 0.0.0.0).
  5. Click Save to apply the settings.
Note: After you set an invalid IP, external services can no longer call the API with the existing credential, which effectively stops the authorized API call.

Troubleshooting

When debugging an internal app in the Mini Program IDE, the message “Sorry, you are not within the available scope of this app. Contact the admin to update the configuration” appears

Answer: Possible causes for this message during debugging include, but are not limited to:
  1. The user debugging the internal app is not in the developer list. Add the user under Developer Console > the target app > User management.
  2. No version has been uploaded for the internal app. Make sure the app version is uploaded in the Mini Program IDE, and then release the version under Developer Console > the target app > Version management and release.
  3. The user is not configured under Developer Console > the target app > Version management and release > Available scope.

Note

The available scope for an internal app mini program is displayed only after a version has been uploaded in the Mini Program IDE and released under Version management and release.

An internal micro app or mini program has no App Key or App Secret

Answer: Possible reasons why the App Key and App Secret are not shown for a created app:
  • When the internal app was created in the Developer Console, the development method Delegated ISV development was selected, so the credentials are not displayed in App Management.

Note

If delegated development is not actually required, select Self-developed by the organization.
  • The user is not the app creator and does not have the required permissions to view the App Key and App Secret. Ask the Super Admin to grant the corresponding app management permission under DingTalk Admin Console > Security and permissions > Manage permissions.