Connect Lark / Feishu
Wisteria’s AI ambient watcher reads documents from your team’s Lark / Feishu workspace to propose training courses automatically. Connection uses a self-built app — you create the app in your own Lark / Feishu developer console, grant it read access to Drive and Contacts, and paste its credentials into Wisteria.
This is different from Microsoft 365 and Google Workspace, which use admin-consent OAuth and Domain-Wide Delegation respectively. Lark and Feishu don’t expose either pattern for third-party apps, so the integration is per-tenant by design. The trade-off works in your favour: the app lives in your tenant, not Wisteria’s, and you can revoke it instantly from your own developer console.
Lark or Feishu?
| Edition | Used in | Developer console |
|---|---|---|
| Lark | International (Singapore, Japan, US, EU) | open.larksuite.com |
| Feishu | Mainland China | open.feishu.cn |
They’re the same product on different deployments. Pick the one your team uses — the magic-link form has a region selector for exactly this.
What gets accessed
When you create the self-built app, grant it these permission scopes:
| Scope | Why we need it |
|---|---|
| drive:drive:readonly | Read Docs and files in Lark Drive / Feishu Drive |
| drive:file:readonly | Read file content for AI evaluation |
| contact:user.base:readonly | Read user list so the AI evaluator understands org structure |
All scopes are read-only. Wisteria never writes, modifies, or deletes anything in your tenant.
Who can do this
You need a Lark / Feishu administrator with permission to create and publish self-built apps for your tenant. In most organisations this is the same person who manages the IT side of the workspace.
Setup steps
1. Open the magic link
A colleague who set up your Wisteria workspace will have sent you a one-time setup link by email. Open it and pick Lark or Feishu in the region selector.
If you don’t have the link, ask your colleague to send a fresh one from Settings → Integrations → Lark / Feishu → Set up via Lark admin inside Wisteria.
2. Open your developer console
- Lark — open open.larksuite.com
- Feishu — open open.feishu.cn
Sign in as a tenant administrator.
3. Create a self-built app
- Go to Developer Console → Custom Apps → Create Custom App.
- Name the app Wisteria (or anything you’ll recognise — the name is only visible inside your tenant).
- Upload a logo if you want; this is for your own admin UI.
- Save.
4. Grant the read scopes
In the app’s Permissions & Scopes tab, add:
- drive:drive:readonly
- drive:file:readonly
- contact:user.base:readonly
Save the permission set.
5. Publish to your tenant
In the Version Management & Release tab:
- Create a release.
- Set availability to your whole tenant (or a specific group of users if you want to scope access narrower).
- Submit for tenant review. For most tenants this is auto-approved; some enterprise tenants require an admin sign-off step.
The app must be in a Published state before Wisteria can call it.
6. Copy the credentials
Open the app’s Credentials & Basic Info tab. Copy:
- App ID (begins with cli_)
- App Secret
Both are sensitive — treat the secret like a password.
7. Paste into Wisteria
Back on the magic-link page:
- Confirm the Region matches what you set up (Lark international or Feishu China).
- Paste App ID and App Secret.
- Click Verify & finish setup.
Wisteria calls Lark / Feishu’s API with the credentials, confirms they work against your tenant, encrypts the App Secret at rest, and redirects you to a “Thanks, all done” screen. Your colleague gets an email letting them know.
What if Verify fails?
“Invalid app credentials” / error: 99991663
Most common cause: a leading or trailing space when copy-pasting. Re-copy from the developer console and try again. If the App Secret was rotated since the app was created, also re-copy it.
“App not in tenant” / “App not authorised”
The app exists but isn’t published to your tenant. Go back to the developer console, open Version Management & Release, confirm the release is published and the tenant scope includes the relevant users.
“Region mismatch”
If you created the app in open.larksuite.com (Lark) but selected Feishu on the Wisteria page (or vice versa), the credentials look valid but the API host won’t accept them. Re-submit with the matching region.
“Permission denied” for specific scopes
The app exists and is published, but one of the read scopes hasn’t been granted. Go back to Permissions & Scopes, confirm all three scopes are added and saved, then re-publish.
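The whitespace and region-mismatch failures above can be caught before you submit the form. The following pre-flight check is an added example, not Wisteria’s code: the function names are hypothetical, the hosts are the ones in the table on this page, and the token endpoint path is an assumption taken from Lark / Feishu’s self-built-app API rather than from this page.

```python
import getpass
import json
import urllib.error
import urllib.request

# API hosts match the developer-console hosts listed on this page.
HOSTS = {"lark": "open.larksuite.com", "feishu": "open.feishu.cn"}
# Assumption: Lark/Feishu's token endpoint for self-built apps (not named on this page).
TOKEN_PATH = "/open-apis/auth/v3/tenant_access_token/internal"


def preflight(region, app_id, app_secret):
    """Offline checks. Returns (problems, cleaned_id, cleaned_secret)."""
    problems = []
    if region not in HOSTS:
        problems.append("region must be 'lark' or 'feishu'")
    cleaned_id, cleaned_secret = app_id.strip(), app_secret.strip()
    if (cleaned_id, cleaned_secret) != (app_id, app_secret):
        problems.append("leading or trailing whitespace in pasted value")
    if not cleaned_id.startswith("cli_"):
        problems.append("App ID does not begin with cli_")
    if not cleaned_secret:
        problems.append("App Secret is empty")
    return problems, cleaned_id, cleaned_secret


def build_token_request(region, app_id, app_secret):
    """Build the HTTPS POST that exchanges the credentials for a tenant token."""
    body = json.dumps({"app_id": app_id, "app_secret": app_secret}).encode()
    url = "https://" + HOSTS[region] + TOKEN_PATH
    headers = {"Content-Type": "application/json; charset=utf-8"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def verify(region, app_id, app_secret):
    """Network call: True when the region's API host accepts the credentials."""
    try:
        req = build_token_request(region, app_id, app_secret)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("code") == 0  # do not log the body: it holds a token
    except urllib.error.HTTPError:
        return False


if __name__ == "__main__":
    region = input("Region (lark/feishu): ").strip().lower()
    # getpass keeps the secret off the screen and out of shell history
    problems, app_id, secret = preflight(region, input("App ID: "), getpass.getpass("App Secret: "))
    print(problems if problems else "accepted" if verify(region, app_id, secret) else "rejected")
```

A credential pair that passes the offline checks but is rejected on one region and accepted on the other points to the region mismatch described above.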
Disconnecting
Two layers:
- Inside Wisteria — your super_admin clicks Disconnect at Settings → Integrations → Lark / Feishu. The encrypted App Secret is deleted from Wisteria’s database; the watcher stops.
- Inside Lark / Feishu — in the developer console, delete the app entirely. Once the app is gone, any credentials Wisteria might hold cease to be valid.
Either is sufficient to stop the watcher. Doing both is the cleanest option.
Security notes
- The App Secret is encrypted with AES-256-GCM at rest in Wisteria’s database. The encryption key never leaves Wisteria’s environment.
- Wisteria never logs the App Secret value.
- All API calls happen server-side from Wisteria’s infrastructure. Your tenant can audit them from the Lark / Feishu admin console.
- The app you create lives in your tenant, not Wisteria’s. You can revoke it instantly at any time.
Coming back to verify
If the App Secret is rotated, or the app is republished after a permission change, your super_admin can re-run verification from Settings → Integrations → Lark / Feishu → Re-verify inside Wisteria. Paste the fresh App Secret; the App ID stays the same.
Lark Docs vs uploaded files
The AI watcher reads two types of content from Lark Drive:
- Uploaded files (PDF, PPT/PPTX, DOCX) — content is extracted and passed to Claude for evaluation.
- Lark Docs (native Lark documents) — content is fetched via Lark’s raw_content endpoint, then evaluated the same way.
If a Lark Doc has restricted access at the document level, the watcher can only read it if the document is visible to the impersonated tenant user. The watcher honours your tenant’s document permissions — it can’t see what your users can’t see.
PDF export from Lark Docs (turning a native Lark Doc into a downloadable PDF for the “Generate course” flow) is on Wisteria’s roadmap for a future release. Until then, Generate works for uploaded PDF/PPT files; Lark Docs are surfaceable as suggestions but not yet directly convertible into course material.