More precision, fewer restrictions

Granular permissions now available for Slack apps

Slack API
Jan 21 · 4 min read
Illustration and design by Casey Labatt-Simon.

We recently introduced the Slack app toolkit — the happy path for building apps that anyone can easily discover, understand, and use in Slack.

Permissions, or the way apps request information in Slack, are the first component of the toolkit. We’ve redesigned the bot token with a revised permissions model called granular permissions. Now you can request only the information needed for your app to function and drive deeper adoption among security-conscious customers.

This year, we will require granular permissions for Slack apps listed in the App Directory. To learn more, read on.

Reducing scopes

Before granular permissions, apps using the bot token received a broad set of scopes; developers did not have a way to pick and choose the information their app actually accessed. Now, with granular permissions, you can specify the exact scopes needed for your app to function.

Imagine a Slack app for reporting and approving expenses. Before granular permissions, this app would have been issued a blanket set of scopes. In that world, below is what an admin would see when reviewing the app. You’ll notice this app requests access to information it probably doesn’t need — like `channels:history`, the ability to fetch the history of messages in a channel. As a result, an admin may be less likely to approve it.

An app that does not use granular permissions displays all scopes on the OAuth page.

Consider the same Slack app using granular permissions. A developer could select only what their app needs and exclude unneeded scopes, like `channels:history`, to get the benefit of a less-permissive app. You’ll notice the page is simpler to review — and less intimidating for the admin.

An app that uses granular permissions likely displays fewer scopes on the OAuth page.
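The scope reduction described above can be checked mechanically. The following is an added example, not code from Slack or from this post: it derives the smallest scope set from the Web API methods an app calls, flags granted scopes that exceed it, and builds an OAuth v2 authorize URL that requests only the needed scopes. The method-to-scope table, the expense app's method list, the granted scope string and the client ID placeholder are all assumptions constructed for illustration.

```python
from urllib.parse import urlencode

# Assumed subset of Slack Web API methods and the bot scope each one needs;
# check it against Slack's current method documentation before relying on it.
METHOD_SCOPES = {
    "chat.postMessage": "chat:write",
    "users.info": "users:read",
    "conversations.history": "channels:history",  # public channels only
}


def required_scopes(methods_used, extra=()):
    """Return the smallest scope set covering the methods the app calls."""
    unknown = [m for m in methods_used if m not in METHOD_SCOPES]
    if unknown:
        # Fail closed: an unmapped method must be reviewed, not silently ignored.
        raise ValueError(f"no scope mapping for: {unknown}")
    return {METHOD_SCOPES[m] for m in methods_used} | set(extra)


def audit(granted, methods_used, extra=()):
    """Compare a comma-separated granted scope string with what is needed."""
    have = {s.strip() for s in granted.split(",") if s.strip()}
    need = required_scopes(methods_used, extra)
    return {"excess": sorted(have - need), "missing": sorted(need - have)}


def authorize_url(client_id, scopes):
    """Build an OAuth v2 authorize URL requesting only the given bot scopes."""
    query = urlencode({"client_id": client_id, "scope": ",".join(sorted(scopes))})
    return "https://slack.com/oauth/v2/authorize?" + query


# Constructed sample: a hypothetical expense app that posts messages, looks up
# users and registers a slash command, but never reads channel history.
EXPENSE_APP_METHODS = ["chat.postMessage", "users.info"]
EXPENSE_APP_EXTRA = ["commands"]
GRANTED = "chat:write,users:read,commands,channels:history"

if __name__ == "__main__":
    print(audit(GRANTED, EXPENSE_APP_METHODS, EXPENSE_APP_EXTRA))
    needed = required_scopes(EXPENSE_APP_METHODS, EXPENSE_APP_EXTRA)
    print(authorize_url("CLIENT_ID_PLACEHOLDER", needed))
```

Run as a CI check, a non-empty `excess` list can fail the build, so a scope added for an experiment does not stay in the install request.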

Building for the enterprise

KARTE shares real-time customer insights in Slack.

The KARTE team’s priority was to drive adoption of their service, particularly among security-conscious customers. Using granular permissions enabled KARTE to request the minimum number of scopes and increase their likelihood of adoption within the enterprise.

KARTE uses granular permissions to list fewer scopes on the OAuth page.

Improving app reliability

For instance, Donut, a team-building app for Slack, gets installed once by a single person — but hundreds or thousands of people might use it within Slack to connect with their teammates.

Donut introduces two users in Slack, providing context and scheduling help.

Donut was initially built with a user token. Due to the limitations of that token type, when an app installer left their company, the Donut app automatically uninstalled. Now with granular permissions, the app will remain on a workspace without interruption.

Adding incremental scopes

Simple Poll, a polling app for Slack, previously elected to build on the user token. While the token was less permissive, it also meant that Simple Poll missed out on some of the functionality offered by the bot token. By migrating to granular permissions, Simple Poll can make updates to their app or request new scopes as needed.

By upgrading to granular permissions, Simple Poll is able to build new functionality, like recurring polls.

“An added benefit is that we’re aligning Simple Poll to the favored permissions model that will unlock future capabilities,” said Simple Poll founder, Wilhelm Klopp. “We want to be on the model that Slack is recommending and investing in.”

Getting started

Starting February 21, 2020, the App Directory will require newly submitted apps to use granular permissions. Existing Slack apps on the App Directory must update by the end of 2020. Refer to the migration guide to learn how to upgrade your app.

Thanks to your feedback, we are making ongoing improvements to granular permissions in the coming weeks. Continue to share with us by emailing feedback@slack.com.


Looking for hands-on support? Save your spot for the Slack app virtual hackathon today.
