10

So, lately I've been playing around with the Slack API and I kind of figured out how to access the API using the keys available when I use Slack in Chrome. I'm able to access the conversations.history method and download messages. Anyone with API experience know if this is a normal thing? To be able to access the API with an App or standard authentication token (user tokens are prefixed xoxp-, bot tokens xoxb-, and workspace tokens xoxa-2; the token I was using was xoxc-). It seems kind of insecure, so my question is, are APIs always vulnerable like this? And, also, I'm guessing that I shouldn't be accessing it like this, and wondering if anyone has heard of people getting in trouble for this or if it's expected/ok?

dannylee8

1 Answer

10

This is the response I got from Slack regarding it.

Thanks for reaching out, I'd be happy to help.

To clarify, xoxc tokens are special tokens that are used by the web client. These tokens are cookie dependent, so even if the token is somehow stolen, it would not be very useful.

However, while we might not explicitly prevent it, using xoxc tokens for the API is not supported or recommended. Our API methods and scopes are meant to be used with Bot (xoxb) or User tokens (xoxp). Workspace tokens (xoxa) are now deprecated, as they were only available to create during a limited developer preview which has since ended. https://api.slack.com/authentication/token-types

As you continue to use the API, I'd recommend creating a Slack app and creating a properly scoped token as described here: https://api.slack.com/authentication/basics#scopes

I hope this helps clarify, but please let me know if you have any further questions.

dannylee8
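The practical takeaway from the answer is that a client should only ever send properly issued app tokens (xoxb-/xoxp-) to the Web API, and that a web-client xoxc- token turning up in a script, config file or log is a sign something is being used in an unsupported way. The following is an added example, not code from the thread or from Slack: it classifies tokens by the prefixes named above, refuses to build a conversations.history request for unsupported or deprecated token types, and scans text for token-like strings so a defender can find them in places they should not be. The endpoint URL and `Authorization: Bearer` header are the Slack Web API conventions as I know them; the sample log lines and token values are constructed placeholders.

```python
import re

# Token prefixes named in the thread; descriptions summarise the vendor reply above.
# Tuple: (kind, supported_for_web_api, note)
TOKEN_TYPES = {
    "xoxp-": ("user", True, "user token issued to a Slack app; supported for Web API calls"),
    "xoxb-": ("bot", True, "bot token issued to a Slack app; supported for Web API calls"),
    "xoxa-2-": ("workspace", False, "workspace token from the ended developer preview; deprecated"),
    "xoxc-": ("web-client", False, "web client session token; cookie-bound and not supported for the API"),
}

# Assumed Slack Web API endpoint for the method discussed in the question.
HISTORY_URL = "https://slack.com/api/conversations.history"

# Loose pattern for anything that looks like a Slack token (prefix plus body).
TOKEN_RE = re.compile(r"xox[a-z]-[A-Za-z0-9-]+")


def classify_slack_token(token):
    """Return (kind, supported, note) for a token based on its prefix."""
    for prefix, info in TOKEN_TYPES.items():
        if token.startswith(prefix):
            return info
    return ("unknown", False, "prefix not recognised; refuse rather than guess")


def history_request(token, channel):
    """Build (url, headers, params) for conversations.history with a supported
    app token. Raises ValueError for xoxc-, deprecated or unknown tokens.
    Nothing is sent; the caller passes the tuple to its HTTP client."""
    kind, supported, note = classify_slack_token(token)
    if not supported:
        raise ValueError(f"refusing {kind} token: {note}")
    return (
        HISTORY_URL,
        {"Authorization": f"Bearer {token}"},
        {"channel": channel},
    )


def mask(token):
    """Keep only the prefix and last four characters so findings can be logged safely."""
    return token[:5] + "***" + token[-4:]


def find_token_like_strings(text):
    """Scan text (a config dump, shell history, log) for token-like strings.
    Returns [(kind, masked_token), ...] in order of appearance."""
    findings = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        kind, _, _ = classify_slack_token(token)
        findings.append((kind, mask(token)))
    return findings


# Constructed sample input; none of these are real tokens.
SAMPLE_TEXT = """\
export SLACK_BOT_TOKEN=xoxb-000000000000-EXAMPLEbot
localStorage token: xoxc-000000000000-EXAMPLEwebclient
legacy: xoxa-2-000000000000-EXAMPLEws
"""

if __name__ == "__main__":
    for kind, masked in find_token_like_strings(SAMPLE_TEXT):
        print(f"{masked}: {kind}")
    url, headers, params = history_request("xoxb-000000000000-EXAMPLEbot", "C0000000000")
    print(url, params)
    try:
        history_request("xoxc-000000000000-EXAMPLEwebclient", "C0000000000")
    except ValueError as err:
        print("blocked:", err)
```

Wiring `history_request` in front of the HTTP client means a stray browser session token never reaches the API from your tooling, and running `find_token_like_strings` over repositories and CI logs surfaces web-client tokens that were copied out of Chrome as well as app tokens that should not have been committed.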