Skip to content

Slack Socket Mode App Token

Service Name: Slack

Service Description: Slack is a messaging app for business that connects people to the information they need. By bringing people together to work as one unified team, Slack transforms the way organizations communicate.

Service Address: https://slack.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the workspace level by Enterprise Grid customers.

Secret Access Scope: Socket Mode App Tokens (xapp-) allow your app to receive events and interactive payloads over a WebSocket connection instead of HTTP, enabling apps to run behind a firewall without exposing public endpoints.

Secret Revokement URL: https://api.slack.com/apps > Select your app > Settings > Basic Information > App-Level Tokens > Revoke

Secret Example: xapp-1-A03GTNVFAGE-3256147388484- 9a1f3c18ef086a1eb402e24abb8eb98d7aa0abaf89f21659ddcf1b1dd85b2677

Suspicious Activity Investigation Instructions:

  • Review the Slack Admin dashboard for unusual app installations or authorizations
  • Check the app's event subscriptions and permissions in the Slack API dashboard
  • Monitor WebSocket connection logs for unusual connection patterns or locations
  • Review audit logs in Slack for actions performed by the app
  • Check for unexpected bot messages or interactions in channels

Mitigation Instructions:

  • Immediately revoke the compromised Socket Mode App Token through the Slack API dashboard
  • Generate a new Socket Mode App Token if the app is still needed
  • Review and potentially restrict the app's OAuth scopes and permissions
  • Update your application code to use the new token
  • Consider implementing IP restrictions if you're on an Enterprise Grid plan
  • Review other apps and integrations for potential security issues
  • Enable additional security features like two-factor authentication for all workspace admins