Slack

Communication

Send messages and interact with Slack workspaces

Slack developer console OAuth setup guide API docs

Installing Slack creates a resource for the upstream API and the OAuth provider Keycard needs to mint tokens for it. Your app calls Keycard’s token exchange, gets back a token scoped to Slack, and uses it to call the API directly. Every exchange is governed by your zone’s identity provider, access policies, and audit log - the OAuth client secret stays inside Keycard.

Scopes

SCOPES

OAuth permissions Keycard requests on install. Override or add scopes in Console.

chat:write: default
channels:read: default
users:read: default
app_mentions:read
assistant:write
bookmarks:read
bookmarks:write
calls:read
calls:write
canvases:read
canvases:write
channels:history
channels:join
channels:manage
channels:write.invites
channels:write.topic
chat:write.customize
chat:write.public
commands
conversations.connect:manage
conversations.connect:read
conversations.connect:write
datastore:read
datastore:write
dnd:read
emoji:read
files:read
files:write
groups:history
groups:read
groups:write
groups:write.invites
groups:write.topic
im:history
im:read
im:write
im:write.topic
incoming-webhook
links:read
links:write
links.embed:write
lists:read
lists:write
metadata.message:read
mpim:history
mpim:read
mpim:write.topic
pins:read
pins:write
reactions:read
reactions:write
reminders:read
reminders:write
remote_files:read
remote_files:share
remote_files:write
search:read.enterprise
search:read.files
search:read.public
search:read.private
search:read.mpim
search:read.im
search:read.users
team:read
team.billing:read
team.preferences:read
tokens.basic
triggers:read
triggers:write
usergroups:read
usergroups:write
users:read.email
users:write
users.profile:read
workflows.templates:read
workflows.templates:write

Install

INSTALL

Add Slack to your zone so your app can exchange tokens for it.

Step 1 - Start the install in Keycard Console

In your zone’s Keycard Console, go to Resources -> Explore Resources.
Search for Slack and click into the catalog entry.
The install dialog shows a Redirect URI. Copy it - you’ll paste it into Slack in Step 2. Leave this Keycard tab open.

Step 2 - Create the OAuth app for Slack

Create a Slack app

Go to the Slack API Dashboard
Click Create New App → From scratch
Enter an app name and select the workspace you want to develop against
Click Create App

Set the redirect URL

In OAuth & Permissions, scroll to Redirect URLs
Click Add New Redirect URL
Enter the redirect URI provided by Keycard
Click Save URLs

Get credentials

In Basic Information, scroll to App Credentials
Note the Client ID and Client Secret

Step 3 - Finish the install in Keycard Console

Switch back to the Keycard install dialog you left open in Step 1.
Paste the Client ID and Client Secret from Step 2.
Click Add Slack. The resource is provisioned and your app can start exchanging tokens for it.

Configure the Slack provider

After adding the resource, go to the Slack provider settings and expand Advanced options. Slack’s OAuth v2 API uses non-standard parameter names, so you must set the following values:

Setting	Value
Scope Parameter	`user_scope`
Scope Separator	`,` (comma)
Access Token Path	`authed_user.access_token`

Use Slack from your code

USE FROM CODE

Call Slack from your application with a Keycard-issued token scoped to this resource.

After installing Slack, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

Python
TypeScript

from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Slack token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://slack.com/api",
    )

# Call Slack directly with the exchanged token.
r = requests.get(
    "https://slack.com/api/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)

import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://slack.com/api",
});

// Call Slack directly with the exchanged token.
const res = await fetch("https://slack.com/api/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});

See the OAuth SDK → Token Exchange reference for the full client API.

Troubleshooting

TROUBLESHOOTING

Common errors when wiring Slack into your zone.

Error: invalid_auth

The token is invalid or has been revoked. Reconnect the provider in Keycard Console. If the issue persists, check that the app is still installed in the workspace.

Error: missing_scope

The token doesn’t have the required scopes. Verify the scopes configured in both Slack’s app settings and your Keycard resource match. You may need to reinstall the app to pick up new scopes.

Error: not_allowed_token_type

You may be using a bot token where a user token is expected, or vice versa. Check the scope type (Bot vs User) in your Slack app configuration.

Next steps

NEXT STEPS

What to do once Slack is installed.

Now do this

Call Slack from your code - see the Use Slack from your code section above for Python and TypeScript samples.

Recommended

Decide who can use it - write access policies scoped to the Slack resource so only the right users and apps reach the API.
Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.

Optional

End-to-end example - see the Slack agent tutorial for a working integration.