- App install scopes are granted to the workspace-installed Slack app
- User OAuth scopes are granted only when a user explicitly connects their Slack account for actor-scoped behavior
- Slack sign-in scopes are used for web authentication and session bootstrap
App install scope categories
| Capability | Example scopes | Why Slack Agent needs them |
|---|---|---|
| Start and route work | app_mentions:read, assistant:write, commands | Lets Slack Agent respond to mentions, assistant entry points, and slash commands such as /plan, /learn, and /automations |
| Read conversation context | channels:history, groups:history, im:history, mpim:history | Lets Slack Agent read the thread history and surrounding conversation where it is allowed to operate |
| Discover Slack surfaces and people | channels:read, groups:read, im:read, mpim:read, team:read, users:read, users:read.email, usergroups:read | Helps Slack Agent identify the workspace, resolve channels, and map users and groups during setup and access control |
| Write back into Slack | chat:write, reactions:write, files:write, canvases:write, im:write, mpim:write | Lets Slack Agent post replies, upload artifacts, update canvases, and signal progress |
| Search and additional context | search:read.files, search:read.public, search:read.users, plus related read scopes such as bookmarks, pins, canvases, lists, and emoji | Expands the context Slack Agent can inspect when the product flow calls for it |
User OAuth scopes
User OAuth scopes are the explicit “act as you” path. They are useful when Slack Agent needs user-scoped behavior that should not be performed broadly with the bot token alone.

| Capability | Example scopes | Why it matters |
|---|---|---|
| User-authored Slack actions | chat:write, reactions:write, files:write, canvases:write | Lets Slack Agent take selected actions on behalf of the connected user after explicit consent |
| Private search | search:read.private, search:read.im, search:read.mpim | Allows more private, actor-scoped search behavior where the user has the right visibility |
| Workspace lookup in user flows | selected read scopes for channels and users | Supports channel selection, people lookup, and setup UX tied to the authenticated user |
Slack sign-in scopes
Slack sign-in scopes are only for identity and session establishment.

| Scope family | Why it matters |
|---|---|
| openid, profile, email | Lets the web app authenticate the Slack user and bind the correct Slack identity to the correct workspace session |
Notes
- App install scopes are the baseline workspace permissions.
- User OAuth scopes are an explicit escalation path, not the default for every interaction.
- Slack sign-in scopes are used for identity, not for general bot runtime behavior.
- Slack’s permission wording can be broader than the exact operation used in one specific workflow.