Connecting an MCP server to the Slackbot MCP Client

This feature is still rolling out to developers

To check if you have access to this feature, go to App Settings. For any app, look for an MCP Servers label in the left sidebar under Features.

The Slackbot MCP Client allows developers to connect remote MCP servers via HTTP to Slack. Once connected, Slackbot will automatically discover your MCP server's tools and invoke them based on user prompts in conversation.

You can add MCP server support via a Slack app, like any other Slack platform feature. Within this guide, you'll determine the proper authentication method for your MCP server, configure it within a Slack app, and then install said app to a workspace. By the end, you'll be able to invoke the tool from Slackbot.

---

Choosing the proper authentication method

Slack supports four authentication methods for MCP server requests. Choose the one that fits your use case and the MCP server you plan to use.

Authentication method	Use	Per-user identity	Requires separate OAuth flow
No auth	Use when your MCP server serves the same responses regardless of who is asking. Users can start using tools immediately with no OAuth flow.	No	No
Slack identity auth	Use when your MCP server maps Slack user IDs and team IDs to available features. No separate OAuth flow is required for end users; Slack identifies them via signed requests containing their user and team IDs.	Yes (Slack user/team ID)	No
Dynamic Client Registration	Use when connecting to a third-party MCP server that supports DCR. You provide the URL and the server handles OAuth client registration automatically.	Yes (OAuth tokens)	Yes
Manual OAuth	Use when your MCP server doesn't support DCR. You define the authorization URL, token URL, scopes, and identity endpoint. When a user connects in Slackbot, Slack redirects them through the provider's OAuth flow using these credentials.	Yes (OAuth tokens)	Yes

---

Adding the MCP server to your Slack app

You can configure your MCP server within App Settings or by editing the app manifest directly. If you add a server via App Settings, those settings are automatically added to the manifest.

App Settings

1. Go to your app at api.slack.com/apps. If you don't already have one, create one by clicking Create New App.

2. In the left sidebar under Features, click MCP Servers.

3. Click the Get Started button to open the MCP Server form.

4. Fill in the following fields:

   • Name: A display name for your MCP server.
   • URL: The HTTPS endpoint of your MCP server (e.g., https://mcp.acme.com/mcp).
   • Auth Type: Select your desired authentication.

5. Complete any additional fields required by your selected auth type. For example, selecting Manual OAuth prompts you to choose an external auth provider.

6. Click Save.

Once saved, your MCP server appears in the MCP Server Connection Details table. You can add additional servers by clicking + Add MCP Server.

Adding an MCP server via App Settings automatically adds the mcp:connect scope to your app.

App manifest

1. Go to your app at api.slack.com/apps. If you don't already have one, create one by clicking Create New App.

2. In the left sidebar under Features, click App Manifest.

3. The mcp:connect bot scope is required for MCP server connectivity. Add it like so:

  "oauth_config": {
    "scopes": {
      "bot": ["mcp:connect"]
    }
  },

4. You'll also need to add an mcp_servers block to your app manifest. The mcp_servers block tells Slack where to find your MCP endpoint.

Field	Required	Description
url	Required	The HTTPS URL of your MCP server endpoint
auth_type	Required	Authentication type. Can be "no_auth", "slack_identity_auth", "manual_auth", or "dynamic_client_registration"
auth_provider_key	Optional	Reference to an external_auth_providers entry for per-user OAuth. Must begin with mcp_.

5. Choose the auth type that fits your use case. The following are example manifests:

Slack identity

The app needs users:read and users:read.email scopes to fetch profile data, plus a redirect_url for the app's own OAuth install flow.

