Slack Bot vs User Token Scopes: How to Apply Least Privilege in Your App
Slack apps can hold two types of OAuth tokens — a bot token (xoxb-) tied to the app's bot user, and a user token (xoxp-) that acts on behalf of a real person who granted access. Bot tokens are the recommended default for modern apps, as they are more durable and do not depend on any individual remaining in the workspace. User tokens are only necessary in specific cases, such as searching the entire workspace, posting messages that must appear as a human user, exporting DMs from private channels, or implementing Sign in with Slack via OpenID Connect. Requesting scopes without clear justification is a common reason Slack apps get rejected from the Marketplace, making it critical to define permissions correctly from the manifest stage. Developers are advised to exhaust bot token capabilities before adding any user scopes, treating the two token types as independent permission sets even when both exist within the same app install.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in