# Slack permissions

> Review the Slack app install, user OAuth, and sign-in permissions CodeRabbit Agent requests.

**Understand why each Slack permission is needed.** CodeRabbit Agent for Slack uses three distinct permission surfaces, each for a different purpose:

* **App install scopes** are granted to the workspace-installed Slack app
* **User OAuth scopes** are granted only when a user explicitly connects their Slack account for actor-scoped behavior
* **Slack sign-in scopes** are used for web authentication and session bootstrap

## App install scope categories

| Capability                         | Example scopes                                                                                                                               | Why CodeRabbit Agent needs them                                                                                    |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Start and route work               | `app_mentions:read`, `assistant:write`, `commands`                                                                                           | Lets CodeRabbit Agent respond to mentions, direct messages, and slash commands                                     |
| Read conversation context          | `channels:history`, `groups:history`, `im:history`, `mpim:history`                                                                           | Lets the Agent read the thread history and surrounding conversation where it is allowed to operate                 |
| Discover Slack surfaces and people | `channels:read`, `groups:read`, `im:read`, `mpim:read`, `team:read`, `users:read`, `users:read.email`, `usergroups:read`                     | Helps the Agent identify the workspace, resolve channels, and map users and groups during setup and access control |
| Write back into Slack              | `chat:write`, `reactions:write`, `files:write`, `canvases:write`, `im:write`, `mpim:write`                                                   | Lets the Agent post replies, upload artifacts, update canvases, and signal progress                                |
| Search and additional context      | `search:read.files`, `search:read.public`, `search:read.users`, plus related read scopes such as bookmarks, pins, canvases, lists, and emoji | Expands the context the Agent can inspect when the product flow calls for it                                       |

## User OAuth scopes

User OAuth scopes are the explicit “act as you” path.

They are useful when CodeRabbit Agent needs user-scoped behavior that should not be performed broadly with the bot token alone.

| Capability                     | Example scopes                                                   | Why it matters                                                                              |
| ------------------------------ | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
| User-authored Slack actions    | `chat:write`, `reactions:write`, `files:write`, `canvases:write` | Lets the Agent take selected actions on behalf of the connected user after explicit consent |
| Private search                 | `search:read.private`, `search:read.im`, `search:read.mpim`      | Allows more private, actor-scoped search behavior where the user has the right visibility   |
| Workspace lookup in user flows | selected read scopes for channels and users                      | Supports channel selection, people lookup, and setup UX tied to the authenticated user      |

## Slack sign-in scopes

Slack sign-in scopes are only for identity and session establishment.

| Scope family                 | Why it matters                                                                                                    |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| `openid`, `profile`, `email` | Lets the web app authenticate the Slack user and bind the correct Slack identity to the correct workspace session |

## Notes

* App install scopes are the baseline workspace permissions.
* User OAuth scopes are an explicit escalation path, not the default for every interaction.
* Slack sign-in scopes are used for identity, not for general bot runtime behavior.
* Slack's permission wording can be broader than the exact operation used in one specific workflow.
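
An added example (not CodeRabbit's code) of auditing a bot token against the three surfaces described on this page. It assumes you have copied the token's granted scope list, which Slack returns in the `X-OAuth-Scopes` response header of Web API calls, into a string; `audit_bot_scopes` and the sample value are hypothetical and constructed.

```python
# Added example: audit a bot token's granted scopes against this page's tables.
# The tables list "example scopes", so anything outside them is reported for
# review rather than treated as a violation.
APP_INSTALL = {
    "Start and route work": {"app_mentions:read", "assistant:write", "commands"},
    "Read conversation context": {
        "channels:history", "groups:history", "im:history", "mpim:history"},
    "Discover Slack surfaces and people": {
        "channels:read", "groups:read", "im:read", "mpim:read", "team:read",
        "users:read", "users:read.email", "usergroups:read"},
    "Write back into Slack": {
        "chat:write", "reactions:write", "files:write", "canvases:write",
        "im:write", "mpim:write"},
    "Search and additional context": {
        "search:read.files", "search:read.public", "search:read.users"},
}
# Documented only under "User OAuth scopes" (explicit per-user consent).
USER_ONLY = {"search:read.private", "search:read.im", "search:read.mpim"}
# Documented only under "Slack sign-in scopes" (identity, not bot runtime).
SIGN_IN = {"openid", "profile", "email"}


def audit_bot_scopes(header_value):
    """Classify the comma-separated scope list granted to a bot token."""
    granted = {s.strip() for s in header_value.split(",") if s.strip()}
    report = {"by_capability": {}, "wrong_surface": [],
              "unlisted_read": [], "unlisted_other": []}
    for scope in sorted(granted):
        capability = next(
            (name for name, scopes in APP_INSTALL.items() if scope in scopes), None)
        if capability:
            report["by_capability"].setdefault(capability, []).append(scope)
        elif scope in USER_ONLY or scope in SIGN_IN:
            report["wrong_surface"].append(scope)  # belongs to another surface
        elif scope.partition(":")[2].startswith("read"):
            report["unlisted_read"].append(scope)  # e.g. pins, bookmarks
        else:
            report["unlisted_other"].append(scope)  # write/admin: review first
    return report


# Constructed sample of an X-OAuth-Scopes header value (not from a real workspace).
SAMPLE = ("app_mentions:read,commands,channels:history,chat:write,"
          "users:read.email,pins:read,chat:write.customize,search:read.private")

if __name__ == "__main__":
    for key, value in audit_bot_scopes(SAMPLE).items():
        print(key, value)
```

Scopes in `wrong_surface` and `unlisted_other` are the ones to raise with the workspace admin; `unlisted_read` covers the related read scopes the table mentions without naming.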

## What's next

<CardGroup cols={1}>
  <Card title="Admin roles and security" href="/slack-agent/admin-and-security" icon="lock" horizontal>
    See how Slack admin status and CodeRabbit roles map to workspace permissions.
  </Card>

  <Card title="Quickstart" href="/slack-agent/onboarding" icon="rocket" horizontal>
    Walk through the setup flow that triggers these permission grants for the first time.
  </Card>

  <Card title="Connections" href="/slack-agent/connections" icon="plug" horizontal>
    Learn how OAuth and API key credentials are managed for external service access.
  </Card>
</CardGroup>
