diff --git a/product/admin/mcp-server/slack.mdx b/product/admin/mcp-server/slack.mdx index d518f1fb..500c318e 100644 --- a/product/admin/mcp-server/slack.mdx +++ b/product/admin/mcp-server/slack.mdx @@ -49,13 +49,40 @@ https://accounts.conductor.one/auth/callback Select **Add**, then **Save URLs**. -Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** C1 needs for the operations you plan to govern, such as `channels:read`, `channels:history`, `users:read`, `files:read`, and `search:read`. User token scopes let the app act as each authorizing user. +Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** from [Slack scopes](#slack-scopes) below — the default read scopes for browsing, plus any optional scopes for write or admin tools. User token scopes let the app act as each authorizing user. In the left sidebar, open **Basic Information**. Under **App Credentials**, copy the **Client ID**, then reveal and copy the **Client Secret**. +## Slack scopes + +C1 uses **user token scopes** only — every tool call acts as the authorizing user, not as a bot. Add all of the scopes below under **User Token Scopes** on Slack's **OAuth & Permissions** page; leave **Bot Token Scopes** empty. + +C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — under **User Token Scopes** in Slack, and in C1's scopes field when configuring authentication. Grant only what you need. + +**Default scopes** browse channels and messages (public channels, private channels, direct messages, and group direct messages), users, user groups, files, pins, and message search: + +`channels:read`, `channels:history`, `groups:read`, `groups:history`, `im:read`, `im:history`, `mpim:read`, `mpim:history`, `users:read`, `users:read.email`, `usergroups:read`, `files:read`, `pins:read`, `search:read` + +**Optional scopes** enable the write and admin tools — add only what you need: + +| Scope(s) | Enables | +| :--- | :--- | +| `chat:write` | Send, update, schedule, and delete messages | +| `reactions:read` | View emoji reactions | +| `reminders:read`, `stars:read` | View reminders and saved items | +| `remote_files:read`, `remote_files:share` | View and share remote files | +| `users.profile:write`, `users:write` | Edit the authorized user's profile, photo, and presence | +| `channels:write`, `groups:write`, `im:write`, `mpim:write` (and the `.invites` / `.topic` variants) | Create and manage channels and direct messages, invite people, and set topics | +| `dnd:read`, `calls:read` | View Do Not Disturb settings and calls | +| `admin.conversations:read` / `:write`, `admin.teams:read` / `:write`, `admin.invites:read`, `admin.users:read` / `:write` | Manage channels, workspace settings, invites, and users org-wide (**Enterprise Grid** only; requires an org-level admin install) | + + +Scope changes take effect the next time a user connects. If you add an optional scope after users have already connected, each user must reconnect their Slack account to grant it. + + ## How Slack credentials are shared With per-user OAuth, each user authorizes with their own Slack account, so tool calls run under that user's Slack identity and inherit only the access they already have. Slack attributes each action to the individual user. @@ -71,7 +98,7 @@ Register the server in C1 and connect it to the Slack app you created. Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Slack** from the catalog. -When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**. +When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**, plus the scopes you configured (see [Slack scopes](#slack-scopes)). Save your changes. The first time a user calls a Slack tool from their AI client, they're prompted to connect their Slack account.