There are more than a few things called "tokens" in the Slack platform. It's easy to conflate them or to misunderstand the deep, almost spiritual purpose of each type.
Prepare for token string values up to 255 characters long.
User tokens allow you to work directly on behalf of users, based on the OAuth scopes they award to your app.
Bot user tokens are special and require a bot user and the
Workspace tokens are part of our team-based Slack apps developer preview. They are agents for everything your app can do for a particular team.
Legacy tokens, scopes, and methods are better left to the past.
Verification tokens aren't like other tokens. Use them to validate requests coming from Slack.
User tokens represent workspace members. They are issued for the user who installed the app and for users who authenticate the app. When your app asks for OAuth scopes, they are applied to user tokens. You can use these tokens to take actions on behalf of users.
(channels:history grants a user token access to channels.history for any public channel)
Bot user tokens represent a bot associated with the app installed in a workspace. Bot user tokens are provided only if the app includes a bot user and explicitly asks for the bot OAuth scope during installation. Bots are generally associated with conversational apps but they can do more than that (and bot-less apps can be conversational, too).
bot requested during the OAuth installation flow have no effect on the bot user token
auth.revoke does not uninstall the bot user. A new token may be obtained via OAuth or, for internal integrations, your app management console.
The new world is made possible with a single kind of token that represents all of your app's interactions, bot or otherwise, with a single team.
This feature is exclusive to our workspace apps developer preview.
These tokens are typically associated with custom integrations and early Slack integrations requiring an ambiguous "API token." They are generated using the legacy token generator and we discourage their use for much of anything beyond testing. They take on the full operational scope of the user that created them. If you're building a tool for your own team, we encourage creating an internal integration with only the scopes it needs to work.
Slack dispatches a request that lands on your server. You need a way to identify that it really came from Slack. So every Slack app has a verification token that acts as a shared secret between your app and Slack. This verification token has nothing to do with any other kind of token on Slack. It's never needed for any API operations your app sends to Slack. Its only use case is to securely identify traffic coming from Slack.
Don't confuse verification tokens with an OAuth token, user token (xoxp), bot user token (xoxb), gossip girl token (xoxo), or workspace token (xoxa). The only relation is the word "token."
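The shared-secret check described above, sketched as an added example (not Slack's code and not part of the original page). It assumes the verification token arrives in a `token` field of the request body, either form-encoded, as JSON, or as JSON nested in a `payload` form field; the token value and sample requests are constructed placeholders.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed placeholder; load the real value from your app's configuration.
VERIFICATION_TOKEN = "EXAMPLE-verification-token"
MAX_TOKEN_LEN = 255  # the page's stated upper bound for token strings


def extract_token(body: bytes, content_type: str):
    """Return the `token` field of a request body, or None if absent or unparseable."""
    try:
        text = body.decode("utf-8")
        if content_type.startswith("application/json"):
            data = json.loads(text)
        else:
            form = {k: v[0] for k, v in parse_qs(text).items()}
            # Assumption: some requests nest a JSON document in a `payload` field.
            data = json.loads(form["payload"]) if "payload" in form else form
    except ValueError:  # covers bad UTF-8 and malformed JSON
        return None
    token = data.get("token") if isinstance(data, dict) else None
    return token if isinstance(token, str) else None


def is_from_slack(body: bytes, content_type: str,
                  expected: str = VERIFICATION_TOKEN) -> bool:
    """Accept a request only if it carries the app's verification token."""
    token = extract_token(body, content_type)
    if not token or len(token) > MAX_TOKEN_LEN:
        return False  # missing or oversized token: reject before comparing
    # Constant-time comparison avoids leaking how much of the secret matched.
    return hmac.compare_digest(token.encode(), expected.encode())


# Constructed sample requests.
FORM = "application/x-www-form-urlencoded"
SLASH = b"token=EXAMPLE-verification-token&command=%2Fweather&text=94070"
EVENT = b'{"token": "EXAMPLE-verification-token", "type": "event_callback"}'
NESTED = b"payload=%7B%22token%22%3A%22EXAMPLE-verification-token%22%7D"
FORGED = b"token=guessed-value&command=%2Fweather"
MISSING = b"command=%2Fweather&text=94070"

if __name__ == "__main__":
    for name, body, ctype in [("slash", SLASH, FORM), ("event", EVENT, "application/json"),
                              ("forged", FORGED, FORM), ("missing", MISSING, FORM)]:
        print(name, is_from_slack(body, ctype))
```

Run the check before any other handling of the request, and never send the verification token in calls your app makes to Slack.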