Token rotation
Supported in Bolt for JavaScript as of v3.5.0, token rotation adds an extra layer of security for your access tokens and is defined in the OAuth V2 RFC.
Instead of an access token representing an existing installation of your Slack app indefinitely, with token rotation enabled, access tokens expire. A refresh token acts as a long-lived credential used to obtain new access tokens.
Bolt for JavaScript rotates tokens automatically in response to incoming events, as long as the built-in OAuth functionality is used.
To rotate tokens on a separate schedule, consider instantiating the `InstallProvider` from the `@slack/oauth` package and using its `authorize` method:

```javascript
const { InstallProvider } = require("@slack/oauth");

const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: process.env.SLACK_STATE_SECRET,
  // An installationStore option is also required so that authorize() can
  // fetch the stored installation and persist the refreshed tokens.
});

// Look up the installation for the incoming query, refresh its tokens if
// they have expired, and return the current tokens for use in API calls.
async function rotateTokenBeforeUsing(query) {
  return installer.authorize({
    enterpriseId: query.enterpriseId,
    teamId: query.teamId,
    // User tokens can also be rotated if needed
    // userId: query.userId,
  });
}
```
The above implementation also requires an installation store to fetch and store installation information according to the incoming installation query.
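As an added example (not code from the Bolt docs or the `@slack/oauth` package), here is a minimal in-memory installation store with the method names `InstallProvider` expects for its `installationStore` option, plus a check for whether a stored bot token is close to expiry. It assumes the installation query carries `teamId`, `enterpriseId` and `isEnterpriseInstall`, and that `bot.expiresAt` is a UNIX time in seconds; a production store would use a database rather than a `Map`.

```javascript
// Assumed shape of the query and installation objects; the Map is a stand-in
// for a real database.
const installations = new Map();

// Org-wide installs are keyed by enterprise, workspace installs by team, so a
// rotated token written for one workspace can never be served to another.
function installationKey(query) {
  if (query.isEnterpriseInstall && query.enterpriseId) {
    return `E:${query.enterpriseId}`;
  }
  if (query.teamId) {
    return `T:${query.teamId}`;
  }
  throw new Error("installation query must carry a teamId or enterpriseId");
}

const installationStore = {
  // Called after the OAuth callback and again after every token refresh.
  async storeInstallation(installation) {
    const key = installationKey({
      isEnterpriseInstall: installation.isEnterpriseInstall,
      enterpriseId: installation.enterprise && installation.enterprise.id,
      teamId: installation.team && installation.team.id,
    });
    installations.set(key, installation);
  },
  // Called by authorize() before it decides whether a refresh is needed.
  async fetchInstallation(query) {
    const installation = installations.get(installationKey(query));
    if (!installation) {
      throw new Error("no installation found for query");
    }
    return installation;
  },
  async deleteInstallation(query) {
    installations.delete(installationKey(query));
  },
};

// Treat a token that expires within marginSeconds as due for rotation, so a
// scheduled job can refresh it before a request would fail with an expired
// token. A missing expiresAt means rotation is not enabled for this app.
function tokenNeedsRotation(installation, nowSeconds, marginSeconds = 300) {
  const expiresAt = installation.bot && installation.bot.expiresAt;
  if (expiresAt === undefined) {
    return false;
  }
  return expiresAt - nowSeconds <= marginSeconds;
}
```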
For more information about token rotation, please see the documentation.