docs/usage/channels/lark.mdx
By connecting a Lark channel to your LobeHub agent, team members can interact with the AI assistant directly in Lark private chats and group conversations.
If you are using the Chinese version (飞书), please refer to the Feishu setup guide.
Visit open.larksuite.com/app and sign in with your account.
Click Create Enterprise App. Fill in the app name (e.g., "LobeHub Assistant"), description, and icon, then submit the form.
Go to Credentials & Basic Info and copy:
cli_xxx)Important: Keep your App Secret confidential. Never share it publicly.
</Steps>
In your app settings, go to Permissions & Scopes, click Batch Import, and paste the JSON below to grant the bot all necessary permissions.
{
"scopes": {
"tenant": [
"application:application.app_message_stats.overview:readonly",
"application:application:self_manage",
"application:bot.menu:write",
"cardkit:card:read",
"cardkit:card:write",
"contact:user.employee_id:readonly",
"event:ip_list",
"im:chat.members:bot_access",
"im:message",
"im:message.group_at_msg:readonly",
"im:message.p2p_msg:readonly",
"im:message:readonly",
"im:message:send_as_bot",
"im:resource"
],
"user": []
}
}
<Callout type={'info'}>
The scopes above are tailored for Lark (international). Some Feishu-specific scopes (e.g. aily:*, corehr:*, im:chat.access_event.bot_p2p_chat:read) are not available on Lark and have been excluded.
</Callout>
Go to App Capability → Bot. Toggle the bot capability on and set your preferred bot name. </Steps>
In LobeHub, navigate to your agent's settings, then select the Channels tab. Click Lark from the platform list.
Enter the following fields:
You don't need to fill in Verification Token or Encrypt Key at this point — you can set them up after configuring the Event Subscription in Step 4.
Click Save Configuration. After saving, an Event Subscription URL will be displayed. Copy this URL — you will need it in the next step.
</Steps>
Go back to your app in the Lark Developer Portal. Navigate to Event Subscription.
Paste the Event Subscription URL you copied from LobeHub into the Request URL field. The platform will verify the endpoint automatically.
Add the following event:
im.message.receive_v1 — Triggered when a message is receivedThis allows your app to receive messages and forward them to LobeHub.
After configuring Event Subscription, you can find the Verification Token and Encrypt Key at the top of the Event Subscription page under Encryption Strategy.
Go back to LobeHub's channel settings and fill in:
Click Save Configuration again to apply.
</Steps>
In your app settings, go to Version Management & Release. Create a new version with release notes.
Submit the version for review and publish. For enterprise self-managed apps, approval is typically automatic.
</Steps>
Back in LobeHub's channel settings, click Test Connection to verify the credentials. Then find your bot in Lark by searching its name and send it a message to confirm it responds.
One optional field under Advanced Settings carries a lot of weight in day-to-day use — fill it in once and most surprises go away.
This is your own Lark open_id (the per-app, per-user identifier — not the same as your Lark mobile number or email), used by:
/approve <code> is the owner's command and the runtime checks the sender against this ID.To get it: DM the bot once and inspect the inbound event payload — the open_id field on the sender is yours. The Lark Developer Portal also exposes a User ID lookup that maps mobile/email to open_id. Paste it into Your Platform User ID in LobeHub's Advanced Settings.
Lark doesn't expose a single "default server" concept that AI tools can pivot on (the bot operates per-tenant via credentials), so the Default Server field is not exposed for Lark channels.
Two independent policies gate inbound traffic. Both default to Open.
A populated Allowed User IDs field is a global gate — DMs and group @mentions are restricted to listed Lark open_id values. Empty means "no user-level filter". Read the open_id from the event payload, or copy the User ID displayed in the Lark Developer Portal.
Open only when the list is empty: Allowlist then fails closed (no DMs).Allowlist, but a non-listed sender receives a one-time pairing code instead of a flat rejection. Approve via /approve <code> and the applicant is auto-appended to Allowed User IDs. Requires Your Platform User ID to be set (the runtime checks the /approve sender against it) and a configured Redis backend.@mentions.Controls which Lark chat groups the bot will respond in.
@mentions in any chat group the bot has been added to.chat_id is listed in Allowed Channel IDs (read it from the event payload).See the Channels overview for cross-platform details.
| Field | Required | Description |
|---|---|---|
| App ID | Yes | Your Lark app's App ID (cli_xxx) |
| App Secret | Yes | Your Lark app's App Secret |
| Verification Token | No | Verifies webhook event source (recommended) |
| Encrypt Key | No | Decrypts encrypted event payloads |
| Event Subscription URL | — | Auto-generated after saving; paste into Lark Developer Portal |
| Allowed User IDs | No | Comma- or whitespace-separated Lark open_id values. Global gate — applies to DMs and group @mentions |
| DM Policy | No | open (default), allowlist, pairing, or disabled — who is allowed to DM the bot |
| Group Policy | No | open (default), allowlist, or disabled — where the bot responds to @mentions |
| Allowed Channel IDs | No | Comma- or whitespace-separated Lark chat_id values. Used when Group Policy is Allowlist |
im.message.receive_v1 event is subscribed.Disabled, switch to Open or Allowlist. If it is Allowlist, confirm the sender's open_id is listed in Allowed User IDs.