{
  "display_information": {
    "name": "MCP Client - Slack ID",
    "description": "Connects app MCP server to Slackbot MCP client using Slack identity auth"
  },
  "features": {
    "bot_user": {
      "display_name": "MCP Client - Slack ID",
      "always_online": true
    }
  },
  "oauth_config": {
    "redirect_urls": [
      "https://1234-56-78-90-0.ngrok-free.app/slack/oauth_redirect"
    ],
    "scopes": {
      "bot": ["mcp:connect", "users:read", "users:read.email"]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "mcp_servers": {
    "profile": {
      "url": "https://1234-56-78-90-0.ngrok-free.app/mcp",
      "auth_type": "slack_identity_auth"
    }
  }
}

No auth

{
  "display_information": {
    "name": "MCP Client - No Auth",
    "description": "Connects app MCP server to Slackbot MCP client without authentication"
  },
  "features": {
    "bot_user": {
      "display_name": "MCP Client - No Auth",
      "always_online": true
    }
  },
  "oauth_config": {
    "scopes": {
      "bot": ["mcp:connect"]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "mcp_servers": {
    "dice": {
      "url": "https://1234-56-78-90-0.ngrok-free.app/mcp",
      "auth_type": "no_auth"
    }
  }
}

Dynamic Client Registration

You don't need an external_auth_providers block because the MCP server advertises its own OAuth configuration.

{
  "display_information": {
    "name": "MCP Client - DCR",
    "description": "Connects Notion MCP server to Slackbot MCP client using Dynamic Client Registration"
  },
  "features": {
    "bot_user": {
      "display_name": "MCP Client - DCR",
      "always_online": true
    }
  },
  "oauth_config": {
    "scopes": {
      "bot": ["mcp:connect"]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "mcp_servers": {
    "notion": {
      "url": "https://mcp.notion.com/mcp",
      "auth_provider_key": "mcp_dcr_notion",
      "auth_type": "dynamic_client_registration"
    }
  }
}

Manual OAuth

Define your OAuth provider in external_auth_providers and reference it in mcp_servers.{server_name}.auth_provider_key. This example connects to GitHub's MCP server.

external_auth_providers fields

Field	Description
client_id	Your OAuth app's client ID from the provider. When registering your OAuth app with the provider, set the redirect URI to https://oauth2.slack.com/external/auth/callback. This is where the provider sends users after they authorize.
scope	Permissions to request during the OAuth flow (can be empty if your server handles scoping internally).
authorization_url	Where Slack redirects users to authorize.
token_url	Where Slack exchanges the auth code for a token.
identity_config.url	Endpoint Slack calls to identify the connected account.
identity_config.account_identifier	JSONPath to extract a unique account identifier from the identity response.
use_pkce	Set to true if your server requires PKCE.
token_url_config.use_basic_auth_scheme	Set to true if your token endpoint expects client_secret_basic; false for client_secret_post. If unsure, check your MCP server's /.well-known/oauth-authorization-server response for token_endpoint_auth_methods_supported.

This example connects to GitHub's MCP server.

{
  "display_information": {
    "name": "MCP Client - External Auth",
    "description": "Connects GitHub MCP server to Slackbot MCP client using an external auth provider"
  },
  "features": {
    "bot_user": {
      "display_name": "MCP Client - External Auth",
      "always_online": true
    }
  },
  "oauth_config": {
    "scopes": {
      "bot": ["mcp:connect"]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "external_auth_providers": {
    "oauth2": {
      "github": {
        "provider_type": "CUSTOM",
        "options": {
          "client_id": "YOUR_GITHUB_CLIENT_ID",
          "scope": ["repo"],
          "provider_name": "GitHub",
          "authorization_url": "https://github.com/login/oauth/authorize",
          "token_url": "https://github.com/login/oauth/access_token",
          "identity_config": {
            "url": "https://api.github.com/user",
            "account_identifier": "$.login"
          },
          "use_pkce": false,
          "token_url_config": {
            "use_basic_auth_scheme": false
          }
        }
      }
    }
  },
  "mcp_servers": {
    "github": {
      "url": "https://api.githubcopilot.com/mcp/",
      "auth_type": "manual_auth",
      "auth_provider_key": "mcp_github"
    }
  }
}

Refer to the app manifest reference for the full schema.

---

Implementing your MCP server

How you implement your MCP server will depend on the type of authentication your MCP server is using.

