lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Slack

Slack Technologies / Salesforcesaas5 credentials

Credentials5 documented
01

Bot User OAuth Token

slack / bot-user-token

Slack bot tokens authenticate Web API calls as an app's bot user. Slack documents that bot token strings begin with xoxb- and recommends storing them as secrets such as SLACK_BOT_TOKEN.

generated on installsecrettoken

Looks like

example
example

Slack bot token prefix

xoxb-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SLACK_BOT_TOKEN, SLACK_TOKEN
http header
Authorization

Bearer token used for Slack Web API calls

config file

.env, Bolt app config, deployment manifests, Slack app config files

secret store

CI/CD variables, Kubernetes Secrets, cloud secret managers, hosted app secrets

source code

Bolt apps, bot scripts, workflow automation, committed examples

logs

Web API debug logs, request traces, CI logs, and stack traces

Notes

Bot token blast radius depends on installed scopes and channel membership. Rotate tokens found outside the intended app secret store.

02

User OAuth Token

slack / user-token

Slack user tokens let apps act directly on behalf of a user. Slack documents that user token strings begin with xoxp-.

generated on installsecrettoken

Looks like

example
example

Slack user token prefix

xoxp-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SLACK_USER_TOKEN
http header
Authorization

Bearer token used for Slack Web API calls

database

app OAuth installation tables and token stores

config file

OAuth app config, local development .env files

secret store

app secret stores, CI/CD variables, cloud secret managers

logs

OAuth exchange logs and application debug output

Notes

User tokens inherit the user's visibility and perform write actions as that user. Treat them as user-account delegation credentials.

03

App-Level Token

slack / app-level-token

Slack app-level tokens authenticate app-wide features such as Socket Mode. Slack documents that app-level token strings begin with xapp-.

generated on installsecrettoken

Looks like

example
example

Slack app-level token prefix

xapp-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SLACK_APP_TOKEN
config file

Socket Mode app config, .env files, deployment manifests

secret store

CI/CD variables, Kubernetes Secrets, cloud secret managers

source code

Bolt apps, Socket Mode examples, committed test configs

logs

Socket Mode startup logs, CI logs, application debug logs

Notes

App-level tokens are separate from bot tokens. Socket Mode apps often require both SLACK_APP_TOKEN and SLACK_BOT_TOKEN.

04

Incoming Webhook URL

slack / incoming-webhook-url

Slack incoming webhooks are channel-specific URLs that contain a secret path component. Slack documents that webhook URLs contain a secret and should not be shared online or checked into public repositories.

generated on installsecrettoken

Looks like

example
example

Slack incoming webhook URL

https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

Location

config file

.env files, notification configs, CI/CD webhook settings

secret store

CI/CD variables, hosted app settings, cloud secret managers

source code

deployment scripts, monitoring rules, committed notification examples

logs

webhook POST traces, CI logs, application debug output

http response

OAuth install responses containing incoming_webhook.url

Notes

Webhook URLs are bound to a channel and can post messages without a bot token. Slack actively revokes leaked secrets it discovers.

05

Signing Secret

slack / signing-secret

Slack signs requests sent to apps using a signing secret unique to the app. Apps use it to validate X-Slack-Signature and X-Slack-Request-Timestamp headers on incoming requests.

generated on installsecretsecret value

Looks like

example
example

Slack signing secret specimen from request-verification examples

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
SLACK_SIGNING_SECRET
http header
X-Slack-Signature, X-Slack-Request-Timestamp

incoming request headers verified with the signing secret; the secret itself is not sent

config file

.env files, app config, deployment manifests

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

Bolt examples, tests, committed local config

Notes

A leaked signing secret lets an attacker forge Slack-originated requests to endpoints that trust Slack signature verification.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.