
Integration guide

How Slack's OAuth Flow Works (and How to Call Their API With Python)

A practical walkthrough of Slack's OAuth 2.0 authorization code flow plus a quick Python SDK demo.

Paulina Xu · November 22, 2025 · 8 min read
Tags: OAuth, Slack, Python

Why Slack's OAuth Flow Matters

Slack follows the standard OAuth 2.0 authorization code flow: the user approves a set of scopes on Slack's consent screen, Slack sends a short-lived code to your redirect URI, your server exchanges that code (together with your client secret, which never leaves the server) for tokens, and the resulting bot token authenticates Web API calls. Knowing which party holds which secret at each step keeps onboarding smooth and keeps the integration within Slack's security expectations.

The OAuth Flow Step by Step

Step 1: Redirect the user to Slack

Send users to https://slack.com/oauth/v2/authorize with your client_id, the requested scopes (scope, a comma-separated list), your redirect_uri, and a state parameter. Slack treats state as optional, but you should always send one: an unguessable value bound to the user's session that you verify when Slack redirects back, which is what stops a CSRF attack that binds a victim's session to an attacker's workspace. Slack then renders the consent screen.

Step 2: Receive a temporary code

Slack redirects back to your redirect_uri with a code query parameter and the state you sent (or an error parameter such as access_denied if the user declined). Verify that state matches the one stored for this session before doing anything else, then exchange the code promptly from your server; it is short-lived and single use.

Step 3: Exchange the code for tokens

From your server, POST to https://slack.com/api/oauth.v2.access with client_id, client_secret, code, and the same redirect_uri used in step 1. Slack answers with HTTP 200 and a JSON body whose ok field tells you whether the exchange succeeded; on success it contains the bot token (access_token, xoxb- prefix), the granted scope list, the bot_user_id, workspace metadata under team, and, if user scopes were requested, an authed_user object carrying a user token (xoxp- prefix). On failure ok is false and error names the cause (for example invalid_code for an expired or reused code).

Step 4: Call Slack APIs with the bot token

Include the access token in the Authorization: Bearer header when calling Slack Web API endpoints. Each endpoint documents the scopes it requires.
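The four steps above as one runnable server-side flow. This is an added example written for this guide, not code from Slack or the slack_sdk project: it builds the authorize URL with a session-bound, single-use state, validates the callback, and exchanges the code at oauth.v2.access. The HTTP transport is injectable so the exchange can be exercised offline against a constructed response; the in-memory state store, the post_form transport and all client IDs, secrets and URLs are assumptions for illustration.

```python
"""Slack OAuth 2.0 authorization-code flow with state binding (added example)."""
import hmac
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict

AUTHORIZE_URL = "https://slack.com/oauth/v2/authorize"
TOKEN_URL = "https://slack.com/api/oauth.v2.access"


def post_form(url: str, fields: Dict[str, str]) -> dict:
    """Default transport: form-encoded POST, JSON reply. Hypothetical helper, replaced in tests."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class SlackOAuthFlow:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 scopes, post: Callable[[str, Dict[str, str]], dict] = post_form):
        self.client_id = client_id
        self.client_secret = client_secret   # server-side only; never sent to the browser
        self.redirect_uri = redirect_uri
        self.scopes = list(scopes)
        self._post = post
        # Assumed in-memory store mapping state -> session id that started the flow.
        # In production this lives in your session store with a short TTL.
        self._pending: Dict[str, str] = {}

    def start(self, session_id: str):
        """Step 1: return (consent URL, state). State is unguessable and tied to the session."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = session_id
        params = {
            "client_id": self.client_id,
            "scope": ",".join(self.scopes),
            "redirect_uri": self.redirect_uri,
            "state": state,
        }
        return f"{AUTHORIZE_URL}?{urllib.parse.urlencode(params)}", state

    def handle_callback(self, session_id: str, query_string: str) -> dict:
        """Steps 2 and 3: verify state, then exchange the code for tokens."""
        params = {k: v[0] for k, v in urllib.parse.parse_qs(query_string).items()}
        state = params.get("state", "")
        # pop() makes the state single use, so a replayed callback cannot be exchanged twice
        owner = self._pending.pop(state, None)
        if owner is None or not hmac.compare_digest(owner, session_id):
            raise PermissionError("state mismatch: possible CSRF or replayed callback")
        if "error" in params:               # user declined consent, e.g. error=access_denied
            raise PermissionError(f"authorization failed: {params['error']}")
        code = params.get("code")
        if not code:
            raise ValueError("callback is missing the code parameter")

        result = self._post(TOKEN_URL, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "code": code,
            "redirect_uri": self.redirect_uri,   # must match the value used in step 1
        })
        if not result.get("ok"):
            raise RuntimeError(f"oauth.v2.access failed: {result.get('error')}")
        # Persist only what the app needs; field names follow Slack's documented response.
        return {
            "team_id": result["team"]["id"],
            "bot_token": result["access_token"],
            "bot_user_id": result.get("bot_user_id"),
            "scopes": result.get("scope", "").split(","),
            "user_token": (result.get("authed_user") or {}).get("access_token"),
        }
```

In a real app the session id comes from your framework's session cookie, and the dictionary returned by handle_callback is what you write to the server-side token store keyed by team_id.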

Calling the Slack API With Python

Once you have a bot token, the Slack Python SDK (slack_sdk) sets the Authorization header, decodes the JSON reply, and turns ok=false responses into a SlackApiError for you. Connection-error retries are on by default; retrying on rate limits requires adding the SDK's RateLimitErrorRetryHandler. Install the SDK, instantiate a WebClient, and start sending messages or calling other Web API methods.

import os

from slack_sdk import WebClient
from slack_sdk.errors import SlackApiError

# Read the bot token from the environment instead of hard-coding it in source.
client = WebClient(token=os.environ["SLACK_BOT_TOKEN"])

try:
    # Requires the chat:write scope; the bot must be a member of the channel.
    response = client.chat_postMessage(
        channel="#general",
        text="Hello from Python!"
    )
    print("Message sent:", response["ts"])
except SlackApiError as exc:
    # Slack replies ok=false with an error code such as "not_in_channel" or "invalid_auth".
    print("Error sending message:", exc.response["error"])

Need to list users or channels? Swap in other Web API methods such as users_list or conversations_list, and the SDK takes care of the heavy lifting.

Common Bot Scopes

Request only the scopes your automation truly needs. The consent screen shows the user exactly the list you asked for and Slack grants exactly that list, so keep it tight: every extra scope widens what a leaked bot token can do.

Scope            Grants
chat:write       Send messages
channels:read    Read the list of public channels
users:read       Read the user list
commands         Receive slash commands

Events are not covered by a single scope. You subscribe to each event type in your app configuration, and the Events API documentation lists the scope each event requires (for example, app_mention requires app_mentions:read). Request those scopes alongside the ones above.

Operational Best Practices

  • By default Slack tokens do not expire, but a workspace admin or the user can revoke them at any time, and uninstalling the app revokes all of them. Treat the error codes invalid_auth, token_revoked and account_inactive as permanent, delete the stored token instead of retrying, and subscribe to the tokens_revoked and app_uninstalled events so you learn about revocation before the next call fails. If you opt into Slack's token rotation, access tokens expire after 12 hours and must be refreshed with oauth.v2.access using grant_type=refresh_token.
  • Persist tokens in a secure server-side data store, encrypted at rest and keyed by workspace (team ID). Never keep them in the browser or in client-side code, and keep the client secret out of the browser as well.
  • Use the state parameter to prevent CSRF in the authorization redirect: generate it with a CSPRNG, bind it to the user's session, accept it once, and compare it in constant time.
  • Respect Slack rate limits: the Web API enforces per-method tiers and answers excess calls with HTTP 429 and a Retry-After header (body error: ratelimited). Wait at least that long before retrying and cap the number of retries.
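Revocation and rate-limit handling as one small call wrapper. This is an added example for this guide, not slack_sdk code: it sends a Web API call with the stored bot token, sleeps for Retry-After on a 429 and retries a bounded number of times, and purges the token from the store when Slack reports it as revoked so the app stops retrying a dead credential. The transport and sleep functions are injected so the behaviour can be verified offline with constructed responses; the urllib_transport helper, the TokenRevoked exception and the team IDs and tokens are assumptions for illustration.

```python
"""Web API calls with revocation detection and Retry-After handling (added example)."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Slack error codes that mean the stored token is dead; retrying is pointless.
REVOKED_ERRORS = {"invalid_auth", "token_revoked", "account_inactive", "not_authed"}


class TokenRevoked(Exception):
    """Raised when the team's token is missing or Slack reports it as no longer valid."""


def urllib_transport(method: str, token: str, payload: dict) -> Tuple[int, dict, dict]:
    """Real transport (hypothetical helper): JSON POST with a Bearer token.
    Returns (http status, headers, decoded JSON body); not used by the offline test."""
    req = urllib.request.Request(
        f"https://slack.com/api/{method}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:          # 429 arrives here
        return exc.code, dict(exc.headers), json.loads(exc.read().decode() or "{}")


class SlackCaller:
    def __init__(self, token_store: Dict[str, str],
                 transport: Callable = urllib_transport,
                 sleep: Callable[[float], None] = time.sleep,
                 max_retries: int = 3):
        self.store = token_store          # assumed: team_id -> bot token, normally a database
        self.transport = transport
        self.sleep = sleep
        self.max_retries = max_retries

    def call(self, team_id: str, method: str, **payload) -> dict:
        token = self.store.get(team_id)
        if token is None:
            raise TokenRevoked(f"no token on file for team {team_id}")
        for attempt in range(self.max_retries + 1):
            status, headers, body = self.transport(method, token, payload)
            if status == 429:
                # Header names are matched case-insensitively; default to 1s if absent.
                lowered = {k.lower(): v for k, v in headers.items()}
                delay = int(lowered.get("retry-after", "1"))
                if attempt == self.max_retries:
                    raise RuntimeError(f"{method}: still rate limited after {attempt} retries")
                self.sleep(delay)
                continue
            if body.get("ok"):
                return body
            error = body.get("error", "unknown_error")
            if error in REVOKED_ERRORS:
                # Forget the dead credential so later calls fail fast instead of hammering Slack.
                self.store.pop(team_id, None)
                raise TokenRevoked(f"{method}: token for team {team_id} rejected ({error})")
            raise RuntimeError(f"{method} failed: {error}")
        raise RuntimeError("unreachable")
```

Pair the purge in call() with a handler for the tokens_revoked and app_uninstalled events that deletes the same store entry, so the record disappears whether you learn about the revocation from an event or from a failed call.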