Slack identity

Using Slack identity auth

The snippets below use either Bolt for JavaScript or Bolt for Python, alongside the Slack CLI

View the full examples: JavaScript | Python

In this example, three things happen on each request:

1. The /mcp route verifies the Slack request signature.
2. The tool reads the caller's identity from _meta.slack (provided automatically by Slack).
3. The bot token from the installation store calls the users.info method.

JavaScript

src/app.js

ai/slackbot-mcp-client/slack-identity/src/app.js

loading...

View on GitHub

Entry point

Start the server on the configured port. The Bolt app handles OAuth install and redirect routes alongside your MCP endpoint.

app.js

ai/slackbot-mcp-client/slack-identity/app.js

loading...

View on GitHub

Python

src/app.py

ai/slackbot-mcp-client/slack-identity/src/app.py

loading...

View on GitHub

Entry point

Start the server on the configured port. The Bolt app handles OAuth install and redirect routes alongside your MCP endpoint.

app.py

ai/slackbot-mcp-client/slack-identity/app.py

loading...

View on GitHub

Setup

1. Expose your local server with ngrok. Update the url in your manifest with the generated URL.

   ngrok http 3000

2. Install the app:

   1. Go to App Settings.
   2. Navigate to OAuth & Permissions > Install to Workspace (or Install to Organization for Enterprise).
   3. Authorize the app.

3. Update environment variables with values from App Settings.

   The signing secret verifies that incoming requests originated from Slack. The state secret secures the OAuth install flow.

   ai/slackbot-mcp-client/slack-identity/.env.example

   loading...

   View on GitHub

   slack env init

4. Start the app:

   slack run

No auth

Using no auth

The snippets below use either Bolt for JavaScript or Bolt for Python, alongside the Slack CLI

View the full examples: JavaScript | Python

Slack will send unauthenticated requests to your MCP server. Slack still signs every request so your server can verify it originated from Slack.

In this example, the /mcp route verifies the Slack request signature before forwarding the request to the MCP transport.

JavaScript

src/app.js

ai/slackbot-mcp-client/no-auth/src/app.js

loading...

View on GitHub

Entry point

Bolt handles the Slack events route automatically, while the custom /mcp route serves your MCP server.

app.js

ai/slackbot-mcp-client/no-auth/app.js

loading...

View on GitHub

Python

src/app.py

ai/slackbot-mcp-client/no-auth/src/app.py

loading...

View on GitHub

Entry point

Bolt handles the Slack events route automatically, while the custom /mcp route serves your MCP server.

app.py

ai/slackbot-mcp-client/no-auth/app.py

loading...

View on GitHub

Setup

1. Expose your local server with ngrok. Update the url in your manifest with the generated URL.

   ngrok http 3000

2. Install the app:

   1. Go to App Settings.
   2. Navigate to OAuth & Permissions > Install to Workspace (or Install to Organization for Enterprise).
   3. Authorize the app.

3. From App Settings, get the signing secret.

4. Set the signing secret as an environment variable:

   slack app settings
   slack env set SLACK_SIGNING_SECRET placeholder

5. Start the app:

   slack run

When using Slackbot, you can ask for things like "Roll 2d20".

Dynamic Client Registration

Using Dynamic Client Registration

When using DCR, set the redirect URI in your OAuth provider to Slack's external auth callback endpoint:

https://oauth2.slack.com/external/auth/callback

Because the MCP server is hosted externally, there's no application code to write.

Setup

1. Install the app:
   1. Go to App Settings.
   2. Navigate to OAuth & Permissions > Install to Workspace (or Install to Organization for Enterprise).
   3. Authorize the app.

When a user connects to this MCP server in Slackbot, they'll be redirected to the provider's OAuth consent screen to authorize access.

Editing DCR servers

If you created your MCP server via App Settings with Dynamic Client Registration, only the identity URL and account identifier fields are editable in the UI. To change any other configuration, edit the app manifest directly.

