Slack
Sign in with Slack workspace accounts using OAuth 2.0.
Get credentials
Create a Slack app
Go to api.slack.com/apps and click Create New App > From scratch. Name your app and select a development workspace.
Configure OAuth and permissions
Navigate to OAuth and Permissions. Under Redirect URLs, add:
https://auth.example.com/auth/oauth/slack/callback
Under Scopes > User Token Scopes, add openid, email, and profile.
Copy credentials
Go to Basic Information and copy the Client ID and Client Secret under App Credentials.
KavachOS uses Slack's OpenID Connect flow (/openid/connect/authorize), not the older identity.basic scope approach. Make sure you add User Token Scopes, not Bot Token Scopes.
Configuration
```typescript
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/plugins/oauth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'slack',
          clientId: process.env.SLACK_CLIENT_ID!,
          clientSecret: process.env.SLACK_CLIENT_SECRET!,
        },
      ],
    }),
  ],
});
```

```
SLACK_CLIENT_ID=1234567890.1234567890123
SLACK_CLIENT_SECRET=...
```
Scopes
Default scopes: openid email profile
These are standard OIDC scopes that Slack supports. No additional User Token Scopes are needed for basic sign-in.
User data returned
| Field | Source | Notes |
|---|---|---|
| id | sub claim | Stable Slack user ID per workspace |
| email | email claim | Workspace email |
| name | name claim | Display name |
| image | picture claim | Profile photo URL |
The user ID is scoped to a workspace, not to the Slack user globally. If a user belongs to multiple workspaces and signs in with different ones, they will be treated as different accounts unless you implement custom linking logic.
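One way to write the custom linking logic mentioned above, as an added example that is not KavachOS code: identities are keyed on the workspace plus `sub`, and email is used to link only when Slack marks it verified and the workspace is on an allowlist you control. The `AccountLinker` class, its in-memory maps, and the use of the `https://slack.com/team_id` and `email_verified` claims from Slack's OIDC response are assumptions of this sketch.

```typescript
// Added example; AccountLinker and its in-memory maps are hypothetical, not KavachOS APIs.
interface SlackClaims {
  sub: string; // Slack user ID, stable only within one workspace
  email?: string;
  email_verified?: boolean;
  'https://slack.com/team_id'?: string; // workspace ID (assumed claim name)
}
interface LinkResult {
  action: 'existing' | 'linked' | 'created' | 'rejected';
  accountId: string | null;
}

class AccountLinker {
  private byIdentity = new Map<string, string>(); // "team:sub" -> account ID
  private byEmail = new Map<string, string>(); // verified email -> account ID
  private trustedTeams: Set<string>;
  private nextId = 1;

  constructor(trustedTeams: Iterable<string>) {
    this.trustedTeams = new Set(trustedTeams);
  }

  resolve(claims: SlackClaims): LinkResult {
    const team = claims['https://slack.com/team_id'];
    if (!team || !claims.sub) return { action: 'rejected', accountId: null };
    const key = `${team}:${claims.sub}`;

    // Returning identity: this (workspace, sub) pair has been seen before.
    const known = this.byIdentity.get(key);
    if (known) return { action: 'existing', accountId: known };

    // Email counts for linking only if Slack marks it verified AND the
    // workspace is allowlisted; an address asserted by a workspace you do
    // not control must never attach a login to an existing account.
    const email = claims.email_verified === true && this.trustedTeams.has(team)
      ? claims.email?.trim().toLowerCase()
      : undefined;
    const match = email ? this.byEmail.get(email) : undefined;
    if (match) {
      this.byIdentity.set(key, match);
      return { action: 'linked', accountId: match };
    }
    // Default behaviour from the page: a new workspace means a new account.
    const id = `acct_${this.nextId++}`;
    this.byIdentity.set(key, id);
    if (email) this.byEmail.set(email, id);
    return { action: 'created', accountId: id };
  }
}
```

Accounts created from a non-allowlisted workspace or with an unverified email are never indexed by email, so a later trusted sign-in cannot be linked into them.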