Docs
EN / 中Main siteConsole
Refer friends. Keep the rewards coming!Your friend can unlock up to 10M tokens · earn up to 30% revenue share.
+500K TokensGenerate link

Permission Model

Plugin permission is not a once-granted forever state; the real code filters by tenant, role, scope, status, and market review.

Visibility filters

  • GET /api/v4/plugins: owner/admin tenant plugins with status=APPROVED and is_enabled=true.
  • GET /api/v4/public/plugins: anonymous, but requires status=APPROVED, market_status=APPROVED, and is_enabled=true.
  • GET /api/v4/skill-store: public skills require scope=PUBLIC, status=APPROVED, not deleted, and not archived.
  • GET /api/v4/tools: JWT user or Desktop OAuth with tools scope.

OAuth scope

Desktop OAuth's skills group includes skill_store, tools, and tools:execute. Skill install/certify uses skill_store; tool listing uses tools.

Safety boundary

API keys are encrypted at rest. Public-market readme and usageInstructions are content-checked. Skill upload checks ZIP safety, URLs, schemas, and prompt injection.