People trust Slack with how they communicate and collaborate at work. When they install your app, they extend that trust to you. Your app’s tokens, client secret, and signing secret each grant access to the Slack platform on your app’s behalf. Keeping them secure keeps your app secure.
Secure your users’ credentials
You already know to keep credentials out of source code and repositories. For development, you use local environment variables and keep your .env file in .gitignore. For production, you use a secrets management solution that injects credentials at build or run time rather than storing them alongside your code. Here are some more guidelines for responsibly managing your users’ data.
Slack uses OAuth to help manage secrets. This keeps the credential exchange server-side, away from email, client-side JavaScript, and native app bundles. Also make sure the redirect URIs in your app settings point only to domains you directly control. This way, authorization codes are only ever sent to infrastructure you own.
Only store tokens if your app genuinely needs them. Link each token to its owner (workspace and user) so access stays scoped to the right account. Keep tokens out of error messages, UI, URL query strings, and application logs. When a user uninstalls your app, delete the associated token immediately. For long-lived tokens, enable token rotation to automatically renew and expire them on a schedule. You can also manually revoke tokens with the auth.revoke API method.
Protect your app’s data
Every scope your app holds is data you’re responsible for protecting. Request the minimum scopes necessary for your features — fewer scopes mean fewer data flows to secure and a tighter security posture overall. For a deeper look at scope selection, see Less Is More: A Smart Approach to Slack Scopes.
Your app can receive data through events, API responses, and user interactions. Be intentional about what data you keep. Only retain it for as long as a feature actively needs it. For example, a message used to generate a summary can be discarded once the summary exists.
Keep sensitive information (passwords, PII, token values) out of application logs and activity records. Store them only where access is controlled.
Validate your app’s inputs
Data coming into your app can arrive from many sources: a user filling out a form, a webhook, or a third-party service. Check that data before your app acts on it, so it only processes valid, expected input.
Before your app acts, verify that the user is authorized to perform that action. If your app queries a datastore, use parameterized queries instead of interpolating raw user input into the query. A good way to do this is to use your framework’s built-in query sanitization rather than constructing query strings manually.
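One concrete input check for webhook traffic is verifying that a request really came from Slack before acting on it. The following is an added example, not code from the original post: it implements the scheme from Slack’s “Verifying requests from Slack” guide (HMAC-SHA256 with the app’s signing secret over `v0:<timestamp>:<raw body>`, compared against the `X-Slack-Signature` header, with `X-Slack-Request-Timestamp` checked against a five-minute replay window). The signing secret, headers and body below are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed value for this example; a real app loads its signing secret
# from the environment or a secrets manager, never from source code.
SIGNING_SECRET = "example-signing-secret-not-a-real-one"
REPLAY_WINDOW_SECONDS = 5 * 60  # reject requests whose timestamp is too old


def compute_signature(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    """Build Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    basestring = b"v0:" + timestamp.encode("utf-8") + b":" + raw_body
    digest = hmac.new(signing_secret.encode("utf-8"), basestring, hashlib.sha256)
    return "v0=" + digest.hexdigest()


def verify_slack_request(signing_secret: str, headers: dict, raw_body: bytes,
                         now: Optional[float] = None) -> bool:
    """Return True only for a request with a fresh, valid Slack signature.

    raw_body must be the exact bytes received on the wire; re-serializing a
    parsed JSON object changes whitespace and key order and breaks the check.
    """
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not signature:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False  # missing or malformed timestamp
    now = time.time() if now is None else now
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale timestamp: a replayed capture or clock problem
    expected = compute_signature(signing_secret, str(ts), raw_body)
    # Constant-time comparison so timing differences do not leak the digest.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed request: simulate what Slack would send for this body.
    body = b'{"type":"event_callback","event":{"type":"app_mention"}}'
    ts = str(int(time.time()))
    headers = {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": compute_signature(SIGNING_SECRET, ts, body),
    }
    print("valid request:", verify_slack_request(SIGNING_SECRET, headers, body))
    print("tampered body:", verify_slack_request(SIGNING_SECRET, headers, body + b" "))
```

Run the verification against the raw request body before any JSON parsing or business logic, and treat a failed check as a rejected request rather than a logged warning.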
Secure your app’s infrastructure
Your app’s security extends beyond its Slack integration.
Use TLS for all network communication. Keep your dependencies up to date and monitor them for known vulnerabilities. Limit outbound network connections to only the domains your app actually needs to reach.
If your app accepts requests from the internet, restrict access where possible. Slack supports IP address allowlisting for API token usage, letting you control exactly which sources can interact with your app.
Security and privacy aren’t separate from building a great app. They’re built into the same decisions you’re already making about scopes, tokens, and data. Build them in early and they carry forward as your app grows.
Further reading
- Security best practices: comprehensive security guidance for Slack app development
- Verifying requests from Slack: request validation and Slack secrets
- Token rotation: automatic credential renewal
- Tokens: token types and their security characteristics
This is part of a series on building for the Slack Marketplace. For scope fundamentals, see Less Is More: A Smart Approach to Slack Scopes. For how tokens work, see Two Keys to One Platform: Understanding Bot and User Tokens.
