New and Improved OAuth Scopes
If you’ve ever built something with the Slack API, you know that our OAuth scopes have been very open, and in fact they mirror the permissions of a Slack user’s account. That’s swell if your app needs to access a broad data set. However, for apps that do simple tasks (like uploading files, accessing starred items, or listing users on a team), these general scopes tend to go beyond what’s needed. We’re all familiar with the principle of least privilege — there must be a better solution!
Your New Building Blocks
Today, we’re releasing 27 granular OAuth scopes that let you choose precisely the access you need. The scopes should seem immediately familiar because they’re based on all of the things you know and use in Slack, like files, channels, and users. Even better, for each scope option, you can choose whether you just want read access to it (like fetching a list of channels) or modify access as well (like renaming channels or creating new ones).
To revisit our earlier example, with the new OAuth scopes, you’d need only the following scopes:
- upload files: files:write:user
- access starred items: stars:read
- list users on a team: users:read
And of course, you can mix and match the new scopes any way you’d like. So, if your app needs to list channels, upload files, and send messages, you’d use channels:read files:write chat:write as your scope during OAuth. For the full breakdown of what scopes are available, have a look at the OAuth API documentation. If you have an app using the older generation of scopes, we have good news! Your app will continue to work just as splendidly as it did before, and we’re working on a tool to help you seamlessly migrate your current users over to the new scopes if you decide you’d prefer that option.
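Here is one way to put that into practice, as an added example that is not Slack's own code: it builds the space-separated scope parameter from the tasks listed above, then audits the scopes a token actually carries for anything missing, unneeded, or not in granular form. The function names, the sample client ID and state, the comma-or-space format of the granted scope field, and the standard OAuth 2.0 parameter names (client_id, scope, state) are assumptions, not taken from this post.

```python
from urllib.parse import urlencode

# The two special scopes named in this post; they carry no access suffix.
SPECIAL_SCOPES = {"incoming-webhook", "commands"}

# Task -> scope pairs taken from the post's own examples.
TASK_SCOPES = {
    "upload files": "files:write:user",
    "access starred items": "stars:read",
    "list users on a team": "users:read",
}


def classify(scope):
    """Return 'special', 'granular' (resource:access[:qualifier]) or 'broad'."""
    if scope in SPECIAL_SCOPES:
        return "special"
    parts = scope.split(":")
    if len(parts) in (2, 3) and all(parts):
        return "granular"
    return "broad"  # assumption: anything else is an older, account-wide scope


def scopes_for(tasks):
    """Smallest scope list covering the given tasks, sorted for stable output."""
    return sorted({TASK_SCOPES[task] for task in tasks})


def authorize_query(client_id, scopes, state):
    """Query string for the authorization request; scopes are space-separated."""
    return urlencode({"client_id": client_id, "scope": " ".join(scopes), "state": state})


def audit_grant(needed, granted_field):
    """Compare the scopes a token carries with what the app needs.

    granted_field may be comma- or space-separated (assumed response format).
    """
    granted = set(granted_field.replace(",", " ").split())
    return {
        "missing": sorted(set(needed) - granted),
        "excess": sorted(granted - set(needed)),
        "broad": sorted(s for s in granted if classify(s) == "broad"),
    }


if __name__ == "__main__":
    needed = scopes_for(TASK_SCOPES)  # all three tasks from the post
    print(authorize_query("C123.constructed", needed, "constructed-state"))
    print(audit_grant(needed, "files:write:user,stars:read,read"))  # constructed grant
```

Running the audit at install time and again whenever the app's feature set changes catches tokens that still carry more access than the app uses.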
Incoming Webhooks and Slash Commands
These improved scopes can also be mixed in with two new special scopes introduced with the Slack Button. Both scopes greatly streamline installation — users install your app on their team by simply clicking an Add to Slack button, skipping the need for copying and pasting auth keys.
The incoming-webhook scope allows your app to post content into a channel of the team’s choosing. This is great for apps that want to send notifications into Slack. To learn more about how this can be used and to see some examples of companies already using this, read this Slack Button announcement or our API documentation for incoming webhooks.
The brand new commands scope, just launched today, will allow your app to install slash commands on Slack teams via OAuth, streamlining user onboarding. This will allow your app to respond immediately to messages within a team and to post content back into the channels. Slash commands make users feel powerful: right within Slack they can trigger actions like requesting a Lyft. We can’t wait to see what you do with our new features. Our Slash Commands announcement post has examples of the feature in action and our newly updated slash command API documentation has all the technical details.