Skip to content

Slack Token

Service Name: Slack

Service Description: Slack is a messaging app for business that connects people to the information they need. It transforms how organizations communicate by bringing people together to work as one unified team.

Service Address: https://slack.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the workspace level for Enterprise Grid customers.

Secret Access Scope: Grants programmatic access to Slack workspaces, allowing interaction with channels, messages, users, and other Slack resources based on the token's scopes.

Secret Revokement URL: https://slack.com/help/articles/215770388-Manage-API-tokens

Secret Example: xoxb-1234567890123-1234567890123-abcdefghijklmnopqrstuvwx

Suspicious Activity Investigation Instructions:

  • Review Slack audit logs for unusual API calls or access patterns.
  • Check for unauthorized app installations or integrations in your workspace.
  • Monitor for unusual message posting, channel creation, or user management activities.
  • Verify if the token was used from unusual geographic locations or IP addresses.
  • Review the scopes associated with the token to understand its potential access level.

Mitigation Instructions:

  • Navigate to the Slack API dashboard at https://api.slack.com/apps.
  • Select the app associated with the compromised token.
  • Go to the "OAuth & Permissions" section.
  • Click "Regenerate" next to the compromised token to invalidate it.
  • Alternatively, you can delete the entire app if it's no longer needed.
  • For bot tokens, you can also remove the app from your workspace through workspace settings.
  • Review and adjust the permissions scopes for any new tokens to follow the Principle of Least Privilege.
  • Consider implementing IP restrictions for API access if you're on an Enterprise Grid plan.