diff --git a/crates/openfang-api/src/channel_bridge.rs b/crates/openfang-api/src/channel_bridge.rs
index 7ae5f8416..d4d40a42a 100644
--- a/crates/openfang-api/src/channel_bridge.rs
+++ b/crates/openfang-api/src/channel_bridge.rs
@@ -1576,7 +1576,15 @@ pub async fn start_channel_bridge_with_config(
 
     // DingTalk (webhook mode)
     if let Some(ref dt_config) = config.dingtalk {
-        if let Some(token) = read_token(&dt_config.access_token_env, "DingTalk") {
+        if dt_config.mode == "stream" {
+            if let Some(client_id) = read_token(&dt_config.client_id_env, "DingTalk (client_id)") {
+                let client_secret =
+                    read_token(&dt_config.client_secret_env, "DingTalk (client_secret)")
+                        .unwrap_or_default();
+                let adapter = Arc::new(DingTalkAdapter::new_stream(client_id, client_secret));
+                adapters.push((adapter, dt_config.default_agent.clone()));
+            }
+        } else if let Some(token) = read_token(&dt_config.access_token_env, "DingTalk") {
             let secret = read_token(&dt_config.secret_env, "DingTalk (secret)").unwrap_or_default();
             let adapter = Arc::new(DingTalkAdapter::new(token, secret, dt_config.webhook_port));
             adapters.push((adapter, dt_config.default_agent.clone()));
diff --git a/crates/openfang-api/src/routes.rs b/crates/openfang-api/src/routes.rs
index 5a383d81d..18d8c334e 100644
--- a/crates/openfang-api/src/routes.rs
+++ b/crates/openfang-api/src/routes.rs
@@ -14,7 +14,7 @@ use openfang_kernel::OpenFangKernel;
 use openfang_runtime::kernel_handle::KernelHandle;
 use openfang_runtime::tool_runner::builtin_tool_definitions;
 use openfang_types::agent::{AgentId, AgentIdentity, AgentManifest};
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::sync::{Arc, LazyLock};
 use std::time::Instant;
 
@@ -1893,18 +1893,21 @@ const CHANNEL_REGISTRY: &[ChannelMeta] = &[
     },
     ChannelMeta {
         name: "dingtalk", display_name: "DingTalk", icon: "DT",
-        description: "DingTalk Robot API adapter",
+        description: "DingTalk Robot API adapter (webhook or stream mode)",
         category: "enterprise", difficulty: "Easy", setup_time: "~3 min",
-        quick_setup: "Paste your webhook token and signing secret",
+        quick_setup: "Choose webhook or stream mode, then paste credentials",
         setup_type: "form",
         fields: &[
-            ChannelField { key: "access_token_env", label: "Access Token", field_type: FieldType::Secret, env_var: Some("DINGTALK_ACCESS_TOKEN"), required: true, placeholder: "abc123...", advanced: false },
-            ChannelField { key: "secret_env", label: "Signing Secret", field_type: FieldType::Secret, env_var: Some("DINGTALK_SECRET"), required: true, placeholder: "SEC...", advanced: false },
+            ChannelField { key: "mode", label: "Mode", field_type: FieldType::Text, env_var: None, required: false, placeholder: "webhook or stream", advanced: false },
+            ChannelField { key: "access_token_env", label: "Access Token (webhook)", field_type: FieldType::Secret, env_var: Some("DINGTALK_ACCESS_TOKEN"), required: false, placeholder: "abc123...", advanced: false },
+            ChannelField { key: "secret_env", label: "Signing Secret (webhook)", field_type: FieldType::Secret, env_var: Some("DINGTALK_SECRET"), required: false, placeholder: "SEC...", advanced: false },
             ChannelField { key: "webhook_port", label: "Webhook Port", field_type: FieldType::Number, env_var: None, required: false, placeholder: "8457", advanced: true },
+            ChannelField { key: "client_id_env", label: "Client ID / AppKey (stream)", field_type: FieldType::Secret, env_var: Some("DINGTALK_CLIENT_ID"), required: false, placeholder: "dingxxx...", advanced: false },
+            ChannelField { key: "client_secret_env", label: "Client Secret / AppSecret (stream)", field_type: FieldType::Secret, env_var: Some("DINGTALK_CLIENT_SECRET"), required: false, placeholder: "abc123...", advanced: false },
             ChannelField { key: "default_agent", label: "Default Agent", field_type: FieldType::Text, env_var: None, required: false, placeholder: "assistant", advanced: true },
         ],
-        setup_steps: &["Create a robot in your DingTalk group", "Copy the token and signing secret", "Paste them below"],
-        config_template: "[channels.dingtalk]\naccess_token_env = \"DINGTALK_ACCESS_TOKEN\"\nsecret_env = \"DINGTALK_SECRET\"",
+        setup_steps: &["Create a robot in DingTalk", "Choose mode: webhook (needs public IP) or stream (no public IP needed)", "For webhook: copy token and signing secret", "For stream: copy Client ID and Client Secret from the app page"],
+        config_template: "[channels.dingtalk]\nmode = \"stream\"\nclient_id_env = \"DINGTALK_CLIENT_ID\"\nclient_secret_env = \"DINGTALK_CLIENT_SECRET\"",
     },
     ChannelMeta {
         name: "dingtalk_stream", display_name: "DingTalk Stream", icon: "DS",
@@ -2575,8 +2578,63 @@ pub async fn configure_channel(
     let secrets_path = home.join("secrets.env");
     let config_path = home.join("config.toml");
     let mut config_fields: HashMap<String, (String, FieldType)> = HashMap::new();
+    let mut allowed_keys: Option<HashSet<&'static str>> = None;
+
+    if name == "dingtalk" {
+        let mode = match fields.get("mode").and_then(|v| v.as_str()) {
+            Some("webhook") | None => "webhook",
+            Some("stream") => "stream",
+            Some(_) => {
+                return (
+                    StatusCode::BAD_REQUEST,
+                    Json(serde_json::json!({"error": "DingTalk mode must be 'webhook' or 'stream'"})),
+                )
+            }
+        };
+
+        let allowed: HashSet<&'static str> = if mode == "stream" {
+            ["mode", "default_agent", "client_id_env", "client_secret_env"]
+                .into_iter()
+                .collect()
+        } else {
+            [
+                "mode",
+                "default_agent",
+                "access_token_env",
+                "secret_env",
+                "webhook_port",
+            ]
+            .into_iter()
+            .collect()
+        };
+        allowed_keys = Some(allowed);
+        config_fields.insert("mode".to_string(), (mode.to_string(), FieldType::Text));
+
+        let inactive_secret_keys = if mode == "stream" {
+            ["DINGTALK_ACCESS_TOKEN", "DINGTALK_SECRET"]
+        } else {
+            ["DINGTALK_CLIENT_ID", "DINGTALK_CLIENT_SECRET"]
+        };
+        for env_key in inactive_secret_keys {
+            if let Err(e) = remove_secret_env(&secrets_path, env_key) {
+                return (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    Json(serde_json::json!({"error": format!("Failed to remove stale secret: {e}")})),
+                );
+            }
+            unsafe {
+                std::env::remove_var(env_key);
+            }
+        }
+    }
 
