
Token rotation for workspace apps

Published: Thursday, August 30, 2018

Workspace apps use an access token to represent all the permissions granted to your app by a workspace.

Because a workspace token carries every permission your app has been granted, it must be kept secret and handled with care. We're releasing an OAuth 2.0-based token expiration and rotation system that makes workspace tokens short-lived while giving your app a secure way to obtain a fresh token whenever it needs one, using a refresh token.

For more detail on the ins and outs of token rotation, check out our full documentation.

We're requiring distributed workspace apps to follow these security best practices: token rotation using refresh tokens is mandatory for every distributed workspace app.

What's changing?

We're making an OAuth 2.0-based token rotation flow available to workspace apps.

Implementing token rotation is required for workspace apps that are distributed or destined for the app directory.

We're grandfathering existing workspace apps marked for distribution from this requirement until January 15, 2019. If your workspace app is already distributed, be sure to implement token rotation by January 15, 2019.

How do I prepare?

Learn how to enable token rotation, use refresh tokens, expire tokens, and secure your app by following our guide to rotating and refreshing credentials.

Token rotation is supported by node-slack-sdk today: refer to its refresh token docs to learn how. Python support is on the way.
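
The following is an added example of the client side of the refresh flow described above; it is not Slack's code and not node-slack-sdk's implementation. It assumes the standard OAuth 2.0 refresh_token grant (RFC 6749 section 6): the authorization server is handed the current refresh token and returns a new access_token, a new refresh_token and an expires_in lifetime, and the old refresh token is invalidated. The HTTP call is injected so the example runs offline against a constructed stand-in for the authorization server; the token prefixes, the `token_expired` error string and the 60-second refresh skew are illustrative assumptions, not documented Slack values.

```javascript
// Added example, not Slack's or node-slack-sdk's code. Field names follow the
// OAuth 2.0 refresh_token grant; Slack-specific details are assumptions.

const REFRESH_SKEW_SECONDS = 60; // refresh a little before the token actually expires (assumed value)

class TokenManager {
  // requestRefresh(refreshToken) performs the refresh_token grant and resolves to
  // { access_token, refresh_token, expires_in }. It is injected so this runs
  // offline; a real app would POST client_id, client_secret, grant_type and
  // refresh_token to the authorization server over TLS.
  constructor({ accessToken, refreshToken, expiresIn, requestRefresh, now = () => Date.now() / 1000 }) {
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.expiresAt = now() + expiresIn;
    this.requestRefresh = requestRefresh;
    this.now = now;
    this.inflight = null;   // single-flight guard: concurrent callers share one refresh
    this.refreshCount = 0;  // exposed so the behaviour can be checked
  }

  isExpiringSoon() {
    return this.now() + REFRESH_SKEW_SECONDS >= this.expiresAt;
  }

  async refresh() {
    if (!this.inflight) {
      this.inflight = (async () => {
        const res = await this.requestRefresh(this.refreshToken);
        // Rotation replaces BOTH tokens; the old refresh token must never be reused.
        this.accessToken = res.access_token;
        this.refreshToken = res.refresh_token;
        this.expiresAt = this.now() + res.expires_in;
        this.refreshCount += 1;
      })().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async getAccessToken() {
    if (this.isExpiringSoon()) await this.refresh();
    return this.accessToken;
  }

  // Call an API function with a fresh token. If the server still reports the token
  // as expired (clock skew, early revocation), refresh once and retry once.
  async callApi(apiFn) {
    let result = await apiFn(await this.getAccessToken());
    if (result.ok === false && result.error === 'token_expired') {
      await this.refresh();
      result = await apiFn(this.accessToken);
    }
    return result;
  }
}

// Constructed stand-in for the authorization server (not Slack). It issues a new
// access/refresh pair per grant and rejects a refresh token that was already used,
// which is what lets rotation detect a leaked refresh token.
function makeFakeAuthServer(initialRefreshToken, lifetimeSeconds) {
  const valid = new Set([initialRefreshToken]);
  let counter = 0;
  return {
    async refresh(refreshToken) {
      if (!valid.has(refreshToken)) throw new Error('invalid_refresh_token');
      valid.delete(refreshToken);
      counter += 1;
      const next = `xoxr-fake-${counter}`;
      valid.add(next);
      return { access_token: `xoxa-fake-${counter}`, refresh_token: next, expires_in: lifetimeSeconds };
    },
  };
}

// Drive the flow with a fake clock so the sequence is deterministic.
async function demo() {
  let clock = 1000;
  const server = makeFakeAuthServer('xoxr-fake-0', 3600);
  const tm = new TokenManager({
    accessToken: 'xoxa-fake-0', refreshToken: 'xoxr-fake-0', expiresIn: 3600,
    requestRefresh: (rt) => server.refresh(rt), now: () => clock,
  });

  const t1 = await tm.getAccessToken();         // still fresh, no refresh
  clock += 3600 - 30;                           // now inside the skew window
  const [t2, t3] = await Promise.all([tm.getAccessToken(), tm.getAccessToken()]); // one refresh serves both

  let reuseRejected = false;                    // replaying the consumed refresh token must fail
  try { await server.refresh('xoxr-fake-0'); } catch (e) { reuseRejected = true; }

  const revokedEarly = new Set([tm.accessToken]); // simulate the server expiring the current token early
  const apiResult = await tm.callApi(async (token) =>
    revokedEarly.has(token) ? { ok: false, error: 'token_expired' } : { ok: true });

  return { t1, t2, t3, refreshCount: tm.refreshCount, reuseRejected, apiOk: apiResult.ok, finalToken: tm.accessToken };
}

demo().then((r) => console.log(r));
// -> { t1: 'xoxa-fake-0', t2: 'xoxa-fake-1', t3: 'xoxa-fake-1', refreshCount: 2,
//      reuseRejected: true, apiOk: true, finalToken: 'xoxa-fake-2' }
```

Two points the example is built around: refreshes are single-flight, so a burst of requests at expiry does not consume the refresh token more than once (a second use would be rejected and could lock the app out of that workspace), and the new access/refresh pair should be persisted, encrypted at rest, before the old one is discarded.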

What if I do nothing?

If you aren't building a workspace app, nothing happens. Token rotation support is not available to traditional Slack apps.

If your workspace app is not marked as distributed and is only installed in its "home workspace," then enabling token rotation is optional but encouraged.

If your workspace app is already marked as distributed, you have until January 15, 2019 to implement and turn on token rotation.

If you enable distribution for any workspace app, token rotation becomes required for it.

When is this happening?

Token expiration, refresh tokens, and our OAuth 2.0 token refresh flow are all available now.

Existing workspace apps with distribution enabled have until January 15, 2019. Grandfathering will expire then and token rotation will be required.

Keep those tokens rotating!
