How to Get a Slack Bot Token
To get a Slack bot token, create an app at api.slack.com/apps ("Create New App" → "From scratch"), open OAuth & Permissions, add the Bot Token Scopes your integration needs (such as chat:write), click Install to Workspace, approve the permissions, and copy the Bot User OAuth Token — it starts with xoxb-. Use that token in the Authorization: Bearer header to call Slack's Web API.
The rest of this page covers token types, where the credential goes, a working code sample, and the errors you'll hit if a scope is missing.
Prerequisites
A Slack workspace where you can install apps, or an admin who can approve the install.
A rough idea of which Bot Token Scopes your integration needs up front - adding scopes after install requires reinstalling the app, which generates a new token (Slack Developer Docs, App management quickstart).
If your integration needs to act as a specific person rather than a bot, you want a user token (xoxp-) instead - see the note near the bottom of this page.
Step-by-step: creating a Slack bot token
Where the credential goes
Slack's Web API accepts the token as a bearer token in the Authorization header (Slack Developer Docs, Tokens):
Authorization: Bearer xoxb-...
The word Bearer is case-sensitive. For some POST endpoints, you can alternatively send the token as a token= form field with Content-Type: application/x-www-form-urlencoded.
Connector-specific gotcha: a bot token's permissions are frozen at install time. If you add a new Bot Token Scope later, your existing xoxb- token does not gain that permission — you have to reinstall the app to the workspace (generating a new token) before the scope takes effect. A large share of missing_scope errors are really "I added the scope in the dashboard, but never reinstalled."
A few other things to know:
Lifetime: bot tokens (xoxb-) don't expire on their own and remain valid until revoked or the app is uninstalled. Apps that opt into Slack's token rotation get short-lived access tokens (around 12 hours) plus a refresh token instead (Slack Developer Docs, Tokens).
Revocation: call auth.revoke, or uninstall the app from the workspace's app management settings — either invalidates the token immediately.
Scopes: request the minimum Bot Token Scopes your integration needs, and add more only when required (then reinstall).
If you need a user token or a multi-workspace OAuth flow
For apps installed by many different workspaces, use the OAuth v2 install flow: send users to https://slack.com/oauth/v2/authorize?client_id=...&scope=<bot_scopes>&user_scope=<user_scopes>&redirect_uri=.... Slack redirects back with a temporary code (valid 10 minutes), which you exchange at oauth.v2.access for an access_token (bot, xoxb-) and, if you requested user_scope, an authed_user.access_token (user, xoxp-) (Slack Developer Docs, Installing with OAuth):
curl -F code=1234 \
  -F client_id="$SLACK_CLIENT_ID" \
  -F client_secret="$SLACK_CLIENT_SECRET" \
  https://slack.com/api/oauth.v2.access
Minimal working example
This calls auth.test, which confirms the token is valid and returns basic identity info - a good smoke test for a new token.
curl:
curl -X POST https://slack.com/api/auth.test \
  -H "Authorization: Bearer $SLACK_BOT_TOKEN"
Node.js:
// Top-level await: run this as an ES module (for example a .mjs file).
const res = await fetch("https://slack.com/api/auth.test", {
  method: "POST",
  headers: {
    // Template literal, so the header value is "Bearer " plus the token.
    Authorization: `Bearer ${process.env.SLACK_BOT_TOKEN}`,
  },
});
const data = await res.json();
console.log(data.team, data.user, data.bot_id);
Store SLACK_BOT_TOKEN as an environment variable — never hard-code it, and never commit it to source control.
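One way to check that rule before a commit or a log line leaves your machine, as an added example that is not part of the original page. Only the xoxb- and xoxp- prefixes come from this page; the pattern for the rest of the token, the function names, and the sample text are assumptions constructed for illustration.

```javascript
// Added example: find and mask Slack tokens in source or log text.
// Assumption: after the prefix, a token is at least 10 characters drawn from
// letters, digits and hyphens. The page itself only states the prefixes.
const SLACK_TOKEN_RE = /\bxox[bp]-[A-Za-z0-9-]{10,}/g;

// Returns one finding per token, with the secret part masked.
function findSlackTokens(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(SLACK_TOKEN_RE)) {
      findings.push({
        line: i + 1,
        kind: m[0].startsWith("xoxb-") ? "bot" : "user",
        masked: m[0].slice(0, 5) + "********",
      });
    }
  });
  return findings;
}

// Replaces everything after the prefix so the text can be logged safely.
function redactSlackTokens(text) {
  return text.replace(SLACK_TOKEN_RE, (t) => t.slice(0, 5) + "[REDACTED]");
}

// Constructed sample: the token values below are fake.
const SAMPLE = [
  "const token = process.env.SLACK_BOT_TOKEN;",
  'const token = "xoxb-000000000000-CONSTRUCTEDEXAMPLE";',
  'curl -H "Authorization: Bearer xoxp-000000000000-CONSTRUCTEDEXAMPLE"',
  "Authorization: Bearer xoxb-...",
].join("\n");

console.log(findSlackTokens(SAMPLE));
console.log(redactSlackTokens(SAMPLE));
```

The environment-variable line and the documentation placeholder `xoxb-...` are not flagged; the two hard-coded values are.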
Common errors and fixes
Why am I getting invalid_auth?
The token is missing, malformed, or has been revoked (often via app uninstall). Check that the header reads Authorization: Bearer xoxb-... with no extra quotes, and confirm the app is still installed to the workspace under OAuth & Permissions (Slack Developer Docs, Tokens).
Why am I getting missing_scope?
The response body includes needed and provided fields showing exactly which scope is required and which scopes your token actually has. Add the missing Bot Token Scope under OAuth & Permissions in your app's settings, then reinstall the app to the workspace — adding the scope alone doesn't update existing tokens (Slack Developer Docs, App management quickstart).
Why am I getting ratelimited?
You've exceeded the per-method rate limit for your app in this workspace. Slack returns a 429 with a Retry-After header telling you how many seconds to wait before retrying (Slack Developer Docs, Rate limits).
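The three errors above can be handled in one place. This is an added example, not code from the original page or from Slack; classifySlackResponse and callSlack are hypothetical helper names, the one-second fallback wait is an assumption, and the sample response body is constructed.

```javascript
// Added example: map a Slack Web API response to the fix described above.
function classifySlackResponse(status, headers, body) {
  if (status === 429) {
    // Rate limited: Retry-After is the number of seconds to wait.
    const secs = Number(headers["retry-after"]);
    const wait = Number.isFinite(secs) && secs > 0 ? secs : 1; // assumed 1 s fallback
    return { action: "retry", waitMs: wait * 1000 };
  }
  if (body && body.ok) return { action: "ok" };
  const error = body ? body.error : undefined;
  if (error === "missing_scope") {
    // needed / provided say which scope to add before reinstalling the app.
    const provided = String(body.provided || "").split(",").filter(Boolean);
    return { action: "reinstall", needed: body.needed, provided };
  }
  if (error === "invalid_auth") return { action: "check_token" };
  return { action: "fail", error: error || `http_${status}` };
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// fetchImpl and sleep are injectable so the retry loop can be exercised offline.
// If the call is still rate limited after maxRetries, the "retry" verdict is returned.
async function callSlack(method, token, opts = {}) {
  const { fetchImpl = fetch, sleep = defaultSleep, maxRetries = 3 } = opts;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`https://slack.com/api/${method}`, {
      method: "POST",
      headers: { Authorization: `Bearer ${token}` },
    });
    const body = await res.json().catch(() => null);
    const headers = { "retry-after": res.headers.get("retry-after") };
    const verdict = classifySlackResponse(res.status, headers, body);
    if (verdict.action !== "retry" || attempt >= maxRetries) return verdict;
    await sleep(verdict.waitMs);
  }
}

// Constructed missing_scope body, shaped like the response described above.
const SAMPLE_MISSING_SCOPE = {
  ok: false, error: "missing_scope",
  needed: "chat:write", provided: "channels:read,users:read",
};
console.log(classifySlackResponse(200, {}, SAMPLE_MISSING_SCOPE));
```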
The faster way
Creating and reinstalling a Slack app to fix scope issues is manageable for one workspace. It gets harder once your integration needs to support many workspaces, each with its own installed scopes, token lifecycles, and rate-limit tiers - on top of whatever other communication tools you're connecting. Knit's unified API handles Slack's OAuth installs and token storage, normalizes messaging and channel data across connectors, and manages rate-limit backoff for you. See the Slack API overview for what's available, or book a demo to see it against your own workspace. You can also sign up for free and connect a sandbox Slack workspace in a few minutes.
FAQ
Where do I find my Slack bot token after creating it?
After you click "Install to Workspace" and approve the permissions, Slack shows the Bot User OAuth Token (starting with xoxb-) on the OAuth & Permissions page of your app. You can return to this page any time to copy it again - unlike some platforms, Slack doesn't hide it after the first view, but you should still store it as a secret.
What's the difference between a bot token (xoxb-) and a user token (xoxp-)?
A bot token belongs to the app's bot user and is shared across the workspace install — it's the recommended default for most integrations. A user token acts on behalf of the specific person who authorized the app, with that person's own permissions. Use a bot token unless your integration specifically needs to act as a particular human user, such as posting messages that appear to come from them.
Do Slack bot tokens expire?
No, not by default - xoxb- tokens remain valid until revoked via auth.revoke or until the app is uninstalled from the workspace. Apps that enable Slack's token rotation feature instead get short-lived access tokens (about 12 hours) and a refresh token, which Knit handles automatically for connected workspaces.
Why is my newly added scope not working?
Adding a Bot Token Scope in your app's settings doesn't change tokens that were already issued. You need to reinstall the app to the workspace (or have the user reauthorize), which generates a new token that includes the added scope. This is the most common cause of missing_scope errors after a configuration change.
Is the Slack API free to use with a bot token?
Yes - creating an app, installing it, and calling the Web API is free. Usage is governed by per-method rate limit tiers (roughly 1 to 100+ requests per minute, depending on the method), and some methods have additional limits for newer apps. Knit doesn't charge extra for Slack access either, and manages the rate-limit handling across connectors for you.
Sources:
Tokens — Slack Developer Docs (https://docs.slack.dev/authentication/tokens)
App management quickstart — Slack Developer Docs (https://docs.slack.dev/app-management/quickstart-app-settings)
Installing with OAuth — Slack Developer Docs (https://docs.slack.dev/authentication/installing-with-oauth)
Rate limits — Slack Developer Docs (https://docs.slack.dev/apis/web-api/rate-limits/)
Slack setup — Knit Docs (https://developers.getknit.dev/docs/slack)



