
Reference: Token types

The rundown
Read this if: You're still experimenting, prototyping, and exploring.
Read first: Verifying requests from Slack
Read next: Quickstart: differences between old and new Slack apps

There are more than a few things called "tokens" in the Slack platform. It's easy to confuse them with one another or to miss the deep, almost spiritual purpose of each type.

Prepare for token string values up to 255 characters long.

Meet the tokens

Bot user tokens let your app act independently. Previously, bot users were special and required the umbrella bot scope. New Slack apps can request individual scopes for their bot users, just like with user tokens.

User tokens allow you to work directly on behalf of users, based on the OAuth scopes they award to your app.

Bot user tokens

The bot user model is evolving! Currently in beta, you'll find more methods and scopes supporting bot tokens than ever before, but there's a catch — for most of these you'll need a new kind of more granular bot token.

Bot user tokens represent a bot associated with the app installed in a workspace. Unlike user tokens, they're not tied to a user's identity; they're just tied to your app.

Since acting independently allows your app to stay installed even when an installing user is deactivated, using bot tokens is usually for the best.

Check out the guide to new Slack apps for more info.

  • Bot user token strings begin with xoxb-
  • New bot users can request individual scopes, similar to user tokens. Older bot tokens requested an umbrella bot scope with many different permissions included in it.
  • Older bot user tokens can't have resource-based OAuth scopes added to them; any scopes other than bot requested during the OAuth installation flow have no effect on the bot user token.
  • Revoking an older bot user token with auth.revoke does not uninstall the bot user. A new token may be obtained via OAuth or, for internal integrations, your app management console.

User tokens

User tokens represent workspace members. They are issued for the user who installed the app and for users who authenticate the app. When your app asks for OAuth scopes, they are applied to user tokens. You can use these tokens to take actions on behalf of users.

  • User token strings begin with xoxp-
  • User tokens gain the "old world" resource-based OAuth scopes requested in the installation process (example: asking for channels:history grants a user token access to channels.history for any public channel)
  • User tokens represent the same access a user has to a workspace -- the channels, conversations, users, reactions, etc. they can see
  • Write actions with user tokens are performed as if by the user themselves

Workspace tokens

The developer preview for workspace apps has ended. We're taking the components of workspace apps and breaking them apart: applying them in phases to existing as well as new apps. Read more about the motivation behind ending the preview.

For those who already have an existing app using a workspace token, here's a quick overview on how they work:

  • Workspace access token strings begin with xoxa-2.
  • Workspace refresh token strings begin with xoxr.
  • Access tokens are the only tokens used to call an API method.
  • Use your refresh token to rotate and refresh your access token with no downtime.
  • Bot users and bot user tokens cannot be used in conjunction with workspace tokens.
  • No requests are made on behalf of users with workspace tokens.
  • OAuth scopes negotiated during the OAuth installation process or through the Permissions API are applied directly to your workspace token.

See working with workspace tokens and the Permissions API to learn more.
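The prefixes listed in the sections above are enough to recognise tokens that end up in logs or config dumps and to mask them before the text is stored or shared. The following Python is an added example, not Slack's code; the character set assumed for the token body and the sample log lines are constructed for illustration.

```python
import re

# Prefixes exactly as this page lists them, most specific first.
PREFIXES = [
    ("xoxa-2", "workspace access token"),
    ("xoxb-", "bot user token"),
    ("xoxp-", "user token"),
    ("xoxr", "workspace refresh token"),
]
MAX_LEN = 255  # the page says to prepare for values up to 255 characters

# Assumption: token bodies consist of letters, digits and hyphens only.
CANDIDATE = re.compile(r"(?<![A-Za-z0-9])xox[abpr][A-Za-z0-9-]+")


def classify(token):
    """Return (prefix, kind) for a token string, or None if it is not one."""
    for prefix, kind in PREFIXES:
        # A bare prefix (as quoted in documentation) is not a credential.
        if token.startswith(prefix) and len(token) > len(prefix):
            return prefix, kind
    return None


def scan(text):
    """Return (kind, masked, oversized) for each token-like string in text."""
    findings = []
    for match in CANDIDATE.finditer(text):
        token = match.group(0)
        hit = classify(token)
        if hit:
            prefix, kind = hit
            findings.append((kind, prefix + "[REDACTED]", len(token) > MAX_LEN))
    return findings


def redact(text):
    """Replace each recognised token with its prefix and a marker."""
    def mask(match):
        hit = classify(match.group(0))
        return hit[0] + "[REDACTED]" if hit else match.group(0)
    return CANDIDATE.sub(mask, text)


# Constructed sample log lines; the token values are made up.
SAMPLE = "\n".join([
    "deploy: SLACK_TOKEN=xoxb-000000000000-CONSTRUCTED",
    "debug: auth header 'Bearer xoxp-111111111111-CONSTRUCTED'",
    "docs: bot token strings begin with xoxb-",
    "rotate: refresh=xoxr-222222222222-CONSTRUCTED",
])
```

`scan(SAMPLE)` reports the bot, user and refresh tokens but not the bare `xoxb-` in the documentation line, and the `oversized` flag marks any match longer than the 255 characters your storage should be sized for.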

Legacy tokens

These tokens were associated with legacy custom integrations and early Slack integrations requiring an ambiguous "API token." They were generated using the legacy token generator and are no longer recommended for use. They take on the full operational scope of the user that created them. If you're building a tool for your own team, we encourage creating an internal integration with only the scopes it needs to work.

Verification tokens

Verification tokens are deprecated. Use the more secure signing secret to verify Slack requests for authenticity.

Verification tokens weren't like these other token types. They weren't really tokens at all.