     for field_def in meta.fields {
+        if let Some(allowed) = &allowed_keys {
+            if !allowed.contains(field_def.key) {
+                continue;
+            }
+        }
+
         let value = fields
             .get(field_def.key)
             .and_then(|v| v.as_str())
diff --git a/crates/openfang-api/static/index_body.html b/crates/openfang-api/static/index_body.html
index f9e5dffbf..b73f6b5dc 100644
--- a/crates/openfang-api/static/index_body.html
+++ b/crates/openfang-api/static/index_body.html
@@ -2107,6 +2107,21 @@ <h3 style="display:flex;align-items:center;gap:0.5rem">
                       </ol>
                     </details>
 
+                    <!-- DingTalk mode selector -->
+                    <div x-show="isDingTalkChannel()" class="mb-3">
+                      <label class="text-sm" style="display:block;margin-bottom:0.5rem">Connection mode</label>
+                      <div class="flex gap-2" style="flex-wrap:wrap">
+                        <label class="btn btn-ghost btn-sm" :class="{ 'btn-primary': dingTalkMode() === 'webhook' }" style="display:flex;align-items:center;gap:0.4rem;cursor:pointer">
+                          <input type="radio" name="dingtalk-mode" value="webhook" :checked="dingTalkMode() === 'webhook'" @change="updateDingTalkMode('webhook')">
+                          <span>Webhook</span>
+                        </label>
+                        <label class="btn btn-ghost btn-sm" :class="{ 'btn-primary': dingTalkMode() === 'stream' }" style="display:flex;align-items:center;gap:0.4rem;cursor:pointer">
+                          <input type="radio" name="dingtalk-mode" value="stream" :checked="dingTalkMode() === 'stream'" @change="updateDingTalkMode('stream')">
+                          <span>Stream</span>
+                        </label>
+                      </div>
+                    </div>
+
                     <!-- Basic fields only (the minimum to get started) -->
                     <template x-for="f in (isQrChannel() && showBusinessApi) ? advancedFields() : basicFields()" :key="f.key">
                       <div style="margin-bottom:0.75rem">
diff --git a/crates/openfang-api/static/js/pages/channels.js b/crates/openfang-api/static/js/pages/channels.js
index 84568e7e5..61cd907a3 100644
--- a/crates/openfang-api/static/js/pages/channels.js
+++ b/crates/openfang-api/static/js/pages/channels.js
@@ -67,14 +67,35 @@ function channelsPage() {
       return configured.length + '/' + all.length;
     },
 
-    basicFields() {
+    isDingTalkChannel() {
+      return this.setupModal && this.setupModal.name === 'dingtalk';
+    },
+
+    dingTalkMode() {
+      if (!this.isDingTalkChannel()) return '';
+      return this.formValues.mode === 'stream' ? 'stream' : 'webhook';
+    },
+
+    visibleFields() {
       if (!this.setupModal || !this.setupModal.fields) return [];
-      return this.setupModal.fields.filter(function(f) { return !f.advanced; });
+      var fields = this.setupModal.fields;
+      if (!this.isDingTalkChannel()) return fields;
+      var mode = this.dingTalkMode();
+      return fields.filter(function(f) {
+        if (f.key === 'mode' || f.key === 'default_agent') return true;
+        if (mode === 'stream') {
+          return f.key === 'client_id_env' || f.key === 'client_secret_env';
+        }
+        return f.key === 'access_token_env' || f.key === 'secret_env' || f.key === 'webhook_port';
+      });
+    },
+
+    basicFields() {
+      return this.visibleFields().filter(function(f) { return !f.advanced; });
     },
 
     advancedFields() {
-      if (!this.setupModal || !this.setupModal.fields) return [];
-      return this.setupModal.fields.filter(function(f) { return f.advanced; });
+      return this.visibleFields().filter(function(f) { return f.advanced; });
     },
 
     hasAdvanced() {
@@ -150,6 +171,9 @@ function channelsPage() {
           }
         });
       }
+      if (ch.name === 'dingtalk') {
+        vals.mode = vals.mode === 'stream' ? 'stream' : 'webhook';
+      }
       this.formValues = vals;
       this.showAdvanced = false;
       this.showBusinessApi = false;
@@ -162,6 +186,39 @@ function channelsPage() {
       }
     },
 
