Go to Slack


This method attaches Slack app unfurl behavior to a specified and relevant message. A user token is required as this method does not support bot user tokens.

The first time this method is executed with a particular ts and channel combination, the valid unfurls attachments you provide will be attached to the message. Subsequent attempts with the same ts and channel values will modify the same attachments, rather than adding more.


This method has the URL https://slack.com/api/chat.unfurl and follows the Slack Web API calling conventions.

Argument Example Required Description
token xxxx-xxxxxxxxx-xxxx Required

Authentication token.
Requires scope: links:write

channel C1234567890 Required

Channel ID of the message

ts   Required

Timestamp of the message to add unfurl behavior to

unfurls   Required

JSON mapping a set of URLs from the message to their unfurl attachments

user_auth_required true Optional, default=0

Set to true or 1 to indicate the user must install your Slack app to trigger unfurls for this domain

The provided ts value must correspond to a message in the specified channel. Additionally, the message must contain a fully-qualified URL pointing to a domain that is already registered and associated with your Slack app.

The unfurls parameter expects a URL-encoded string of JSON. Unlike chat.postMessage's attachments parameter, it does not expect a JSON array but instead, a hash keyed on the specific URLs you're offering an unfurl for. Each URL can have a single attachment, including message buttons.

Consult the unfurling docs for more guidance on this parameter.

The user_auth_required parameter is optional and requires that the user posting the link to authenticate with your app first. See authenticated unfurls.


    "ok": true

As you can see, we provide a minimal positive response when your unfurl attempt is successful. When it is not, you'll receive one of the errors below and ok will not be false.


This table lists the expected errors that this method could return. However, other errors can be returned in the case where the service is down or other unexpected factors affect processing. Callers should always check the value of the ok params in the response.

Error Description

No authentication token provided.


Invalid authentication token.


Authentication token is for a deleted user or team.


This method cannot be called by a bot user.


The method was passed an argument whose name falls outside the bounds of common decency. This includes very long names and names with non-alphanumeric characters other than _. If you get this error, it is typically an indication that you have made a very malformed API call.


The method was passed a PHP-style array argument (e.g. with a name like foo[7]). These are never valid with the Slack API.


The method was called via a POST request, but the charset specified in the Content-Type header was invalid. Valid charset names are: utf-8 iso-8859-1.


The method was called via a POST request with Content-Type application/x-www-form-urlencoded or multipart/form-data, but the form data was either missing or syntactically invalid.


The method was called via a POST request, but the specified Content-Type was invalid. Valid types are: application/x-www-form-urlencoded multipart/form-data text/plain.


The method was called via a POST request and included a data payload, but the request did not include a Content-Type header.


The team associated with your request is currently undergoing migration to an Enterprise Organization. Web API and other platform operations will be intermittently unavailable until the transition is complete.


The method was called via a POST request, but the POST data was either missing or truncated.


This table lists the expected warnings that this method will return. However, other warnings can be returned in the case where the service is experiencing unexpected trouble.

Warning Description

The method was called via a POST request, and recommended practice for the specified Content-Type is to include a charset parameter. However, no charset was present. Specifically, non-form-data content types (e.g. text/plain) are the ones for which charset is recommended.


The method was called via a POST request, and the specified Content-Type is not defined to understand the charset parameter. However, charset was in fact present. Specifically, form-data content types (e.g. multipart/form-data) are the ones for which charset is superfluous.