Adding Slack provisions a resource (the upstream Slack API at https://slack.com/api, with default scopes pre-set) and a provider for Slack’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Slack resource.
Your application calls Keycard’s token-exchange endpoint with the user’s identity, gets back a token scoped to this resource, and uses it to call Slack directly. Identity, policy, and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.
Scopes
OAuth permissions Keycard requests on install. Override or add scopes in Console.
- chat:write (default)
- channels:read (default)
- users:read (default)
- app_mentions:read
- assistant:write
- bookmarks:read
- bookmarks:write
- calls:read
- calls:write
- canvases:read
- canvases:write
- channels:history
- channels:join
- channels:manage
- channels:write.invites
- channels:write.topic
- chat:write.customize
- chat:write.public
- commands
- conversations.connect:manage
- conversations.connect:read
- conversations.connect:write
- datastore:read
- datastore:write
- dnd:read
- emoji:read
- files:read
- files:write
- groups:history
- groups:read
- groups:write
- groups:write.invites
- groups:write.topic
- im:history
- im:read
- im:write
- im:write.topic
- incoming-webhook
- links:read
- links:write
- links.embed:write
- lists:read
- lists:write
- metadata.message:read
- mpim:history
- mpim:read
- mpim:write.topic
- pins:read
- pins:write
- reactions:read
- reactions:write
- reminders:read
- reminders:write
- remote_files:read
- remote_files:share
- remote_files:write
- search:read.enterprise
- search:read.files
- search:read.public
- search:read.private
- search:read.mpim
- search:read.im
- search:read.users
- team:read
- team.billing:read
- team.preferences:read
- tokens.basic
- triggers:read
- triggers:write
- usergroups:read
- usergroups:write
- users:read.email
- users:write
- users.profile:read
- workflows.templates:read
- workflows.templates:write
Use Slack from your code
Call Slack from your application with a Keycard-issued token scoped to this resource.
After installing Slack, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.
```python
from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# user_access_token is the signed-in user's Keycard access token,
# supplied by your application.

# Exchange the user's Keycard token for a Slack token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://slack.com/api",
    )

# Call Slack directly with the exchanged token.
r = requests.get(
    "https://slack.com/api/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)
```

```typescript
import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

// userAccessToken is the signed-in user's Keycard access token,
// supplied by your application.
const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://slack.com/api",
});

// Call Slack directly with the exchanged token.
const res = await fetch("https://slack.com/api/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});
```

See the OAuth SDK → Token Exchange reference for the full client API.
Register your OAuth credentials with Keycard so the resource can issue tokens.
Create a Slack app
- Go to the Slack API Dashboard
- Click Create New App → From scratch
- Enter an app name and select the workspace you want to develop against
- Click Create App
Set the redirect URL
- In OAuth & Permissions, scroll to Redirect URLs
- Click Add New Redirect URL
- Enter the redirect URI provided by Keycard
- Click Save URLs
Get credentials
- In Basic Information, scroll to App Credentials
- Note the Client ID and Client Secret
Register in Keycard
- Open Keycard Console → your zone → Resources
- Click Explore Resources
- Find and click Slack in the catalog
- In the configuration dialog:
  - Enter the Client ID and Client Secret from your Slack app
  - Review the User scopes - the defaults (chat:write, channels:read, users:read) are pre-populated
- Click Add Slack API
Configure the Slack provider
After adding the resource, go to the Slack provider settings and expand Advanced options. Slack’s OAuth v2 API uses non-standard parameter names, so you must set the following values:
| Setting | Value |
|---|---|
| Scope Parameter | user_scope |
| Scope Separator | , (comma) |
| Access Token Path | authed_user.access_token |
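What the three settings above change in the OAuth exchange, as an added example (not Keycard's code). The helper names, the `STANDARD` comparison profile (generic OAuth 2.0 conventions) and the sample token response are constructed for illustration; the authorize URL is Slack's public v2 endpoint.

```python
from urllib.parse import urlencode

SLACK_AUTHORIZE_URL = "https://slack.com/oauth/v2/authorize"

# The three Advanced options from the table above.
SLACK_PROVIDER = {"scope_parameter": "user_scope", "scope_separator": ",",
                  "access_token_path": "authed_user.access_token"}
# Generic OAuth 2.0 conventions, for comparison (assumed, not Keycard's documented defaults).
STANDARD = {"scope_parameter": "scope", "scope_separator": " ",
            "access_token_path": "access_token"}

def build_authorize_url(client_id, redirect_uri, scopes, state, cfg):
    """Send the scopes under the configured parameter name, joined by the configured separator."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        cfg["scope_parameter"]: cfg["scope_separator"].join(scopes),
    }
    return f"{SLACK_AUTHORIZE_URL}?{urlencode(query)}"

def extract_access_token(token_response, cfg):
    """Walk the dotted path and fail closed if a segment is missing or the value is empty."""
    node = token_response
    for key in cfg["access_token_path"].split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"'{key}' missing on path {cfg['access_token_path']}")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError("value at the access token path is not a non-empty string")
    return node

# Constructed sample shaped like Slack's oauth.v2.access response for a user-scope grant.
SAMPLE_TOKEN_RESPONSE = {
    "ok": True,
    "app_id": "A0EXAMPLE",
    "authed_user": {
        "id": "U0EXAMPLE",
        "scope": "chat:write,channels:read,users:read",
        "access_token": "xoxp-constructed-example",
        "token_type": "user",
    },
    "team": {"id": "T0EXAMPLE"},
}
```

With the `STANDARD` profile the same response yields no token at all, because a user-scope grant carries its token only under `authed_user`.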
Troubleshooting
Common errors when wiring Slack into your zone.
Error: invalid_auth
The token is invalid or has been revoked. Reconnect the provider in Keycard Console. If the issue persists, check that the app is still installed in the workspace.
Error: missing_scope
The token doesn’t have the required scopes. Verify the scopes configured in both Slack’s app settings and your Keycard resource match. You may need to reinstall the app to pick up new scopes.
Error: not_allowed_token_type
You may be using a bot token where a user token is expected, or vice versa. Check the scope type (Bot vs User) in your Slack app configuration.
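Slack's Web API reports these errors in the JSON body with `ok: false` while the HTTP status is still 200, so checking the status code alone misses them. The following added example (not from the Keycard SDK) parses the body, maps the three errors above to their remediation, and for `missing_scope` diffs Slack's `needed` and `provided` fields; `SlackAPIError`, `parse_slack_body` and the sample bodies are constructed for illustration.

```python
import json

# Remediation hints paraphrased from the troubleshooting entries above.
REMEDIATION = {
    "invalid_auth": "reconnect the provider in Keycard Console; check the app is still installed",
    "missing_scope": "match scopes in the Slack app and the Keycard resource, then reinstall",
    "not_allowed_token_type": "check the scope type (Bot vs User) in the Slack app configuration",
}

class SlackAPIError(Exception):
    def __init__(self, error, hint, missing=()):
        super().__init__(f"{error}: {hint}")
        self.error = error
        self.hint = hint
        self.missing = tuple(missing)  # scopes Slack needed but the token lacks

def _scope_set(value):
    """Slack sends scope lists as a comma-separated string."""
    return {s.strip() for s in (value or "").split(",") if s.strip()}

def parse_slack_body(body_text):
    """Return the parsed body on success; raise SlackAPIError when ok is not true."""
    body = json.loads(body_text)
    if body.get("ok") is True:
        return body
    error = body.get("error", "unknown_error")
    missing = ()
    if error == "missing_scope":
        missing = sorted(_scope_set(body.get("needed")) - _scope_set(body.get("provided")))
    hint = REMEDIATION.get(error, "not covered by the troubleshooting list above")
    raise SlackAPIError(error, hint, missing)

# Constructed sample bodies, each as it would arrive with HTTP 200.
SAMPLE_OK = '{"ok": true, "channels": []}'
SAMPLE_MISSING_SCOPE = (
    '{"ok": false, "error": "missing_scope", '
    '"needed": "chat:write", "provided": "channels:read,users:read"}'
)
SAMPLE_WRONG_TOKEN_TYPE = '{"ok": false, "error": "not_allowed_token_type"}'
```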
Related
- Catalog overview - browse other API and MCP servers
- Access policies - control who can use Slack
- Identity providers - control who can sign in