+    updateDingTalkMode(mode) {
+      if (!this.isDingTalkChannel()) return;
+      this.formValues.mode = mode === 'stream' ? 'stream' : 'webhook';
+      if (this.formValues.mode === 'stream') {
+        delete this.formValues.access_token_env;
+        delete this.formValues.secret_env;
+        delete this.formValues.webhook_port;
+      } else {
+        delete this.formValues.client_id_env;
+        delete this.formValues.client_secret_env;
+      }
+    },
+
+    buildChannelPayload() {
+      if (!this.isDingTalkChannel()) {
+        return { fields: this.formValues };
+      }
+      var mode = this.dingTalkMode();
+      var payloadFields = { mode: mode };
+      if (this.formValues.default_agent !== undefined && this.formValues.default_agent !== null) {
+        payloadFields.default_agent = this.formValues.default_agent;
+      }
+      if (mode === 'stream') {
+        if (this.formValues.client_id_env !== undefined) payloadFields.client_id_env = this.formValues.client_id_env;
+        if (this.formValues.client_secret_env !== undefined) payloadFields.client_secret_env = this.formValues.client_secret_env;
+      } else {
+        if (this.formValues.access_token_env !== undefined) payloadFields.access_token_env = this.formValues.access_token_env;
+        if (this.formValues.secret_env !== undefined) payloadFields.secret_env = this.formValues.secret_env;
+        if (this.formValues.webhook_port !== undefined) payloadFields.webhook_port = this.formValues.webhook_port;
+      }
+      return { fields: payloadFields };
+    },
+
     // ── QR Code Flow (WhatsApp Web style) ──────────────────────────
 
     resetQR() {
@@ -230,9 +287,7 @@ function channelsPage() {
       var name = this.setupModal.name;
       this.configuring = true;
       try {
-        await OpenFangAPI.post('/api/channels/' + name + '/configure', {
-          fields: this.formValues
-        });
+        await OpenFangAPI.post('/api/channels/' + name + '/configure', this.buildChannelPayload());
         this.setupStep = 2;
         // Auto-test after save
         try {
diff --git a/crates/openfang-channels/src/dingtalk.rs b/crates/openfang-channels/src/dingtalk.rs
index 1875927a6..3b3db1c76 100644
--- a/crates/openfang-channels/src/dingtalk.rs
+++ b/crates/openfang-channels/src/dingtalk.rs
@@ -1,15 +1,20 @@
 //! DingTalk Robot channel adapter.
 //!
-//! Integrates with the DingTalk (Alibaba) custom robot API. Incoming messages
-//! are received via an HTTP webhook callback server, and outbound messages are
-//! posted to the robot send endpoint with HMAC-SHA256 signature verification.
+//! Supports two modes for receiving messages:
+//! - **Webhook mode** (default): Listens on a local HTTP port for DingTalk callbacks.
+//!   Requires a public-facing URL (nginx, tunnel, etc.).
+//! - **Stream mode**: Opens a WebSocket long-connection to DingTalk's gateway.
+//!   No public IP or port required — ideal for NAT/internal deployments.
+//!
+//! Outbound messages are posted via the Robot Send API (webhook mode) or the
+//! DingTalk Open API reply endpoint (stream mode).
 
 use crate::types::{
     split_message, ChannelAdapter, ChannelContent, ChannelMessage, ChannelType, ChannelUser,
 };
 use async_trait::async_trait;
 use chrono::Utc;
-use futures::Stream;
+use futures::{SinkExt, Stream, StreamExt};
 use std::collections::HashMap;
 use std::pin::Pin;
 use std::sync::Arc;
@@ -20,18 +25,31 @@ use zeroize::Zeroizing;
 
 const MAX_MESSAGE_LEN: usize = 20000;
 const DINGTALK_SEND_URL: &str = "https://oapi.dingtalk.com/robot/send";
+const DINGTALK_GATEWAY_URL: &str = "https://api.dingtalk.com/v1.0/gateway/connections/open";
+/// Connection mode for the DingTalk adapter.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum DingTalkMode {
+    /// HTTP webhook callback mode — requires a public-facing port.
+    Webhook,
+    /// WebSocket stream mode — no public IP needed.
+    Stream,
+}
 
 /// DingTalk Robot channel adapter.
-///
-/// Uses a webhook listener to receive incoming messages from DingTalk
-/// conversations and posts replies via the signed Robot Send API.
 pub struct DingTalkAdapter {
+    mode: DingTalkMode,
+    // ── Webhook mode fields ──
     /// SECURITY: Robot access token is zeroized on drop.
     access_token: Zeroizing<String>,
     /// SECURITY: Signing secret for HMAC-SHA256 verification.
     secret: Zeroizing<String>,
     /// Port for the incoming webhook HTTP server.
     webhook_port: u16,
+    // ── Stream mode fields ──
+    /// SECURITY: Client ID (AppKey) for stream mode.
+    client_id: Zeroizing<String>,
+    /// SECURITY: Client Secret (AppSecret) for stream mode.
+    client_secret: Zeroizing<String>,
     /// HTTP client for outbound requests.
     client: reqwest::Client,
     /// Shutdown signal.
@@ -40,24 +58,40 @@ pub struct DingTalkAdapter {
 }
 
 impl DingTalkAdapter {
-    /// Create a new DingTalk Robot adapter.
-    ///
-    /// # Arguments
-    /// * `access_token` - Robot access token from DingTalk.
-    /// * `secret` - Signing secret for request verification.
-    /// * `webhook_port` - Local port to listen for DingTalk callbacks.
+    /// Create a new DingTalk Robot adapter in **webhook** mode.
     pub fn new(access_token: String, secret: String, webhook_port: u16) -> Self {
         let (shutdown_tx, shutdown_rx) = watch::channel(false);
         Self {
+            mode: DingTalkMode::Webhook,
             access_token: Zeroizing::new(access_token),
             secret: Zeroizing::new(secret),
             webhook_port,
+            client_id: Zeroizing::new(String::new()),
+            client_secret: Zeroizing::new(String::new()),
+            client: reqwest::Client::new(),
+            shutdown_tx: Arc::new(shutdown_tx),
+            shutdown_rx,
+        }
+    }
+
+    /// Create a new DingTalk Robot adapter in **stream** mode.
+    pub fn new_stream(client_id: String, client_secret: String) -> Self {
+        let (shutdown_tx, shutdown_rx) = watch::channel(false);
+        Self {
+            mode: DingTalkMode::Stream,
+            access_token: Zeroizing::new(String::new()),
+            secret: Zeroizing::new(String::new()),
+            webhook_port: 0,
+            client_id: Zeroizing::new(client_id),
+            client_secret: Zeroizing::new(client_secret),
             client: reqwest::Client::new(),
             shutdown_tx: Arc::new(shutdown_tx),
             shutdown_rx,
         }
     }
 
+    // ── Webhook helpers ──
+
     /// Compute the HMAC-SHA256 signature for a DingTalk request.
     ///
     /// DingTalk signature = Base64(HMAC-SHA256(secret, timestamp + "\n" + secret))
@@ -104,6 +138,16 @@ impl DingTalkAdapter {
         )
     }
 
