This guide explains how to create a Slack App that is restricted to your own workspace (organization) and how to collect the required credentials to connect it with our Node.js Slack integration app.
Overview
By default, Slack apps can be distributed publicly. For security and privacy reasons, this setup ensures:
The app is not listed publicly in Slack's App Directory
The app can be installed only in your workspace
Tokens and credentials remain private to your organization
You will create a Slack app, configure permissions, generate tokens, and connect them to our Node.js service.
Prerequisites
Before starting, make sure you have:
Admin or App Management permissions in your Slack workspace
Access to your Slack workspace where the app will be installed
Our Node.js app running locally or deployed (you will need its public URL)
Step 1: Create a New Slack App
4.
App Name: (example: Policy Assistant)
Workspace: Select your own Slack workspace
Important: Apps created this way are private by default and are NOT publicly listed.
Step 2: Confirm App Is Workspace-Only
Slack apps are private unless you explicitly submit them to the Slack App Directory.
To ensure your app stays internal:
Do NOT submit the app for review
Do NOT enable "Distribution" for public sharing
1. Opening your app dashboard
2. Going to Manage Distribution
3. Making sure it is not submitted for public listing

1. In the left sidebar, click App Home
2. Allow users to send Slash commands and messages
3. Scroll to Bot User section
Note: This creates a bot identity for your app.
Step 4: Set OAuth Scopes (Permissions)
Go to OAuth & Permissions.
Under Bot Token Scopes, add the required permissions:
Common Scopes
app_mentions:read → View messages that directly mention the bot
channels:history → View messages and other content in channels that the bot is added in
chat:write → Send messages
groups:history → Read private channels (if needed)
im:history → Read direct messages and other content in DMs
mpim:history → Read messages and other content in group direct messages
users:read → View people in a workspace
users:read.email → View email addresses of people
files:read → View files shared in channels (for attachment feature)
Security Tip: Only enable the scopes you actually need.
Step 5: Enable Socket Mode (Recommended)
If you are not exposing a public HTTPS endpoint, Socket Mode is recommended.
3. Generate an App-Level Token
Token Name: Example: socket-token
4. Save the generated token.
SLACK_APP_TOKEN=xapp-xxxxxxxxxx
Step 6: Install App to Your Workspace
1. Go to OAuth & Permissions
2. Click Install to Workspace
After installation, Slack will generate a Bot User OAuth Token.
Copy this value. It will look like:
SLACK_BOT_TOKEN=xoxb-xxxxxxxxxx
Step 7: Enable Event Subscriptions
If your bot listens to messages or events:
1. Go to Event Subscriptions
If Using Socket Mode
Note: No Request URL is required when using Socket Mode.
Subscribe to Bot Events
Step 8: Collect Required Keys
You will need the following values from Slack:
Required Environment Variables
| Variable Name | Description |
|---|---|
| SLACK_BOT_TOKEN | Bot token used to send messages |
| SLACK_APP_TOKEN | Socket Mode token |

Add the following environment variables to your Node.js project:
SLACK_BOT_TOKEN=your_bot_token_here
SLACK_APP_TOKEN=your_app_token_here
Important: Restart your Node server after updating environment variables.
Step 10: Verify Installation
To confirm everything is working:
3. Send a test message or mention it:
If configured correctly, the bot should respond.
Troubleshooting
If the bot doesn't respond, verify that all required scopes are added
Ensure both tokens are correctly set in your environment variables
Check that Socket Mode is enabled if not using a public endpoint
Verify the bot is added to the channel where you're testing
Security Best Practices
Never commit tokens to version control
Use environment variables or secure secret management
Regularly rotate tokens if exposed
Only grant minimum required scopes
Keep your app private to your organization
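
The token and scope checks from the Troubleshooting and Security Best Practices lists can be run at startup, before the service connects to Slack. The following is an added example, not part of the integration app's own code; `validateSlackEnv`, `auditScopes` and `redact` are hypothetical helper names, and the token prefixes are the ones shown in Steps 5 and 6.

```javascript
// Added example: startup checks for the Slack credentials described in this guide.
// Assumption: tokens arrive via environment variables; the xoxb-/xapp- prefixes
// are the ones shown in Steps 5 and 6. Helper names are hypothetical.
const EXPECTED = {
  SLACK_BOT_TOKEN: { prefix: 'xoxb-', role: 'Bot User OAuth Token' },
  SLACK_APP_TOKEN: { prefix: 'xapp-', role: 'App-Level (Socket Mode) token' },
};

// Keep only the token-type prefix so log lines never contain a usable secret.
function redact(token) {
  const m = /^(xox[a-z]|xapp)-/.exec(token);
  return m ? `${m[0]}[redacted]` : '[redacted]';
}

// Returns a list of problems; an empty list means both variables look right.
function validateSlackEnv(env) {
  const problems = [];
  for (const [name, { prefix, role }] of Object.entries(EXPECTED)) {
    const value = (env[name] || '').trim();
    if (!value) {
      problems.push(`${name} is not set (expected the ${role})`);
    } else if (/^your_.*_here$/.test(value) || /^x+$/.test(value.slice(prefix.length))) {
      // Catches the sample values from this guide left in place.
      problems.push(`${name} still holds a placeholder value`);
    } else if (!value.startsWith(prefix)) {
      // Typical cause: the two tokens were pasted into each other's variable.
      problems.push(`${name} should start with ${prefix} but got ${redact(value)}`);
    }
  }
  return problems;
}

// Compare the scopes granted to the bot with the ones the service actually uses.
function auditScopes(granted, needed) {
  const g = new Set(granted);
  const n = new Set(needed);
  return {
    missing: [...n].filter((s) => !g.has(s)), // bot may not respond
    excess: [...g].filter((s) => !n.has(s)),  // candidates to remove
  };
}
```

Call `validateSlackEnv(process.env)` before starting the service and exit if it returns any problems; the `granted` list for `auditScopes` can be copied from Bot Token Scopes on the OAuth & Permissions page.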