1

I have a question about the top-level access token that is returned after the "Add to Slack" button is clicked and consent is granted.

This is the JSON response:

{
    "access_token": "xoxp-XXXXXXXX-XXXXXXXX-XXXXX",
    "scope": "incoming-webhook,commands,bot",
    "team_name": "Team Installing Your Hook",
    "team_id": "XXXXXXXXXX",
    "incoming_webhook": {
        "url": "https://hooks.slack.com/TXXXXX/BXXXXX/XXXXXXXXXX",
        "channel": "#channel-it-will-post-to",
        "configuration_url": "https://teamname.slack.com/services/BXXXXX"
    },
    "bot":{
        "bot_user_id":"UTTTTTTTTTTR",
        "bot_access_token":"xoxb-XXXXXXXXXXXX-TTTTTTTTTTTTTT"
    }
}

In the documentation (https://api.slack.com/docs/slack-button), the only place that mentions the top-level access_token is "Use the top-level access_token value for other integration points."

Could you please give some examples of how the top-level access_token will be used?

Erik Kalkoken
user3709284

1 Answer

2

This is the standard response from Slack after a successful installation of your app to a Slack workspace, e.g. via the "Add to Slack" button.

You get two tokens, which have different meanings:

  • access_token: This is called the user token. It allows your app to work directly on behalf of users, based on the OAuth scopes they award to your app. For example, it can upload files on behalf of the user who installed the app. You always get this token if you install a Slack app.

  • bot_access_token: bot token, which allows your app to work on behalf of its bot user and always has the bot scope. You only get this token if your app includes a bot user.

If you have both tokens, I would recommend using the bot token primarily, because that way all your actions will clearly show as being related to your app.

Note that not all API methods work with a bot token. (Check the documentation of your API method to find out which token works.)

Erik Kalkoken
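The token handling described in the answer above, as an added example that is not part of the original answer or Slack's own code: it parses an install response shaped like the one in the question, prefers the bot token, falls back to the user token only for methods the caller lists as user-token-only, and redacts tokens before logging. The sample response, the method names `example.userOnly` and `example.any`, and the prefix checks (taken from the `xoxp-`/`xoxb-` values shown in the question) are assumptions.

```python
import json

# Constructed sample shaped like the response in the question; tokens are fake.
SAMPLE = json.loads("""{
  "access_token": "xoxp-0000-EXAMPLE",
  "scope": "incoming-webhook,commands,bot",
  "team_id": "T0EXAMPLE",
  "bot": {"bot_user_id": "U0EXAMPLE", "bot_access_token": "xoxb-0000-EXAMPLE"}
}""")


def extract_tokens(resp):
    """Return {'user': ..., 'bot': ...}; 'bot' is None when the app has no bot user."""
    user = resp.get("access_token")
    # Assumption: user tokens start with xoxp-, as in the question's sample.
    if not isinstance(user, str) or not user.startswith("xoxp-"):
        raise ValueError("missing or malformed top-level access_token")
    bot = (resp.get("bot") or {}).get("bot_access_token")
    # Assumption: bot tokens start with xoxb-, as in the question's sample.
    if bot is not None and not (isinstance(bot, str) and bot.startswith("xoxb-")):
        raise ValueError("malformed bot_access_token")
    return {"user": user, "bot": bot}


def token_for(method, tokens, user_only_methods):
    """Prefer the bot token; use the user token only where it is required.

    user_only_methods is supplied by the caller from the API documentation;
    the names used with it here are hypothetical placeholders.
    """
    if method in user_only_methods or tokens["bot"] is None:
        return "user", tokens["user"]
    return "bot", tokens["bot"]


def redact(token):
    """Keep only the type prefix so a log line never holds a usable credential."""
    return token.split("-", 1)[0] + "-[redacted]"


if __name__ == "__main__":
    toks = extract_tokens(SAMPLE)
    for method in ("example.any", "example.userOnly"):
        kind, tok = token_for(method, toks, {"example.userOnly"})
        print(f"{method}: using {kind} token {redact(tok)}")
```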