+    fn stream_reply_url(&self, user: &ChannelUser) -> Option<String> {
+        user.openfang_user.as_ref().and_then(|v| {
+            if v.is_empty() {
+                None
+            } else {
+                Some(v.clone())
+            }
+        })
+    }
+
     /// Parse a DingTalk webhook JSON body into extracted fields.
     fn parse_callback(body: &serde_json::Value) -> Option<(String, String, String, String, bool)> {
         let msg_type = body["msgtype"].as_str()?;
@@ -122,19 +166,153 @@ impl DingTalkAdapter {
 
         Some((text, sender_id, sender_nick, conversation_id, is_group))
     }
-}
 
-#[async_trait]
-impl ChannelAdapter for DingTalkAdapter {
-    fn name(&self) -> &str {
-        "dingtalk"
+    // ── Stream mode helpers ──
+
+    /// Register a WebSocket connection with the DingTalk gateway.
+    /// Returns `(ws_endpoint, ticket)` on success.
+    async fn register_stream_connection(
+        client: &reqwest::Client,
+        client_id: &str,
+        client_secret: &str,
+    ) -> Result<(String, String), Box<dyn std::error::Error + Send + Sync>> {
+        let body = serde_json::json!({
+            "clientId": client_id,
+            "clientSecret": client_secret,
+            "subscriptions": [
+                { "type": "CALLBACK", "topic": "/v1.0/im/bot/messages/get" }
+            ],
+            "ua": "openfang"
+        });
+
+        let resp = client
+            .post(DINGTALK_GATEWAY_URL)
+            .json(&body)
+            .timeout(Duration::from_secs(15))
+            .send()
+            .await?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let err_body = resp.text().await.unwrap_or_default();
+            return Err(format!("DingTalk gateway registration failed ({status}): {err_body}").into());
+        }
+
+        let result: serde_json::Value = resp.json().await?;
+        info!(response = %result, "DingTalk stream: gateway registration response");
+        let endpoint = result["endpoint"]
+            .as_str()
+            .ok_or("DingTalk gateway: missing endpoint in response")?
+            .to_string();
+        let ticket = result["ticket"]
+            .as_str()
+            .ok_or("DingTalk gateway: missing ticket in response")?
+            .to_string();
+
+        Ok((endpoint, ticket))
     }
 
-    fn channel_type(&self) -> ChannelType {
-        ChannelType::Custom("dingtalk".to_string())
+    /// Parse a stream event payload into a ChannelMessage.
+    fn parse_stream_event(data: &serde_json::Value) -> Option<ChannelMessage> {
+        // Stream events have a wrapper with headers + payload.
+        // The actual message data is in the "data" field as a JSON string.
+        let data_str = data["data"].as_str()?;
+        let payload: serde_json::Value = serde_json::from_str(data_str).ok()?;
+
+        let msg_type = payload["msgtype"].as_str().unwrap_or("text");
+        info!(payload = %payload, "DingTalk stream: parsed callback payload");
+        let text = match msg_type {
+            "text" => payload["text"]["content"]
+                .as_str()
+                .unwrap_or("")
+                .trim()
+                .to_string(),
+            _ => return None,
+        };
+        if text.is_empty() {
+            return None;
+        }
+
+        let sender_id = payload["senderStaffId"]
+            .as_str()
+            .or_else(|| payload["senderId"].as_str())
+            .unwrap_or("unknown")
+            .to_string();
+        let sender_nick = payload["senderNick"].as_str().unwrap_or("Unknown").to_string();
+        let session_webhook = payload["sessionWebhook"].as_str().unwrap_or("").to_string();
+        let session_webhook_expired_time = payload["sessionWebhookExpiredTime"]
+            .as_i64()
+            .unwrap_or_default();
+        let conversation_id = payload["conversationId"]
+            .as_str()
+            .unwrap_or("")
+            .to_string();
+        let is_group = payload["conversationType"].as_str() == Some("2");
+        let was_mentioned = payload["isInAtList"].as_bool().unwrap_or_else(|| {
+            payload["atUsers"]
+                .as_array()
+                .map(|users| !users.is_empty())
+                .unwrap_or(false)
+        });
+
+        let content = if text.starts_with('/') {
+            let parts: Vec<&str> = text.splitn(2, ' ').collect();
+            let cmd = parts[0].trim_start_matches('/');
+            let args: Vec<String> = parts
+                .get(1)
+                .map(|a| a.split_whitespace().map(String::from).collect())
+                .unwrap_or_default();
+            ChannelContent::Command {
+                name: cmd.to_string(),
+                args,
+            }
+        } else {
+            ChannelContent::Text(text)
+        };
+
+        Some(ChannelMessage {
+            channel: ChannelType::Custom("dingtalk".to_string()),
+            platform_message_id: payload["msgId"]
+                .as_str()
+                .or_else(|| data["headers"]["messageId"].as_str())
+                .map(str::to_string)
+                .unwrap_or_else(|| format!("dt-{}", Utc::now().timestamp_millis())),
+            sender: ChannelUser {
+                platform_id: sender_id,
+                display_name: sender_nick,
+                openfang_user: if session_webhook.is_empty() {
+                    None
+                } else {
+                    Some(session_webhook)
+                },
+            },
+            content,
+            target_agent: None,
+            timestamp: Utc::now(),
+            is_group,
+            thread_id: None,
+            metadata: {
+                let mut m = HashMap::new();
+                m.insert(
+                    "conversation_id".to_string(),
+                    serde_json::Value::String(conversation_id),
+                );
+                if session_webhook_expired_time > 0 {
+                    m.insert(
+                        "session_webhook_expired_time".to_string(),
+                        serde_json::Value::Number(session_webhook_expired_time.into()),
+                    );
+                }
+                if was_mentioned {
+                    m.insert("was_mentioned".to_string(), serde_json::Value::Bool(true));
+                }
+                m
+            },
+        })
     }
 