Manual OAuth

Using manual OAuth

When configuring your OAuth provider to recognize Slack as a client, Slack's client information metadata document is available at:

https://slack.com/.well-known/oauth-client-metadata

Setup

1. Install the app:
   1. Go to App Settings.
   2. Navigate to OAuth & Permissions > Install to Workspace (or Install to Organization for Enterprise).
   3. Authorize the app.

OAuth troubleshooting

"Unexpected error" on authorize page

This error is caused by a Redirect URI mismatch. Ensure the redirect URI registered with your OAuth provider matches https://oauth2.slack.com/external/auth/callback.

access_token_exchange_failed error

This error is caused by a token endpoint auth method mismatch. Check that use_basic_auth_scheme matches your provider's expected method.

"Not able to connect this account"

This error is caused by a missing or wrong client secret. Re-add the client secret via the MCP Servers section in App Settings or using slack external-auth add-secret.

---

Using Slackbot

1. Open a DM with Slackbot.

2. Click the Apps button in the Slackbot toolbar.

   

3. On first use, a list of suggested apps appears. Click the + button next to the app to add it. Users can have up to 5 active MCP servers at a time.

4. If using OAuth, you will be redirected to authorize with the partner's platform.

5. Once connected, the app appears under Your apps in the Integrations tab with a Manage button.

Check if Slackbot detects your tool

Ask Slackbot a question that maps to one of your tools:

What tools are available from Acme?

Slackbot will query your MCP server's tool definitions and list all available tools with descriptions.

You can also verify your tools by clicking Manage next to your app in the Integrations tab to view the list of available tools and their associated permissions.

Have Slackbot use a tool

Try a natural language prompt:

Show me recent activity on my Acme account

Slackbot will select the appropriate tool. If the tool is from a third-party, the user must explicitly authorize each tool call, both read and write, before Slackbot executes it.

When Slackbot invokes a tool, users are presented with the following options:

• Allow once: permits this tool call one time.
• Always allow: permits all future calls to this tool without prompting.
• Deny: blocks this tool call.

Users can view and update their tool permissions at any time in the MCP config dialog. After making a selection, Slackbot will then invoke the tool and return the results.

You can report responses with hallucinated information by clicking the thumbs down button. Then check the boxes next to the issues you want to report, and include the messages in your conversation if you’d like. We’ll always receive the last message you sent to Slackbot as part of a report. These reports help us identify patterns and improve Slackbot.

Enrich your tool responses

By default, tool results appear as plain text. To create a more polished experience, your MCP server can return rich responses using interactive HTML/JS via MCP Apps.

Troubleshooting

Viewing logs

You can view debug logs for your MCP server connections and tool calls via App Settings. In the left sidebar under Features, click MCP Servers, then select the Logs tab. The logs only include activity from app collaborators.

MCP connector not appearing in Slackbot

Check the following:

• the app has mcp:connect in its bot scopes.
• the MCP server is configured via an app manifest or App Settings.

Then try reinstalling the app after making any changes. For Enterprise orgs, make sure your app is installed at the org level.

Slackbot failed to load tools

Your MCP server may be rejecting authentication. If your app is using OAuth, ensure the user has completed the authorization flow.

You can also test your MCP endpoint directly:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
      "protocolVersion": "2024-11-05",
      "capabilities": {},
      "clientInfo": {"name": "test", "version": "1.0"}
    }
  }' \
  https://mcp.acme.com/mcp

Slackbot discovers but does not invoke tools

The tools may be unclassified and default to write classification. Ensure your tools include proper descriptions and classification metadata so that read-only tools execute without additional unnecessary confirmation prompts.

OAuth errors

If using manual OAuth, see the manual OAuth troubleshooting section above.

---

Onward

By following along, you'll have an app that connects an MCP server to Slackbot for your users to interact with. But there's always more!

✨ To have visually graceful, interactive experiences, check out returning rich responses.

✨ To set up workspace controls, check out admin approval to manage how users install and access your app.

✨ To publish your app, check out distributing the app on the Slack Marketplace.