All Products
Search
Document Center

Agent Identity:Securely access DingTalk from an agent

Last Updated:Jul 10, 2026

Use Agent Identity to enable an agent to call the DingTalk Open Platform and securely write data to DingTalk Docs.

Architecture

diagram_agentidentity_dingtalk

Prerequisites

Environment requirements

Your local test environment must have Python (version 3.10 or later) and the pip package manager installed.

User and permission requirements

  1. User requirements:

    1. A DingTalk Open Platform administrator: To manage applications on the DingTalk Open Platform.

    2. A script execution user (RAM user): To run the setup script and test the application locally.

  2. RAM permission requirements:

    The script execution user must have the following permissions:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "agentidentity:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "agentidentitydata:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": ["agentidentity.aliyuncs.com"]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:CreateApplication",
            "ram:CreateRole", 
            "ram:CreatePolicy",
            "ram:AttachPolicyToRole", 
            "ram:CreateAppSecret",
            "ram:DeleteApplication"
          ],
          "Resource": "*"
        }
      ]
    }

DashScope API key

Obtain a DashScope API key with permission to call Model Studio models. If you have not created one, see Create an API Key.

Step 1: Create and configure a DingTalk application

Create a DingTalk application

Follow the DingTalk OAuth credential provider setup tutorial to create a DingTalk application and configure it as an OAuth2 credential provider for Agent Identity.

Configure DingTalk application permissions

  1. Log on to the DingTalk Open Platform. Find the DingTalk application that you created and go to its details page.

  2. In the left-side navigation pane of the application details page, click Permission Management. In the permission search box, enter Document.Document.Write, and click Enable in the Actions column. This permission lets the DingTalk application overwrite the user's DingTalk documents on their behalf.

Step 2: Install and test the application locally

Get and prepare the sample code

  1. Clone the code repository. Open a local terminal and run the following command to clone the sample code.

    git clone https://github.com/aliyun/agent-identity-dev-kit.git
    cd agent-identity-dev-kit/agent_identity_python_samples/end-to-end_sample
  2. Install dependencies. Create and activate a Python virtual environment, and then install the required dependencies.

    pip install -r requirements.txt
  3. Configure environment variables.

    export AGENT_IDENTITY_REGION_ID=cn-beijing # Agent Identity is currently available only in the China (Beijing) region
    export DASHSCOPE_API_KEY=<your-api-key> # Your DashScope API key

Prepare RAM user credentials

Configure credentials locally for the script execution user mentioned in the User and permission requirements section.

Alibaba Cloud CLI

  1. Install the Alibaba Cloud CLI (skip if already installed). For details, see Quick start with CLI.

  2. Log on to the Alibaba Cloud CLI. For details, see Configure OAuth authentication for Alibaba Cloud CLI.

  3. Check the credential configuration. Run the command aliyun configure list to verify the credential configuration. The output should be similar to the following:

    Profile        | Credential          | Valid   | Region           | Language
    ---------      | ------------------  | ------- | ---------------- | --------
    OAuthProfile * | OAuth:xQcliVOdYA@CN | Valid   | cn-hangzhou      | zh

Access key (not recommended)

Create an access key for the script execution user and configure it in your local environment variables.

export ALIBABA_CLOUD_ACCESS_KEY_ID=<your-access-key-id>
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<your-access-key-secret>

Run the setup script

In the root directory of your local project, run the setup script prepare.py to automatically create the required cloud resources:

python -m prepare

This script performs the following actions:

  1. Creates an identity provider.

  2. Creates an Alibaba Cloud OAuth 2.1 inbound application.

  3. Creates an OAuth 2.1 native application required for Alibaba Cloud MCP services (not used in this tutorial).

  4. Creates a workload identity and a role.

  5. Configures the credential provider.

The script outputs information about the created resources to the .config.json file in the root directory.

If the script fails due to an exception, such as a network issue or an exceeded resource quota, clean up the created resources before running the script again:

python -m clear
Note

To avoid affecting other RAM resources in your account, the cleanup logic does not delete the role or any custom policies. You must delete them manually.

Configure the DingTalk credential provider in the code

  1. On the Agent Identity Credential Providers page, find the DingTalk credential provider that you created in Step 1 and copy its Credential Provider Name.

  2. In the deploy_starter/tools/ding_talk_tool.py file of your project, find the following code:

    @requires_access_token(
        credential_provider_name="test-provider-for-dingtalk",
        scopes=["openid", "corpid"],
        auth_flow="USER_FEDERATION",
        on_auth_url= on_auth,
        # force_authentication=True,
        callback_url= f"{get_config_with_default('APP_REDIRECT_URI', 'http://localhost:8090')}/callback",
        inject_param_name="access_token",
    )

    Replace the existing code with the following, and update the credential_provider_name value to the name of your DingTalk credential provider.

    @requires_access_token(
        credential_provider_name="your-dingtalk-credential-provider-name",
        scopes=["openid", "corpid"],
        auth_flow="USER_FEDERATION",
        on_auth_url= on_auth,
        # force_authentication=True,
        callback_url= f"{get_config_with_default('APP_REDIRECT_URI', 'http://localhost:8090')}/callback",
        inject_param_name="access_token",
        custom_parameters={"prompt": "consent"},
    )

Step 3: Test and verify

  1. Start the agent proxy service. In the root directory, run the following command:

    python -m deploy_starter.main
  2. Start the front-end and back-end applications. In the root directory, run the following command:

    python -m application.backend.app
  3. Access the application and interact with the agent:

    1. After the agent and the front-end/back-end applications start, open a browser and navigate to http://localhost:8090.

    2. Complete the Alibaba Cloud logon and user authorization process. In the application's chat window, interact with the model. For example, enter: "Write the following content to my DingTalk Doc: {DingTalk Doc link} {content to write}".

      After you send the prompt, the agent invokes the DingTalk tool and displays an authorization prompt: "Please click the link to authorize writing to DingTalk Docs", along with an OAuth2 authorization link (agentidentitydata.cn-beijing.aliyuncs.com/oauth2/authorize?request_uri=urn:ietf:params:oauth:request_uri:xxx). Click this link to authorize writing to the DingTalk Doc.

      Note

      You must obtain the link to an existing DingTalk Doc beforehand. This sample application cannot create new DingTalk Docs.

    3. Click the OAuth authorization URL in the response and complete the logon and authorization process using the account of the DingTalk Doc owner.

    4. After authorization is complete, the agent confirms that the document has been written successfully.

    5. Verify that the content has been written to the DingTalk Doc.

Note

You can combine the DingTalk writing feature with other MCP services. For example, follow the Use Agent Identity in Model Studio pro-code mode tutorial to write data retrieved from Alibaba Cloud MCP to a DingTalk Doc.

Important notes

  • To run the preparation script prepare.py again, first run the cleanup script in the project root directory:

    python -m clear
  • Do not change the constant configurations in the prepare.py script. Otherwise, the application may not work as expected.

  • To deploy the front-end and back-end applications to Alibaba Cloud (for example, on an ECS instance), associate an instance RAM role (such as an ECS instance role or a Function Compute instance role) with the back-end application's runtime environment. You must also grant the AliyunAgentIdentityDataCompleteAuthAccess system policy to the role. Otherwise, the agent cannot obtain an OAuth access token.