-    async fn start(
+    /// Start the webhook-based listener (original behavior).
+    async fn start_webhook(
         &self,
     ) -> Result<Pin<Box<dyn Stream<Item = ChannelMessage> + Send>>, Box<dyn std::error::Error>>
     {
@@ -192,7 +370,9 @@ impl ChannelAdapter for DingTalkAdapter {
                                     let cmd = parts[0].trim_start_matches('/');
                                     let args: Vec<String> = parts
                                         .get(1)
-                                        .map(|a| a.split_whitespace().map(String::from).collect())
+                                        .map(|a| {
+                                            a.split_whitespace().map(String::from).collect()
+                                        })
                                         .unwrap_or_default();
                                     ChannelContent::Command {
                                         name: cmd.to_string(),
@@ -267,9 +447,219 @@ impl ChannelAdapter for DingTalkAdapter {
         Ok(Box::pin(tokio_stream::wrappers::ReceiverStream::new(rx)))
     }
 
+    /// Start the stream-based WebSocket listener.
+    async fn start_stream(
+        &self,
+    ) -> Result<Pin<Box<dyn Stream<Item = ChannelMessage> + Send>>, Box<dyn std::error::Error>>
+    {
+        let (tx, rx) = mpsc::channel::<ChannelMessage>(256);
+        let client = self.client.clone();
+        let client_id = self.client_id.clone();
+        let client_secret = self.client_secret.clone();
+        let mut shutdown_rx = self.shutdown_rx.clone();
+
+        info!("DingTalk adapter starting in stream mode (WebSocket long-connection)");
+
+        tokio::spawn(async move {
+            // Reconnect loop — re-registers and reconnects on disconnection.
+            loop {
+                // Check shutdown before attempting connection
+                if *shutdown_rx.borrow() {
+                    break;
+                }
+
+                // Step 1: Register with the gateway to get a WebSocket endpoint + ticket.
+                let (endpoint, ticket) =
+                    match Self::register_stream_connection(&client, &client_id, &client_secret)
+                        .await
+                    {
+                        Ok(v) => v,
+                        Err(e) => {
+                            warn!("DingTalk stream: gateway registration failed: {e}");
+                            // Back off before retrying.
+                            tokio::select! {
+                                _ = tokio::time::sleep(Duration::from_secs(10)) => continue,
+                                _ = shutdown_rx.changed() => break,
+                            }
+                        }
+                    };
+
+                info!("DingTalk stream: registered, connecting to WebSocket");
+
+                // Step 2: Build WebSocket URL with ticket as query param.
+                let ws_url = format!("{}?ticket={}", endpoint, ticket);
+
+                let ws_stream = match tokio_tungstenite::connect_async(&ws_url).await {
+                    Ok((stream, _)) => stream,
+                    Err(e) => {
+                        warn!("DingTalk stream: WebSocket connection failed: {e}");
+                        tokio::select! {
+                            _ = tokio::time::sleep(Duration::from_secs(10)) => continue,
+                            _ = shutdown_rx.changed() => break,
+                        }
+                    }
+                };
+
+                info!("DingTalk stream: WebSocket connected");
+
+                let (mut ws_write, mut ws_read) = ws_stream.split();
+
+                // Step 3: Read messages from the WebSocket.
+                loop {
+                    tokio::select! {
+                        msg = ws_read.next() => {
+                            match msg {
+                                Some(Ok(tokio_tungstenite::tungstenite::Message::Text(text))) => {
+                                    info!("DingTalk stream: received text frame: {}", &text[..text.len().min(500)]);
+
+                                    match serde_json::from_str::<serde_json::Value>(&text) {
+                                        Ok(frame) => {
+                                            let frame_type = frame["type"].as_str().unwrap_or("");
+                                            let topic = frame["headers"]["topic"].as_str().unwrap_or("");
+                                            let msg_id = frame["headers"]["messageId"].as_str().unwrap_or("");
+                                            info!(frame_type, topic, msg_id, frame = %frame, "DingTalk stream: received frame");
+
+                                            match frame_type {
+                                                "SYSTEM" => {
+                                                    // System events: ping/pong heartbeat
+                                                    let topic = frame["headers"]["topic"].as_str().unwrap_or("");
+                                                    if topic == "ping" {
+                                                        let msg_id = frame["headers"]["messageId"]
+                                                            .as_str()
+                                                            .unwrap_or("");
+                                                        let pong = serde_json::json!({
+                                                            "code": 200,
+                                                            "headers": {
+                                                                "contentType": "application/json",
+                                                                "messageId": msg_id,
+                                                            },
+                                                            "message": "OK",
+                                                            "data": frame["data"],
+                                                        });
+                                                        if let Err(e) = ws_write
+                                                            .send(tokio_tungstenite::tungstenite::Message::Text(
+                                                                pong.to_string(),
+                                                            ))
+                                                            .await
+                                                        {
+                                                            warn!("DingTalk stream: failed to send pong: {e}");
+                                                            break;
+                                                        }
+                                                        info!("DingTalk stream: pong sent");
+                                                    }
+                                                }
+                                                "CALLBACK" => {
+                                                    // Bot message callback
+                                                    let msg_id = frame["headers"]["messageId"]
+                                                        .as_str()
+                                                        .unwrap_or("")
+                                                        .to_string();
+
+                                                    if let Some(channel_msg) =
+                                                        Self::parse_stream_event(&frame)
+                                                    {
+                                                        let _ = tx.send(channel_msg).await;
+                                                    }
+
+                                                    // ACK the message so DingTalk doesn't redeliver.
+                                                    let ack = serde_json::json!({
+                                                        "code": 200,
+                                                        "headers": {
+                                                            "contentType": "application/json",
+                                                            "messageId": msg_id,
+                                                        },
+                                                        "message": "OK",
+                                                        "data": "{\"response\": null}",
+                                                    });
+                                                    if let Err(e) = ws_write
+                                                        .send(tokio_tungstenite::tungstenite::Message::Text(
+                                                            ack.to_string(),
+                                                        ))
+                                                        .await
+                                                    {
+                                                        warn!("DingTalk stream: failed to send ACK: {e}");
+                                                        break;
+                                                    }
+                                                }
+                                                _ => {
+                                                    info!(frame_type, topic, "DingTalk stream: unhandled frame type/topic");
+                                                }
+                                            }
+                                        }
+                                        Err(e) => {
+                                            warn!("DingTalk stream: invalid JSON frame: {e}");
+                                        }
+                                    }
+                                }
+                                Some(Ok(tokio_tungstenite::tungstenite::Message::Ping(payload))) => {
+                                    let _ = ws_write
+                                        .send(tokio_tungstenite::tungstenite::Message::Pong(payload))
+                                        .await;
+                                }
+                                Some(Ok(tokio_tungstenite::tungstenite::Message::Pong(_))) => {}
+                                Some(Ok(tokio_tungstenite::tungstenite::Message::Close(_))) => {
+                                    info!("DingTalk stream: WebSocket closed by server, reconnecting...");
+                                    break;
+                                }
+                                Some(Err(e)) => {
+                                    warn!("DingTalk stream: WebSocket error: {e}");
+                                    break;
+                                }
+                                None => {
+                                    info!("DingTalk stream: WebSocket stream ended, reconnecting...");
+                                    break;
+                                }
+                                _ => {}
+                            }
+                        }
+                        _ = shutdown_rx.changed() => {
+                            info!("DingTalk stream adapter shutting down");
+                            let _ = ws_write
+                                .send(tokio_tungstenite::tungstenite::Message::Close(None))
+                                .await;
+                            return;
+                        }
+                    }
+                }
+
+                // Brief delay before reconnecting.
+                tokio::select! {
+                    _ = tokio::time::sleep(Duration::from_secs(3)) => {}
+                    _ = shutdown_rx.changed() => break,
+                }
+                info!("DingTalk stream: reconnecting...");
+            }
+
+            info!("DingTalk stream adapter stopped");
+        });
+
+        Ok(Box::pin(tokio_stream::wrappers::ReceiverStream::new(rx)))
+    }
+}
+
+#[async_trait]
+impl ChannelAdapter for DingTalkAdapter {
+    fn name(&self) -> &str {
+        "dingtalk"
+    }
+
+    fn channel_type(&self) -> ChannelType {
+        ChannelType::Custom("dingtalk".to_string())
+    }
+
+    async fn start(
+        &self,
+    ) -> Result<Pin<Box<dyn Stream<Item = ChannelMessage> + Send>>, Box<dyn std::error::Error>>
+    {
+        match self.mode {
+            DingTalkMode::Webhook => self.start_webhook().await,
+            DingTalkMode::Stream => self.start_stream().await,
+        }
+    }
+
     async fn send(
         &self,
-        _user: &ChannelUser,
+        user: &ChannelUser,
         content: ChannelContent,
     ) -> Result<(), Box<dyn std::error::Error>> {
         let text = match content {
@@ -281,7 +671,12 @@ impl ChannelAdapter for DingTalkAdapter {
         let num_chunks = chunks.len();
 
