Facts
- HTTP
- JavaScript
- Python
- Java
POST https://slack.com/api/openid.connect.token
app.client.openid.connect.token
app.client.openid_connect_token
app.client().openidConnectToken
application/x-www-form-urlencoded application/json Arguments
Optional arguments
client_idstringOptionalIssued when you created your application.
2141029472.691202649728client_secretstringOptionalIssued when you created your application.
e1b9e11dfcd19c1982d5de12921e17e8ccodestringOptionalThe code param returned via the OAuth callback.
4724469134.4644010092847.232b4e6d82c333b475fc30f5f5a341d294feb1a94392c2fd791f7ab7731a443d1aredirect_uristringOptionalThis must match the originally submitted URI (if one was sent).
http://example.comgrant_typestringOptionalThe grant_type param as described in the OAuth spec.
authorization_coderefresh_tokenstringOptionalThe refresh_token param as described in the OAuth spec.
xoxe-1-abcdefgUsage info
As part of Sign in with Slack, this method allows your app to receive information about a user who signs into your service with their Slack profile.
A potential gotcha: while redirect_uri is optional, it is required if your app passed it as a parameter to /openid/connect/authorize in the first step of the Sign in with Slack flow.
Response
Successful token request during the Sign in with Slack flow
{
"ok": true,
"access_token": "xoxp-1234",
"token_type": "Bearer",
"id_token": "eyJhbGcMjY5OTA2MzcWNrLmNvbVwvdGVhbV9p..."
}
The id_token in the response is a standard JSON Web Token (JWT). . When it's decoded, you'll see a payload like:
"iss": "https://slack.com",
"sub": "U0R7MFMJM",
"aud": "25259531569.11152291",
"exp": 1626874955,
"iat": 1626874655,
"auth_time": 1626874655,
"nonce": "abcd",
"at_hash": "tUbyWGBHe0V32FJEupkgVQ",
"https://slack.com/team_id": "T0RR",
"https://slack.com/user_id": "U0JM",
"email": "bront@slack-corp.com",
"email_verified": true,
"date_email_verified": 1622128723,
"locale": "en-US",
"name": "brent",
"given_name": "",
"family_name": "",
"https://slack.com/user_image_24": "https://secure.gravatar.com/avatar/bc.png",
"https://slack.com/user_image_32": "...",
"https://slack.com/user_image_48": "...",
"https://slack.com/user_image_72": "...",
"https://slack.com/user_image_192": "...",
"https://slack.com/user_image_512": "...",
"https://slack.com/team_image_34": "...",
"https://slack.com/team_image_44": "...",
"https://slack.com/team_image_68": "...",
"https://slack.com/team_image_88": "...",
"https://slack.com/team_image_102": "...",
"https://slack.com/team_image_132": "...",
"https://slack.com/team_image_230": "...",
"https://slack.com/team_image_default": true
iss, sub, aud, exp, iat, auth_time, nonce, and at_hash are each defined by the OpenID standard, but here's an overview:
isssignifies the issuer of the token.subsignifies the subject of the token.audsignifies the intended audience of the token, the client ID of the OpenID Relying Party.expsignifies the expiration time of the request, meaning that it shouldn't be trusted if it's not received by the expiration time.iatsignifies the time when the token was issued.auth_timesignifies the time when the end-user authenticated.nonceis a state variable that you pass to the/openid/connect/authorizeendpoint at the beginning of Sign in with Slack, and that Slack then returns to you at the end of the flow here. Verify that it matches thenonceyou passed to/authorize.
Errors
This table lists the expected errors that this method could return. However, other errors can be returned in the case where the service is down or other unexpected factors affect processing. Callers should always check the value of the ok parameter in the response.
access_deniedAccess to a resource specified in the request is denied.
accesslimitedAccess to this method is limited on the current network
account_inactiveAuthentication token is for a deleted user or workspace when using a bot token.
bad_client_secretThe value passed for client_secret was invalid.
bad_redirect_uriThe value passed for redirect_uri did not match the redirect_uri in the original request.
cannot_install_an_org_installed_appAn org-installed app cannot be installed on a workspace.
deprecated_endpointThe endpoint has been deprecated.
ekm_access_deniedAdministrators have suspended the ability to post a message.
enterprise_is_restrictedThe method cannot be called from an Enterprise.
fatal_errorThe server could not complete your operation(s) without encountering a catastrophic error. It's possible some aspect of the operation succeeded before the error was raised.
internal_errorThe server could not complete your operation(s) without encountering an error, likely due to a transient issue on our end. It's possible some aspect of the operation succeeded before the error was raised.
invalid_arg_nameThe method was passed an argument whose name falls outside the bounds of accepted or expected values. This includes very long names and names with non-alphanumeric characters other than _. If you get this error, it is typically an indication that you have made a very malformed API call.
invalid_argumentsThe method was called with invalid arguments.
invalid_array_argThe method was passed an array as an argument. Please only input valid strings.
invalid_authSome aspect of authentication cannot be validated. Either the provided token is invalid or the request originates from an IP address disallowed from making the request.
invalid_charsetThe method was called via a POST request, but the charset specified in the Content-Type header was invalid. Valid charset names are: utf-8 iso-8859-1.
invalid_client_idThe value passed for client_id was invalid.
invalid_codeThe value passed for code was invalid.
invalid_form_dataThe method was called via a POST request with Content-Type application/x-www-form-urlencoded or multipart/form-data, but the form data was either missing or syntactically invalid.
invalid_grant_typeThe value passed for grant_type was invalid.
invalid_post_typeThe method was called via a POST request, but the specified Content-Type was invalid. Valid types are: application/json application/x-www-form-urlencoded multipart/form-data text/plain.
invalid_refresh_tokenThe given refresh token is invalid.
method_deprecatedThe method has been deprecated.
missing_post_typeThe method was called via a POST request and included a data payload, but the request did not include a Content-Type header.
missing_scopeThe token used is not granted the specific scope permissions required to complete this request.
no_permissionThe workspace token used in this request does not have the permissions necessary to complete the request. Make sure your app is a member of the conversation it's attempting to post a message to.
not_allowed_token_typeThe token type used in this request is not allowed.
not_authedNo authentication token provided.
oauth_authorization_url_mismatchThe OAuth flow was initiated on an incorrect version of the authorization URL. The flow must be initiated via /openid/connect/authorize .
org_login_requiredThe workspace is undergoing an enterprise migration and will not be available until migration is complete.
preview_feature_not_availableThe API method is not yet available on the team.
ratelimitedThe request has been ratelimited. Refer to the Retry-After header for when to retry the request.
request_timeoutThe method was called via a POST request, but the POST data was either missing or truncated.
service_unavailableThe service is temporarily unavailable
team_access_not_grantedThe token used is not granted the specific workspace access required to complete this request.
team_added_to_orgThe workspace associated with your request is currently undergoing migration to an Enterprise Organization. Web API and other platform operations will be intermittently unavailable until the transition is complete.
token_expiredAuthentication token has expired
token_revokedAuthentication token is for a deleted user or workspace or the app has been removed when using a user token.
two_factor_setup_requiredTwo factor setup is required.