> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kavachos.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Slack

> Authenticate users with their Slack account via the `oauth` plugin. Uses Slack OpenID Connect with `openid`, `email`, and `profile` scopes. No Slack SDK required.

## Get credentials

<Steps>
  <Step>
    ### Create a Slack app

    Go to [api.slack.com/apps](https://api.slack.com/apps) and click **Create New App > From scratch**. Name your app and select a development workspace.
  </Step>

  <Step>
    ### Configure OAuth and permissions

    Navigate to **OAuth and Permissions**. Under **Redirect URLs**, add:

    ```
    https://auth.example.com/auth/oauth/slack/callback
    ```

    Under **Scopes > User Token Scopes**, add `openid`, `email`, and `profile`.
  </Step>

  <Step>
    ### Copy credentials

    Go to **Basic Information** and copy the **Client ID** and **Client Secret** under **App Credentials**.
  </Step>
</Steps>

<Info>
  KavachOS uses Slack's OpenID Connect flow (`/openid/connect/authorize`), not the older `identity.basic` scope approach. Make sure you add **User Token Scopes**, not Bot Token Scopes.
</Info>

## Configuration

```typescript title="lib/kavach.ts" theme={"system"}
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'slack', // [!code highlight]
          clientId: process.env.SLACK_CLIENT_ID!, // [!code highlight]
          clientSecret: process.env.SLACK_CLIENT_SECRET!, // [!code highlight]
        },
      ],
    }),
  ],
});
```

```bash theme={"system"}
SLACK_CLIENT_ID=1234567890.1234567890123
SLACK_CLIENT_SECRET=...
```

## Scopes

Default scopes: `openid email profile`

These are standard OIDC scopes that Slack supports. No additional User Token Scopes are needed for basic sign-in.

## User data returned

| Field   | Source          | Notes                              |
| ------- | --------------- | ---------------------------------- |
| `id`    | `sub` claim     | Stable Slack user ID per workspace |
| `email` | `email` claim   | Workspace email                    |
| `name`  | `name` claim    | Display name                       |
| `image` | `picture` claim | Profile photo URL                  |

<Warning>
  The user ID is scoped to a workspace, not to the Slack user globally. If a user belongs to multiple workspaces and signs in with different ones, they will be treated as different accounts unless you implement custom linking logic.
</Warning>