         for chunk in chunks {
-            let url = self.build_send_url();
+            let url = match self.mode {
+                DingTalkMode::Webhook => self.build_send_url(),
+                DingTalkMode::Stream => self
+                    .stream_reply_url(user)
+                    .ok_or("DingTalk stream reply missing sessionWebhook")?,
+            };
             let body = serde_json::json!({
                 "msgtype": "text",
                 "text": {
@@ -297,17 +692,17 @@ impl ChannelAdapter for DingTalkAdapter {
                 return Err(format!("DingTalk API error {status}: {err_body}").into());
             }
 
-            // DingTalk returns {"errcode": 0, "errmsg": "ok"} on success
             let result: serde_json::Value = resp.json().await?;
-            if result["errcode"].as_i64() != Some(0) {
-                return Err(format!(
-                    "DingTalk error: {}",
-                    result["errmsg"].as_str().unwrap_or("unknown")
-                )
-                .into());
+            if self.mode == DingTalkMode::Webhook {
+                if result["errcode"].as_i64() != Some(0) {
+                    return Err(format!(
+                        "DingTalk error: {}",
+                        result["errmsg"].as_str().unwrap_or("unknown")
+                    )
+                    .into());
+                }
             }
 
-            // Rate limit: small delay between chunks
             if num_chunks > 1 {
                 tokio::time::sleep(Duration::from_millis(200)).await;
             }
@@ -332,16 +727,25 @@ mod tests {
     use super::*;
 
     #[test]
-    fn test_dingtalk_adapter_creation() {
+    fn test_dingtalk_adapter_creation_webhook() {
         let adapter =
             DingTalkAdapter::new("test-token".to_string(), "test-secret".to_string(), 8080);
         assert_eq!(adapter.name(), "dingtalk");
+        assert_eq!(adapter.mode, DingTalkMode::Webhook);
         assert_eq!(
             adapter.channel_type(),
             ChannelType::Custom("dingtalk".to_string())
         );
     }
 
