Skip to main content

Get credentials

1

Create a Slack app

Go to api.slack.com/apps and click Create New App > From scratch. Name your app and select a development workspace.
2

Configure OAuth and permissions

Navigate to OAuth and Permissions. Under Redirect URLs, add:
https://auth.example.com/auth/oauth/slack/callback
Under Scopes > User Token Scopes, add openid, email, and profile.
3

Copy credentials

Go to Basic Information and copy the Client ID and Client Secret under App Credentials.
KavachOS uses Slack’s OpenID Connect flow (/openid/connect/authorize), not the older identity.basic scope approach. Make sure you add User Token Scopes, not Bot Token Scopes.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'slack', 
          clientId: process.env.SLACK_CLIENT_ID!, 
          clientSecret: process.env.SLACK_CLIENT_SECRET!, 
        },
      ],
    }),
  ],
});

SLACK_CLIENT_ID=1234567890.1234567890123
SLACK_CLIENT_SECRET=...

Scopes

Default scopes: openid email profile These are standard OIDC scopes that Slack supports. No additional User Token Scopes are needed for basic sign-in.

User data returned

FieldSourceNotes
idsub claimStable Slack user ID per workspace
emailemail claimWorkspace email
namename claimDisplay name
imagepicture claimProfile photo URL
The user ID is scoped to a workspace, not to the Slack user globally. If a user belongs to multiple workspaces and signs in with different ones, they will be treated as different accounts unless you implement custom linking logic.
Last modified on April 17, 2026