
Types of tokens

There are more than a few things called "tokens" in the Slack platform. It's easy to conflate them or to misunderstand the deep, almost spiritual purpose of each type.

Meet the tokens

User tokens allow you to work directly on behalf of users, based on the OAuth scopes they award to your app.

Workspace tokens are part of our team-based Slack apps developer preview. They are agents for everything your app can do for a particular team.

Verification tokens aren't like other tokens. Use them to validate requests originating from Slack.

User tokens

User tokens represent the user that installed the app. When your app asks for OAuth scopes, they are applied to this token, and all actions taken with the token are as if the user is making the API call via the app.

  • User token strings begin with xoxp-
  • User tokens gain the "old world" resource-based OAuth scopes requested in the installation process (example: asking for channels:history grants a user token access to channels.history for any public channel)
  • User tokens represent the same access a user has to a team -- the channels, conversations, users, reactions, etc. they can see
  • Write actions with user tokens are performed as the user having taken the action themselves

API methods, Events, and other platform features that work with user-based tokens are marked with icons like:

Bot user tokens

Bot user tokens represent a "bot user" belonging to the app that was installed into the team. Bot user tokens are only provided to an app if a "bot user" record is associated with the app and the app explicitly asks for the bot OAuth scope during installation. Bot user tokens are generally associated with conversational apps, though any app can be conversational and bot user tokens can be used for more than just conversation.

  • Bot user token strings begin with xoxb-
  • Bot user tokens represent an immutable package of permissions against a specific team
  • Bot user tokens can't have resource-based OAuth scopes added to them; any scopes other than bot requested during the OAuth installation flow have no effect on the bot user token
  • "Bots" typically switch between using both a bot user token and any number of user tokens to complete their operations

Workspace tokens

The new world is made possible with a single kind of token that represents all of your app's interactions, bot or otherwise, with a single team.

Developer preview

This feature only applies to the workspace token-based Slack app developer preview, currently under active development.

  • Workspace token strings begin with xoxa-.
  • Workspace tokens are the only tokens you need for a team in the new world
  • Bot users and bot user tokens are not part of the new world; their capabilities are smooshed into the workspace tokens
  • No requests are made on behalf of users with workspace tokens; everything originates from your app
  • OAuth scopes negotiated during the OAuth installation process or through the Permissions API are applied directly to your workspace token
  • Whatever your app can do with a team, your workspace token makes possible

See working with workspace tokens and the Permissions API to learn more.

Legacy tokens

These tokens are typically associated with custom integrations and early Slack integrations requiring an ambiguous "API token." They are generated using the legacy token generator and we discourage their use for much of anything beyond testing. They take on the full operational scope of the user that created them. We encourage creating an internal integration instead and requesting only the scopes your script, app, or whatever needs to function.

Verification tokens

Slash commands, Events API deliveries, and interactive messages all have one thing in common:

Slack dispatches a request that lands on your server. You need a way to identify that it really came from Slack. So every Slack app has a verification token that acts as a shared secret between your app and Slack. This verification token has nothing to do with any other kind of token on Slack. It's never needed for any API operations your app sends to Slack. Its only use case is to securely identify traffic coming from Slack.

Don't confuse verification tokens with an OAuth token, user token (xoxp), bot user token (xoxb), gossip girl token (xoxo), or workspace token (xoxa). The only relation is that token word "token."
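
The check described in the two paragraphs above, as an added example that is not part of Slack's own documentation or code. It assumes the token arrives in the token field of a slash command's form body or an Events API JSON body, or inside the payload JSON of an interactive message; the function names and sample values are constructed for illustration.

```python
import hmac
import json
from urllib.parse import parse_qs

# API token prefixes listed on this page; a verification token has none of them.
API_TOKEN_PREFIXES = {"xoxp-": "user", "xoxb-": "bot user", "xoxa-": "workspace"}

def api_token_kind(value):
    """Return the API token type named by the prefix, or None."""
    for prefix, kind in API_TOKEN_PREFIXES.items():
        if value.startswith(prefix):
            return kind
    return None

def extract_token(content_type, body):
    """Pull the verification token out of a raw request body (bytes)."""
    try:
        if content_type.startswith("application/json"):   # Events API delivery
            data = json.loads(body)
            token = data.get("token") if isinstance(data, dict) else None
        else:                                             # form-encoded body
            form = parse_qs(body.decode("utf-8"))
            if "payload" in form:                         # interactive message
                token = json.loads(form["payload"][0]).get("token")
            else:                                         # slash command
                token = form.get("token", [None])[0]
    except (ValueError, AttributeError):                  # malformed body
        return None
    return token if isinstance(token, str) else None

def is_from_slack(content_type, body, expected):
    """True only when the request carries the app's verification token."""
    if not expected or api_token_kind(expected):
        # Guards against configuring an xoxp-/xoxb-/xoxa- token by mistake.
        raise ValueError("configured secret is empty or is an API token")
    token = extract_token(content_type, body)
    if token is None:
        return False
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(token.encode("utf-8", "surrogatepass"),
                               expected.encode("utf-8"))

# Constructed sample values, not real Slack traffic or secrets.
SAMPLE_SECRET = "constructed-verification-token"
SAMPLE_SLASH = b"token=constructed-verification-token&command=%2Fweather"
SAMPLE_EVENT = b'{"token": "constructed-verification-token", "type": "event_callback"}'
SAMPLE_ACTION = b"payload=%7B%22token%22%3A%22constructed-verification-token%22%7D"
```

Requests that fail the check should be rejected before any handler logic runs.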