+    #[test]
+    fn test_dingtalk_adapter_creation_stream() {
+        let adapter =
+            DingTalkAdapter::new_stream("client-id".to_string(), "client-secret".to_string());
+        assert_eq!(adapter.name(), "dingtalk");
+        assert_eq!(adapter.mode, DingTalkMode::Stream);
+    }
+
     #[test]
     fn test_dingtalk_signature_computation() {
         let timestamp: i64 = 1700000000000;
@@ -422,4 +826,121 @@ mod tests {
         assert!(url.contains("timestamp="));
         assert!(url.contains("sign="));
     }
+
+    #[test]
+    fn test_dingtalk_parse_stream_event() {
+        let data_payload = serde_json::json!({
+            "msgtype": "text",
+            "text": { "content": "Hello from stream" },
+            "senderStaffId": "staff123",
+            "senderNick": "StreamUser",
+            "conversationId": "conv789",
+            "conversationType": "1",
+        });
+        let frame = serde_json::json!({
+            "type": "CALLBACK",
+            "data": data_payload.to_string(),
+        });
+        let result = DingTalkAdapter::parse_stream_event(&frame);
+        assert!(result.is_some());
+        let msg = result.unwrap();
+        assert_eq!(msg.sender.platform_id, "staff123");
+        assert_eq!(msg.sender.display_name, "StreamUser");
+        assert!(!msg.is_group);
+        match msg.content {
+            ChannelContent::Text(t) => assert_eq!(t, "Hello from stream"),
+            _ => panic!("Expected text content"),
+        }
+    }
+
+    #[test]
+    fn test_dingtalk_parse_stream_event_command() {
+        let data_payload = serde_json::json!({
+            "msgtype": "text",
+            "text": { "content": "/help arg1 arg2" },
+            "senderStaffId": "s1",
+            "senderNick": "Cmd",
+            "conversationId": "c1",
+            "conversationType": "2",
+        });
+        let frame = serde_json::json!({
+            "type": "CALLBACK",
+            "data": data_payload.to_string(),
+        });
+        let result = DingTalkAdapter::parse_stream_event(&frame);
+        assert!(result.is_some());
+        let msg = result.unwrap();
+        assert!(msg.is_group);
+        match msg.content {
+            ChannelContent::Command { name, args } => {
+                assert_eq!(name, "help");
+                assert_eq!(args, vec!["arg1", "arg2"]);
+            }
+            _ => panic!("Expected command content"),
+        }
+    }
+
+    #[test]
+    fn test_dingtalk_parse_stream_event_preserves_message_id_and_mentions() {
+        let data_payload = serde_json::json!({
+            "msgtype": "text",
+            "msgId": "msg-123",
+            "text": { "content": "@openfang hello" },
+            "senderStaffId": "s1",
+            "senderNick": "Mentioned",
+            "conversationId": "c1",
+            "conversationType": "2",
+            "isInAtList": true,
+            "atUsers": [{ "dingtalkId": "$:LWCP_v1:$abc" }],
+        });
+        let frame = serde_json::json!({
+            "type": "CALLBACK",
+            "headers": {
+                "messageId": "frame-456",
+            },
+            "data": data_payload.to_string(),
+        });
+        let result = DingTalkAdapter::parse_stream_event(&frame);
+        assert!(result.is_some());
+        let msg = result.unwrap();
+        assert_eq!(msg.platform_message_id, "msg-123");
+        assert_eq!(
+            msg.metadata.get("was_mentioned").and_then(|v| v.as_bool()),
+            Some(true)
+        );
+    }
+
+    #[test]
+    fn test_dingtalk_parse_stream_event_empty_text() {
+        let data_payload = serde_json::json!({
+            "msgtype": "text",
+            "text": { "content": "   " },
+            "senderStaffId": "s1",
+            "senderNick": "Empty",
+            "conversationId": "c1",
+            "conversationType": "1",
+        });
+        let frame = serde_json::json!({
+            "type": "CALLBACK",
+            "data": data_payload.to_string(),
+        });
+        assert!(DingTalkAdapter::parse_stream_event(&frame).is_none());
+    }
+
+    #[test]
+    fn test_dingtalk_parse_stream_event_unsupported_type() {
+        let data_payload = serde_json::json!({
+            "msgtype": "image",
+            "image": {},
+            "senderStaffId": "s1",
+            "senderNick": "Img",
+            "conversationId": "c1",
+            "conversationType": "1",
+        });
+        let frame = serde_json::json!({
+            "type": "CALLBACK",
+            "data": data_payload.to_string(),
+        });
+        assert!(DingTalkAdapter::parse_stream_event(&frame).is_none());
+    }
 }
diff --git a/crates/openfang-cli/src/tui/screens/channels.rs b/crates/openfang-cli/src/tui/screens/channels.rs
index 8a07e45b8..72c613072 100644
--- a/crates/openfang-cli/src/tui/screens/channels.rs
+++ b/crates/openfang-cli/src/tui/screens/channels.rs
@@ -199,6 +199,8 @@ const CHANNEL_DEFS: &[ChannelDef] = &[
         name: "dingtalk",
         display_name: "DingTalk",
         category: "Enterprise",
+        env_vars: &["DINGTALK_ACCESS_TOKEN", "DINGTALK_SECRET", "DINGTALK_CLIENT_ID", "DINGTALK_CLIENT_SECRET"],
+        description: "DingTalk Robot API adapter (webhook or stream mode)",
         env_vars: &["DINGTALK_ACCESS_TOKEN", "DINGTALK_SECRET"],
         description: "DingTalk Robot API adapter (webhook mode)",
     },
diff --git a/crates/openfang-types/src/config.rs b/crates/openfang-types/src/config.rs
index c43737211..58f163883 100644
--- a/crates/openfang-types/src/config.rs
+++ b/crates/openfang-types/src/config.rs
@@ -2780,15 +2780,28 @@ impl Default for MumbleConfig {
 }
 
