Token rotation for workspace apps

Published:Thursday, August 30, 2018Updated:Monday, February 11, 2019


Workspace apps use an access token to represent all the permissions granted to your app by a workspace.

Workspace tokens are so potent and powerful that apps should take great care to keep them safe and secret. We're releasing a OAuth 2.0-based token expiration and rotation system that will make workspace tokens short-lived while providing your app a secure means to refresh tokens as needed.

For more detail on the ins and outs of token rotation, check out our full documentation.

What's changing?

We made OAuth 2.0-based token rotation flow available to workspace apps.

How do I prepare?

Learn how to enable token rotation, use refresh tokens, expire tokens, and secure your app by following our guide to rotating and refreshing credentials.

Token rotation is supported by node-slack-sdk today: refer to its refresh token docs to learn how. Python support is on the way.

What if I do nothing?

If you aren't building a workspace app, nothing happens. Token rotation support is not available to traditional Slack apps.

If your workspace app is not marked as distributed and is only installed in its "home workspace," then enabling token rotation is optional but encouraged.

If you enable distribution for any workspace app, refreshing tokens will become required.

When is this happening?

Token expiration, refresh tokens, and our OAuth 2.0 token refresh flow are all available now for workspace apps now. They aren't available for traditional apps yet.