Skill

slack-auth-security

OAuth flows, token management, and security best practices for Slack apps. Use when implementing app distribution, multi-workspace installations, token storage and rotation, managing scopes and permissions, or securing production Slack applications.

Install

npx claudepluginhub linehaul-ai/linehaulai-claude-marketplace --plugin slack-go-sdk

Tool Access

This skill uses the workspace's default tool permissions.

Preview

**Bot Token** (`xoxb-`):

SKILL.md

Similar Skills

design-system

Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.

team-skills-platform

163.7k

ui-demo

Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.

team-skills-platform

163.7k

kotlin-patterns

Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.

team-skills-platform

163.7k

Stats

Parent Repo Stars4

Parent Repo Forks0

Last CommitJan 27, 2026

Actions

View Source View Plugin View on GitHub View README

Slack Auth & Security

OAuth 2.0 Flow

Bot Token vs User Token

Bot Token (xoxb-):

Performs actions as the bot user
Requires bot scopes
Recommended for most operations

User Token (xoxp-):

Acts on behalf of specific user
Requires user scopes
Used for user-specific operations

Basic OAuth Flow

import "github.com/slack-go/slack"

// Step 1: Generate authorization URL
state := generateRandomState()
authURL := fmt.Sprintf(
    "https://slack.com/oauth/v2/authorize?client_id=%s&scope=%s&state=%s",
    clientID,
    "chat:write,channels:read",
    state,
)

See oauth-flow.md for complete OAuth implementation.

Token Management

Storing Tokens Securely

// NEVER hardcode tokens
// Use environment variables or secrets manager
token := os.Getenv("SLACK_BOT_TOKEN")
api := slack.New(token)

Token Rotation

// Rotate tokens periodically
newToken, err := api.RotateTokens(refreshToken)
if err != nil {
    return err
}

// Update stored token
storeToken(newToken)

See token-management.md for storage strategies and rotation patterns.

Scopes and Permissions

Required Scopes by Operation

Messaging:

chat:write - Send messages
chat:write.public - Post to channels bot isn't in

Channels:

channels:read - View public channels
channels:manage - Create/manage channels
groups:read - View private channels

Users:

users:read - View users
users:read.email - View user emails

See scopes-permissions.md for comprehensive scope guide.

Security Best Practices

1. Request Verification

Always verify requests from Slack:

import "github.com/slack-go/slack"

func verifySlackRequest(r *http.Request, signingSecret string) bool {
    verifier, err := slack.NewSecretsVerifier(r.Header, signingSecret)
    if err != nil {
        return false
    }

    body, _ := ioutil.ReadAll(r.Body)
    verifier.Write(body)

    return verifier.Ensure() == nil
}

2. HTTPS Only

Never use HTTP endpoints for webhooks:

✅ https://your-app.com/slack/events
❌ http://your-app.com/slack/events

3. Token Storage

Use environment variables for development
Use secrets managers (AWS Secrets Manager, HashiCorp Vault) for production
Encrypt tokens at rest
Never commit tokens to version control

4. Rate Limiting

Implement rate limiting to avoid abuse:

type RateLimiter struct {
    requests map[string][]time.Time
    mu       sync.Mutex
}

func (rl *RateLimiter) Allow(userID string, maxRequests int, window time.Duration) bool {
    rl.mu.Lock()
    defer rl.mu.Unlock()

    now := time.Now()
    cutoff := now.Add(-window)

    // Remove old requests
    var validRequests []time.Time
    for _, t := range rl.requests[userID] {
        if t.After(cutoff) {
            validRequests = append(validRequests, t)
        }
    }

    if len(validRequests) >= maxRequests {
        return false
    }

    rl.requests[userID] = append(validRequests, now)
    return true
}

Multi-Workspace Installations

Token Per Workspace

Store tokens separately for each workspace:

type WorkspaceToken struct {
    TeamID      string
    BotToken    string
    BotUserID   string
    InstalledAt time.Time
}

func getAPIForTeam(teamID string) (*slack.Client, error) {
    token, err := loadTokenForTeam(teamID)
    if err != nil {
        return nil, err
    }
    return slack.New(token.BotToken), nil
}

App Manifest API

Programmatically configure apps:

manifest := &slack.Manifest{
    DisplayInformation: slack.ManifestDisplayInformation{
        Name: "My Bot",
        Description: "Helpful bot",
    },
    Features: slack.ManifestFeatures{
        BotUser: &slack.ManifestBotUser{
            DisplayName: "mybot",
            AlwaysOnline: true,
        },
    },
    OAuthConfig: slack.ManifestOAuthConfig{
        Scopes: slack.ManifestOAuthScopes{
            Bot: []string{"chat:write", "channels:read"},
        },
    },
}

_, err := api.CreateManifest(manifest)

See manifest-api.md for manifest patterns.

Production Checklist

See security-checklist.md for comprehensive security audit:

✅ HTTPS endpoints
✅ Request signature verification
✅ Token encryption at rest
✅ Rate limiting
✅ Audit logging
✅ Error handling (don't leak sensitive info)
✅ Regular token rotation

Common Pitfalls

Hardcoding tokens in code
Not verifying request signatures
Using HTTP instead of HTTPS
Storing tokens in plain text
Not implementing rate limiting
Exposing sensitive errors to users