 /// DingTalk Robot API channel adapter configuration.
+///
+/// Supports two modes:
+/// - `"webhook"` (default): Receives messages via HTTP callback. Requires a public-facing port.
+/// - `"stream"`: Connects to DingTalk via WebSocket long-connection. No public IP/port needed.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(default)]
 pub struct DingTalkConfig {
-    /// Env var name holding the webhook access token.
+    /// Connection mode: `"webhook"` or `"stream"`.
+    pub mode: String,
+    /// Env var name holding the webhook access token (webhook mode).
     pub access_token_env: String,
-    /// Env var name holding the signing secret.
+    /// Env var name holding the signing secret (webhook mode).
     pub secret_env: String,
-    /// Port for the incoming webhook.
+    /// Port for the incoming webhook (webhook mode only).
     pub webhook_port: u16,
+    /// Env var name holding the Client ID / AppKey (stream mode).
+    pub client_id_env: String,
+    /// Env var name holding the Client Secret / AppSecret (stream mode).
+    pub client_secret_env: String,
+    /// Subscribed event types for stream mode (empty = all).
+    #[serde(default)]
+    pub stream_subscriptions: Vec<String>,
     /// Default agent name to route messages to.
     pub default_agent: Option<String>,
     /// Per-channel behavior overrides.
@@ -2799,9 +2812,13 @@ pub struct DingTalkConfig {
 impl Default for DingTalkConfig {
     fn default() -> Self {
         Self {
+            mode: "webhook".to_string(),
             access_token_env: "DINGTALK_ACCESS_TOKEN".to_string(),
             secret_env: "DINGTALK_SECRET".to_string(),
             webhook_port: 8457,
+            client_id_env: "DINGTALK_CLIENT_ID".to_string(),
+            client_secret_env: "DINGTALK_CLIENT_SECRET".to_string(),
+            stream_subscriptions: Vec::new(),
             default_agent: None,
             overrides: ChannelOverrides::default(),
         }
@@ -3347,7 +3364,26 @@ impl KernelConfig {
             }
         }
         if let Some(ref dt) = self.channels.dingtalk {
-            if std::env::var(&dt.access_token_env)
+            if dt.mode == "stream" {
+                if std::env::var(&dt.client_id_env)
+                    .unwrap_or_default()
+                    .is_empty()
+                {
+                    warnings.push(format!(
+                        "DingTalk stream mode configured but {} is not set",
+                        dt.client_id_env
+                    ));
+                }
+                if std::env::var(&dt.client_secret_env)
+                    .unwrap_or_default()
+                    .is_empty()
+                {
+                    warnings.push(format!(
+                        "DingTalk stream mode configured but {} is not set",
+                        dt.client_secret_env
+                    ));
+                }
+            } else if std::env::var(&dt.access_token_env)
                 .unwrap_or_default()
                 .is_empty()
             {
diff --git a/docs/channel-adapters.md b/docs/channel-adapters.md
index 850625ab4..8d460e522 100644
--- a/docs/channel-adapters.md
+++ b/docs/channel-adapters.md
@@ -95,7 +95,7 @@ All adapters share a common foundation: graceful shutdown via `watch::channel`,
 | Pumble | Webhook | `PUMBLE_WEBHOOK_URL`, `PUMBLE_TOKEN` | `Custom("pumble")` |
 | Flock | Webhook | `FLOCK_TOKEN` | `Custom("flock")` |
 | Twist | API v3 polling | `TWIST_TOKEN` | `Custom("twist")` |
-| DingTalk | Robot API webhook | `DINGTALK_TOKEN`, `DINGTALK_SECRET` | `Custom("dingtalk")` |
+| DingTalk | Robot API webhook or Stream (WebSocket) | Webhook: `DINGTALK_ACCESS_TOKEN`, `DINGTALK_SECRET` / Stream: `DINGTALK_CLIENT_ID`, `DINGTALK_CLIENT_SECRET` | `Custom("dingtalk")` |
 
 ### Notification (2)
 
diff --git a/docs/configuration.md b/docs/configuration.md
index 5e1195ad8..8c9d812af 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -977,18 +977,33 @@ channel = ""
 
 #### `[channels.dingtalk]`
 
+Supports two modes:
+- **Webhook mode** (default): Receives messages via HTTP callback. Requires a public-facing port.
+- **Stream mode**: Connects to DingTalk via WebSocket long-connection. No public IP or port needed.
+
 ```toml
+# Webhook mode (default)
 [channels.dingtalk]
+mode = "webhook"
 access_token_env = "DINGTALK_ACCESS_TOKEN"
 secret_env = "DINGTALK_SECRET"
 webhook_port = 8457
+
+# Stream mode (recommended — no public IP needed)
+[channels.dingtalk]
+mode = "stream"
+client_id_env = "DINGTALK_CLIENT_ID"
+client_secret_env = "DINGTALK_CLIENT_SECRET"
 ```
 
 | Field | Type | Default | Description |
 |-------|------|---------|-------------|
-| `access_token_env` | string | `"DINGTALK_ACCESS_TOKEN"` | Env var holding the DingTalk webhook access token. |
-| `secret_env` | string | `"DINGTALK_SECRET"` | Env var holding the DingTalk signing secret. |
-| `webhook_port` | u16 | `8457` | Port for the incoming webhook. |
+| `mode` | string | `"webhook"` | Connection mode: `"webhook"` or `"stream"`. |
+| `access_token_env` | string | `"DINGTALK_ACCESS_TOKEN"` | Env var holding the DingTalk webhook access token (webhook mode). |
+| `secret_env` | string | `"DINGTALK_SECRET"` | Env var holding the DingTalk signing secret (webhook mode). |
+| `webhook_port` | u16 | `8457` | Port for the incoming webhook (webhook mode only). |
+| `client_id_env` | string | `"DINGTALK_CLIENT_ID"` | Env var holding the Client ID / AppKey (stream mode). |
+| `client_secret_env` | string | `"DINGTALK_CLIENT_SECRET"` | Env var holding the Client Secret / AppSecret (stream mode). |
 | `default_agent` | string or null | `null` | Agent name to route messages to. |
 
 #### `[channels.discourse]`
@@ -1351,8 +1366,10 @@ Complete table of all environment variables referenced by the configuration. Non
 | `FLOCK_BOT_TOKEN` | Flock | Flock bot token. |
 | `TWIST_TOKEN` | Twist | Twist API token. |
 | `MUMBLE_PASSWORD` | Mumble | Mumble server password. |
-| `DINGTALK_ACCESS_TOKEN` | DingTalk | DingTalk webhook access token. |
-| `DINGTALK_SECRET` | DingTalk | DingTalk signing secret. |
+| `DINGTALK_ACCESS_TOKEN` | DingTalk | DingTalk webhook access token (webhook mode). |
+| `DINGTALK_SECRET` | DingTalk | DingTalk signing secret (webhook mode). |
+| `DINGTALK_CLIENT_ID` | DingTalk | DingTalk Client ID / AppKey (stream mode). |
+| `DINGTALK_CLIENT_SECRET` | DingTalk | DingTalk Client Secret / AppSecret (stream mode). |
 | `DISCOURSE_API_KEY` | Discourse | Discourse API key. |
 | `GITTER_TOKEN` | Gitter | Gitter auth token. |
 | `NTFY_TOKEN` | ntfy | ntfy auth token (optional for public topics). |
@@ -1404,7 +1421,7 @@ For every **enabled channel** (i.e., its config section is present in the TOML),
 | Flock | `bot_token_env` |
 | Twist | `token_env` |
 | Mumble | `password_env` |
-| DingTalk | `access_token_env` |
+| DingTalk | `access_token_env` (webhook) or `client_id_env` + `client_secret_env` (stream) |
 | Discourse | `api_key_env` |
 | Gitter | `token_env` |
 | ntfy | `token_env` (only if `token_env` is non-empty; public topics are OK without auth) |