Tokens
We're still building and not all features are available quite yet. Enjoy this peek into the future!
Not ready for the future? Return to the past at api.slack.com.
Tokens are the keys to the Slack platform. They tie together all the scopes and permissions your app has obtained, allowing it to read, write, and interact. There are multiple types of tokens available. Each type is suited for different types of apps and their functionality. Certain scopes are unique to particular token types, as summarized in the table below:
| Token | App type | Description |
|---|---|---|
| Bot token | Slack apps | Bot tokens ascribe to a granular permission model to request only the scopes you need. Refer to the quickstart guide for Slack apps to learn how to get one. |
| Workflow token | Slack apps | Workflow tokens, or "just in time" tokens, are a subset of bot tokens. They cannot perform actions that require a user scope. |
| User token | Slack apps | User tokens allow you to work directly on behalf of users when necessary. |
| Configuration token | Slack apps | Configuration tokens are per-workspace tokens used with App Manifest APIs to create and configure your apps. |
| App-level token | Slack apps | App-level tokens are for use with Slack apps but only with specific APIs, which are related to the app across all organizations where the app is installed. |
| Service token | Workflow apps | Service tokens are long-lived, non-rotatable user tokens that won't expire, so they can be used to perform any Slack CLI action without the need to refresh tokens. Refer to obtaining a service token to learn how to get one. |
Bot tokens
Bot tokens represent a bot associated with an app installed in a workspace. Unlike user tokens, they're not tied to a user's identity—they're only tied to your app. Since acting independently allows your app to stay installed even when an installing user is deactivated, using bot tokens is usually for the best.
- New bot users can request individual scopes, similar to user tokens.
- Bot token strings begin with
xoxb-.
Ready to get one? Refer to the quickstart guide for Slack apps.
Workflow tokens
Workflow tokens expire, but cannot be refreshed. These tokens expire either 15 minutes after being issued, or when a function step is completed successfully or returns an error—whichever occurs first. The token is then revoked immediately. Workflow token strings begin with xwfp-.
"Borrowed visibility"
Unlike xoxb- tokens, workflow tokens can sometimes access private channels their bot users are not a member of. This feature is called "borrowed visibility" because a workflow temporarily borrows the access of the user who ran it.
When evaluating a "Can this user see this channel?" check for a workflow, we consider the bot user to have visibility based on these rules:
- If the bot user is actually in the channel, the workflow has visibility.
- If the bot user is not a member of the channel, the workflow may still have visibility if all of the following are true:
- The user (human, not bot) who started the workflow (i.e. the
user_idon the token) is in the channel. - The channel the workflow is attempting to view is either:
- the channel where the workflow was tripped, or
- a channel that was selected in the workflow's OpenForm channel picker.
- The user (human, not bot) who started the workflow (i.e. the
This feature only grants visibility into channels (e.g. acting as though the bot user is a member of the channel for that specific workflow run). It does not allow the bot user to act on behalf of a user (this requires a user scope) or to bypass any organization policies.
User tokens
User tokens represent workspace members. They are issued for the user who installed the app and for users who authenticate the app. When your app asks for OAuth scopes, they are applied to user tokens. You can use these tokens to take actions on behalf of users.
- User tokens gain the resource-based OAuth scopes requested in the installation process (e.g. asking for
channels:historygrants a user token access toconversations.historyfor any public channel). - User tokens represent the same access a user has to a workspace — the channels, conversations, users, reactions, and so on that they can see. Write actions with user tokens are performed as if by the user themselves.
- User token strings begin with
xoxp-.
Both configuration and service tokens are also tied to a user logged into Slack.
Configuration tokens
App configuration tokens (or config tokens for short) are solely used to create and configure Slack apps using our App Manifest APIs. Each configuration token is unique to a user and a workspace, but not an app. This means you can manage the configuration of any of your apps in a single development workspace, with just one config token.
App-level tokens
App-level tokens represent your app across organizations, including installations by all individual users on all workspaces in a given organization.
- These tokens give you the ability to handle things that relate to your app as a whole, such as listing all the authorizations an event is visible to.
- App-level token strings begin with
xapp-.
App-level tokens are obtained upon app creation. Find your app-level token in the Basic Information tab of the app settings.
Service tokens
Service tokens won't expire, so they can be used to perform any Slack CLI action without the need to refresh tokens.
- The service token will not conflict with your regular authentication token; you can continue using your regular authentication token within the Slack CLI.
Ready to get one? Refer to obtaining a service token.
Legacy token types
For posterity, here is a list of tokens that are no longer supported or recommended for use.
Legacy bot tokens
These bot tokens, obtained through an older OAuth flow, should only be used in special cases — such as connecting to the now-deprecated Real Time Messaging (RTM) API.
- Legacy bot tokens requested an umbrella
botscope with many different permissions included within it. We have now moved away from this umbrella permission model, and instead recommend you use newer, granular bot tokens. Newer platform features will no longer be supported with the legacy bot token. - Legacy bot tokens can't have resource-based OAuth scopes added to them; any scopes other than
botrequested during the OAuth installation flow have no effect on the legacy bot token. - Revoking a legacy bot token with
auth.revokedoes not uninstall the bot user. A new token may be obtained via OAuth or, for internal integrations, your app management console.
Legacy workspace tokens
Legacy workspace apps have been fully deprecated as of August 2021. Don't use this token type for new apps.
- The developer preview for workspace apps has ended. We took the components of workspace apps and broke them apart: applying them in phases to existing apps as well as new ones. Read more about the motivation behind ending the preview.
Legacy custom integration tokens
These tokens were associated with legacy custom integrations and early Slack integrations requiring an ambiguous "API token." They were generated using the legacy token generator, and are no longer recommended for use.
- These tokens take on the full operational scope of the user that created them. If you're building a tool for your own team, we encourage creating a single-workspace app with only the scopes it needs.