Slack
Slack Technologies / Salesforcesaas5 credentials
Bot User OAuth Token
slack / bot-user-token
Slack bot tokens authenticate Web API calls as an app's bot user. Slack documents that bot token strings begin with xoxb- and recommends storing them as secrets such as SLACK_BOT_TOKEN.
Looks like
examplexoxb-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SLACK_BOT_TOKEN, SLACK_TOKENAuthorizationBearer token used for Slack Web API calls
.env, Bolt app config, deployment manifests, Slack app config files
CI/CD variables, Kubernetes Secrets, cloud secret managers, hosted app secrets
Bolt apps, bot scripts, workflow automation, committed examples
Web API debug logs, request traces, CI logs, and stack traces
Notes
Bot token blast radius depends on installed scopes and channel membership. Rotate tokens found outside the intended app secret store.
User OAuth Token
slack / user-token
Slack user tokens let apps act directly on behalf of a user. Slack documents that user token strings begin with xoxp-.
Looks like
examplexoxp-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SLACK_USER_TOKENAuthorizationBearer token used for Slack Web API calls
app OAuth installation tables and token stores
OAuth app config, local development .env files
app secret stores, CI/CD variables, cloud secret managers
OAuth exchange logs and application debug output
Notes
User tokens inherit the user's visibility and perform write actions as that user. Treat them as user-account delegation credentials.
App-Level Token
slack / app-level-token
Slack app-level tokens authenticate app-wide features such as Socket Mode. Slack documents that app-level token strings begin with xapp-.
Looks like
examplexapp-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SLACK_APP_TOKENSocket Mode app config, .env files, deployment manifests
CI/CD variables, Kubernetes Secrets, cloud secret managers
Bolt apps, Socket Mode examples, committed test configs
Socket Mode startup logs, CI logs, application debug logs
Notes
App-level tokens are separate from bot tokens. Socket Mode apps often require both SLACK_APP_TOKEN and SLACK_BOT_TOKEN.
Incoming Webhook URL
slack / incoming-webhook-url
Slack incoming webhooks are channel-specific URLs that contain a secret path component. Slack documents that webhook URLs contain a secret and should not be shared online or checked into public repositories.
Looks like
examplehttps://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXXLocation
.env files, notification configs, CI/CD webhook settings
CI/CD variables, hosted app settings, cloud secret managers
deployment scripts, monitoring rules, committed notification examples
webhook POST traces, CI logs, application debug output
OAuth install responses containing incoming_webhook.url
Notes
Webhook URLs are bound to a channel and can post messages without a bot token. Slack actively revokes leaked secrets it discovers.
Signing Secret
slack / signing-secret
Slack signs requests sent to apps using a signing secret unique to the app. Apps use it to validate X-Slack-Signature and X-Slack-Request-Timestamp headers on incoming requests.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
SLACK_SIGNING_SECRETX-Slack-Signature, X-Slack-Request-Timestampincoming request headers verified with the signing secret; the secret itself is not sent
.env files, app config, deployment manifests
CI/CD variables, cloud secret managers, hosted app settings
Bolt examples, tests, committed local config
Notes
A leaked signing secret lets an attacker forge Slack-originated requests to endpoints that trust Slack signature verification.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.