How To Get Slack Token for Bot API, User Token & API Key

William Westerlund
October 11, 2025

How To Get Slack Token for Bot API

Every Slack bot starts with a token: your key to the API's world of automation and integrations. Whether you're building a custom workflow or connecting existing tools, understanding how to get and manage your Slack token is the first real step to making your bot come alive.

Master bot tokens (xoxb-), user tokens (xoxp-), and app-level tokens (xapp-). Complete guide to Slack API authentication and OAuth 2.0 flow.

At a glance: Bot Token (xoxb- prefix), User Token (xoxp- prefix), App Token (xapp- prefix), and the OAuth 2.0 secure flow that issues them.

Understanding Slack Token Types

Each token type serves a distinct purpose. Choose the right token for your use case to build secure, functional Slack integrations.

  • Bot User Token (xoxb-): App's independent identity. Posts messages, listens to events.
  • User Token (xoxp-): Acts on behalf of a specific user. User-centric actions.
  • App-Level Token (xapp-): Enables Socket Mode. Cross-workspace management.
  • Incoming Webhook URL: Simple incoming messages. No token needed.

Bot User Token (xoxb-)

When To Use

  • Posting automated messages to channels
  • Responding to slash commands
  • Listening for events and mentions
  • Building bots with independent identity

Key Characteristics

  • Not tied to any specific user
  • Works even if installer leaves workspace
  • Requires explicit channel invitations
  • Defined by Bot Token Scopes

Best Practice: Use bot tokens as your default for most integrations. They're more stable and don't depend on user account status.

User Token (xoxp-)

When To Use

Key Characteristics

  • Tied to specific user account
  • Actions appear as that user
  • Constrained by user's permissions
  • Defined by User Token Scopes

Caution: User tokens require careful permission management. Only request user scopes when bot tokens can't accomplish the task.

App-Level Token (xapp-)

When To Use

  • Enabling Socket Mode connections
  • Running apps behind firewalls
  • Managing app across workspaces
  • Real-time WebSocket events

Key Characteristics

  • Represents app, not installation
  • Generated manually in dashboard
  • Requires connections:write scope
  • Works with WebSocket API

Note: App-level tokens are specifically for Socket Mode. Most apps won't need them unless avoiding public HTTP endpoints.

Incoming Webhook URL

When To Use

Key Characteristics

  • No OAuth token needed
  • URL itself is the credential
  • Posts to pre-configured channel
  • Cannot read or listen to events

Security: Treat webhook URLs as secrets. Anyone with the URL can post to your channel. Use bot tokens for more control.


How To Generate Slack Tokens: Two Methods

Method 1 is for internal apps and development. Method 2 (OAuth 2.0) is required for distributable apps installed across multiple workspaces.

Method 1: Direct Installation for Internal Apps

Perfect for single-workspace apps and quick development testing. Get tokens in minutes.

1. Create Your Slack App
   Go to api.slack.com/apps and click "Create New App". Choose "From scratch", name your app, and select your development workspace.

2. Add OAuth Scopes
   Navigate to "OAuth & Permissions" in the left sidebar. Scroll to "Scopes" and add required permissions under "Bot Token Scopes" (e.g., chat:write, channels:read).

3. Install App to Workspace
   Click "Install to Workspace" at the top of the OAuth & Permissions page. Review the permissions and click "Allow" to authorize.

4. Copy Your Bot Token
   After installation, you'll see your Bot User OAuth Token (starts with xoxb-). Copy and store it securely. Never commit it to version control!

Pro Tip: If you also added User Token Scopes, you'll see a separate User OAuth Token (xoxp-) on the same page.

Method 2: OAuth 2.0 Flow for Distributable Apps

Required for public apps in the Slack App Directory. Allows any workspace to install your app securely.

1. Configure Redirect URLs
   In "OAuth & Permissions", add your server's HTTPS redirect URL (e.g., https://yourapp.com/slack/oauth). This is where Slack sends users after authorization.

2. Build Authorization URL
   Construct the OAuth URL with your Client ID, redirect URI, and requested scopes. Users click this to start installation.

3. Exchange Code for Token
   When Slack redirects back with a temporary code, POST to oauth.v2.access with your Client ID, Client Secret, and the code to get permanent tokens.

4. Store Tokens Securely
   Save the returned access_token (bot) and authed_user.access_token (user) in your database, associated with the workspace team.id.

OAuth Authorization URL Example

HTTP
https://slack.com/oauth/v2/authorize?
  client_id=YOUR_CLIENT_ID&
  scope=chat:write,channels:read&
  user_scope=users:read&
  redirect_uri=https://yourapp.com/slack/oauth

Token Exchange Request Example

JavaScript
// receivedCode is the temporary `code` query parameter Slack appended to your redirect URL
const response = await fetch('https://slack.com/api/oauth.v2.access', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    client_id: process.env.SLACK_CLIENT_ID,
    client_secret: process.env.SLACK_CLIENT_SECRET,
    code: receivedCode,
    redirect_uri: 'https://yourapp.com/slack/oauth' // must match the URL configured in OAuth & Permissions
  })
});

const data = await response.json();
const botToken = data.access_token; // xoxb-...
const userToken = data.authed_user?.access_token; // xoxp-... (only present if user scopes were requested)

Token Types Quick Reference

Complete comparison of all Slack API credentials and their use cases.

