slack-auth-security_skill

This skill helps secure Slack app authentication by guiding OAuth, token management, scope configuration, and production best practices.
  • Go

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill linehaul-ai/linehaulai-claude-marketplace --skill slack-auth-security

  • SKILL.md5.1 KB

Overview

This skill explains OAuth flows, token management, and security best practices for building and operating Slack apps. It focuses on practical guidance for multi-workspace installs, secure token storage and rotation, scopes and permissions, and runtime protections. The content is language-agnostic but includes Go idioms and examples for common patterns.

How this skill works

The skill inspects common OAuth patterns (bot vs user tokens), token lifecycle actions (issue, store, rotate), and workspace-specific token handling. It outlines verification steps for incoming Slack requests, HTTPS requirements, rate limiting, and manifest-driven app configuration. It also details where to apply scopes and how to separate tokens per team for multi-workspace installations.

When to use it

  • Implementing OAuth authorization and token exchange for Slack apps
  • Designing token storage, rotation, and encryption strategies
  • Distributing apps to multiple workspaces and managing per-team tokens
  • Configuring and auditing app scopes and permissions before production
  • Hardening request handling (signing verification, HTTPS, rate limiting)

Best practices

  • Prefer bot tokens (xoxb-) for most automated actions; use user tokens (xoxp-) only when acting on a user’s behalf
  • Never hardcode tokens; use environment variables for dev and secrets managers (Vault, AWS Secrets Manager) in production
  • Verify Slack request signatures and timestamps on every inbound request to prevent replay and spoofing
  • Encrypt tokens at rest and rotate credentials periodically; automate rotation and update stored secrets atomically
  • Serve webhooks and OAuth redirects only over HTTPS and limit exposed error details to avoid leaking secrets
  • Implement per-user or per-team rate limiting and audit logging to detect abuse and support incident response

Example use cases

  • Exchange authorization codes during the OAuth flow and persist a workspace-specific bot token
  • Rotate a bot token programmatically and update the secret store without downtime
  • Apply minimal scopes for messaging and channel reads when publishing to the App Directory
  • Validate incoming event and command requests using Slack signing secrets to reject forged requests
  • Store and retrieve tokens keyed by team ID to support multi-workspace installations and per-team API clients

FAQ

No. Store a separate token record per workspace (team ID). This isolates access, simplifies revocation, and makes audit trails clear.

When to use bot vs user tokens?

Use bot tokens for automated actions and app functionality. Use user tokens only for actions that must run explicitly as the user and require delegated scopes.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
slack-auth-security skill by linehaul-ai/linehaulai-claude-marketplace | VeilStrat