Skip to content

Slack Token

Service Name: Slack

Service Description: Slack is a business communication platform offering many IRC-style features, including persistent chat rooms (channels) organized by topic, private groups, and direct messaging, as well as voice and video calls.

Service Address: https://slack.com/

Validation Type: API Auth

IP Allow list: IP restrictions are available at the workspace level through Enterprise Grid plans.

Secret Access Scope: Grants programmatic access to Slack workspaces, allowing operations like sending messages, accessing channels, and interacting with users based on the token's scopes.

Secret Revokement URL: https://slack.com/help/articles/215770388-Manage-API-tokens

Secret Example: xoxp-1234567890-1234567890-1234567890-abcdef1234567890abcdef1234567890

Suspicious Activity Investigation Instructions:

  • Review Slack audit logs for unusual activity (Admin dashboard > Tools > Audit logs).
  • Check for unauthorized messages or file uploads from the token.
  • Verify if the token has been used from unusual IP addresses or locations.
  • Review the apps and integrations connected to your Slack workspace.
  • Check for any data exports or unusual API calls made with the token.

Mitigation Instructions:

  • Immediately revoke the compromised token by going to your Slack App's management page.
  • For user tokens: Have the user visit api.slack.com/apps and revoke the token.
  • For bot tokens: Go to the app management page, select the app, and regenerate the token.
  • Review and adjust the scopes assigned to the application to follow the Principle of Least Privilege.
  • Enable IP restrictions for your Slack workspace if available on your plan.
  • Implement token rotation practices for your Slack applications.
  • Consider implementing Slack Enterprise Key Management for additional security.