Credential Type   Prefix            Primary Use Case                  Generated From
Bot User Token    xoxb-             App's independent bot identity    OAuth & Permissions page
User Token        xoxp-             Actions on behalf of user         OAuth & Permissions page
App-Level Token   xapp-             Socket Mode, cross-workspace      Basic Information page
Client ID         N/A               App identifier for OAuth          Basic Information page
Client Secret     N/A               Authenticate during OAuth         Basic Information page
Signing Secret    N/A               Verify incoming requests          Basic Information page
Webhook URL       hooks.slack.com   Simple incoming messages          Incoming Webhooks feature

Security Best Practices for Token Management

Tokens are as sensitive as passwords. Follow these practices to protect your Slack integrations.

Never Hardcode Tokens

Store tokens in environment variables or secret management systems. Never commit them to version control, especially public repositories.

GitHub scans for exposed tokens and will alert you if any are found.

Use Secret Management Systems

In production, use AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, or similar tools for centralized, auditable credential management.

Verify Incoming Requests

Always verify Slack requests using the Signing Secret. This prevents forged webhooks and replay attacks on your endpoints.

Implement Token Rotation

For long-lived apps, rotate tokens periodically. Use the auth.revoke API to invalidate compromised tokens immediately.

Follow Least Privilege Principle

Only request the scopes your app needs. Granular permissions reduce the impact of a compromised token.

Monitor Token Usage

Log API calls and monitor for suspicious activity. Set up alerts for unusual patterns or failed authentication attempts.

Verifying Request Signatures with Signing Secret

Node.js
const crypto = require('crypto');

function verifySlackRequest(req, signingSecret) {
  const timestamp = req.headers['x-slack-request-timestamp'];
  const slackSignature = req.headers['x-slack-signature'];
  if (!timestamp || !slackSignature || req.rawBody === undefined) {
    return false; // missing header, or the raw body was not captured before parsing
  }

  // Prevent replay attacks: reject requests whose timestamp is more than five minutes old
  const fiveMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 5);
  if (Number(timestamp) < fiveMinutesAgo) {
    return false;
  }

  // Create basestring: v0:timestamp:body (req.rawBody must be the unmodified request body)
  const baseString = `v0:${timestamp}:${req.rawBody}`;

  // Calculate HMAC-SHA256 signature
  const hmac = crypto.createHmac('sha256', signingSecret);
  hmac.update(baseString);
  const computedSignature = 'v0=' + hmac.digest('hex');

  // Use timing-safe comparison; timingSafeEqual throws if the buffers differ in length
  const computed = Buffer.from(computedSignature);
  const received = Buffer.from(slackSignature);
  if (computed.length !== received.length) {
    return false;
  }
  return crypto.timingSafeEqual(computed, received);
}

Build Slack Apps Faster with Suptask

Skip the OAuth complexity. Suptask provides pre-built Slack authentication, ticketing workflows, and task management. Turn messages into trackable tasks in seconds.


Frequently Asked Questions About Slack Tokens

Common questions developers ask when building Slack integrations.

What's the difference between bot token and user token?
Bot tokens (xoxb-) represent your app's independent identity and aren't tied to any user. User tokens (xoxp-) act on behalf of a specific user and require that user's authorization. Bot tokens are more stable and should be your default choice.

Do I need OAuth 2.0 for a simple internal bot?
No. For internal apps used in a single workspace, you can use the simple "Install to Workspace" button in the OAuth & Permissions page. This generates tokens instantly without implementing the full OAuth flow. OAuth 2.0 is only required for distributable apps.

Where do I find my Slack app's Client ID and Client Secret?
Both are located on the "Basic Information" page of your app's settings at api.slack.com/apps. The Client ID is visible, but you must click "Show" to reveal the Client Secret. Keep the Client Secret confidential.

What happens if my token gets exposed publicly?
Immediately revoke the token from your app's dashboard or use the auth.revoke API method. GitHub and other platforms scan for exposed Slack tokens and may alert you. After revoking, generate a new token and update your app's configuration.

Can I use the same token across multiple workspaces?
No. Each workspace installation generates unique tokens. When building a distributable app, you must store separate tokens for each workspace that installs your app, typically keyed by the workspace's team_id.

Do bot tokens expire?
Bot and user tokens don't have a fixed expiration date, but they can be revoked when: (1) a user uninstalls your app, (2) you manually revoke them, (3) a workspace admin removes the app, or (4) scopes are changed (which may require reinstallation).

What's the Signing Secret used for?
The Signing Secret verifies that incoming webhook requests actually came from Slack and haven't been tampered with. You use it to compute an HMAC-SHA256 signature and compare it with Slack's signature. This prevents request forgery and replay attacks.

When should I use an app-level token (xapp-)?
App-level tokens are specifically for Socket Mode, which allows your app to receive events over WebSockets instead of HTTP webhooks. Use them if your app runs behind a firewall and can't expose a public URL, or if you prefer WebSocket-based event delivery.

How do I migrate from legacy tokens?
Legacy tokens (tester tokens, workspace tokens, broad "bot" scope) are deprecated. Create a new Slack App, add granular scopes that match your needs, install it to get modern xoxb- or xoxp- tokens, update your code, then decommission the old integration.

What scopes should I request for my bot?
Follow the principle of least privilege. Common scopes: chat:write (send messages), channels:read (list channels), channels:history (read messages), commands (slash commands). Only add scopes your app actively uses.

Ready To Build Your Slack Integration

You now understand bot tokens, user tokens, OAuth flows, and security best practices. Start with Method 1 for internal tools, or implement OAuth 2.0 for distributable apps. Always verify requests with your Signing Secret.

