From df8f78ef8082861b1872ad857c79978c088877b5 Mon Sep 17 00:00:00 2001 From: leet-c1 <264029741+leet-c1@users.noreply.github.com> Date: Fri, 17 Jul 2026 19:04:24 +0000 Subject: [PATCH 1/3] docs: document Slack MCP default + optional scopes Replace the vague scopes step with a two-tier "Slack scopes" section: the 14 default read scopes C1 requests automatically (public/private/DM/group-DM read + history, users, usergroups, files, pins, search), and the optional write/management/admin scopes an admin adds manually to enable those tools. Note that scope changes apply on the next connect. Wire the register step to the new section. Co-Authored-By: Claude Opus 4.8 --- product/admin/mcp-server/slack.mdx | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/product/admin/mcp-server/slack.mdx b/product/admin/mcp-server/slack.mdx index d518f1fb..4493881d 100644 --- a/product/admin/mcp-server/slack.mdx +++ b/product/admin/mcp-server/slack.mdx @@ -49,13 +49,38 @@ https://accounts.conductor.one/auth/callback Select **Add**, then **Save URLs**. -Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** C1 needs for the operations you plan to govern, such as `channels:read`, `channels:history`, `users:read`, `files:read`, and `search:read`. User token scopes let the app act as each authorizing user. +Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** from [Slack scopes](#slack-scopes) below — the default read scopes for browsing, plus any optional scopes for write or admin tools. User token scopes let the app act as each authorizing user. In the left sidebar, open **Basic Information**. Under **App Credentials**, copy the **Client ID**, then reveal and copy the **Client Secret**. +## Slack scopes + +C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — on Slack's **OAuth & Permissions** page under **User Token Scopes**, and in C1's scopes field when configuring authentication. Grant only what you need. + +**Default scopes** browse channels and messages (public channels, private channels, DMs, and group DMs), users, user groups, files, pins, and message search: + +`channels:read`, `channels:history`, `groups:read`, `groups:history`, `im:read`, `im:history`, `mpim:read`, `mpim:history`, `users:read`, `users:read.email`, `usergroups:read`, `files:read`, `pins:read`, `search:read` + +**Optional scopes** enable the write and admin tools — add only what you need: + +| Scope(s) | Enables | +| :--- | :--- | +| `chat:write` | Send, update, schedule, and delete messages | +| `reactions:read` | View emoji reactions | +| `reminders:read`, `stars:read` | View reminders and saved items | +| `remote_files:read`, `remote_files:share` | View and share remote files | +| `users.profile:write`, `users:write` | Edit the authorized user's profile, photo, and presence | +| `channels:write`, `groups:write`, `im:write`, `mpim:write` (and the `.invites` / `.topic` variants) | Create and manage channels and DMs, invite people, and set topics | +| `dnd:read`, `calls:read` | View Do Not Disturb settings and calls | +| `admin.conversations:read` / `:write`, `admin.teams:read` / `:write`, `admin.invites:read`, `admin.users:read` / `:write` | Manage channels, workspace settings, invites, and users org-wide (**Enterprise Grid** only; requires an org-level admin install) | + + +Scope changes take effect the next time a user connects. If you add an optional scope after users have already connected, each user must reconnect their Slack account to grant it. + + ## How Slack credentials are shared With per-user OAuth, each user authorizes with their own Slack account, so tool calls run under that user's Slack identity and inherit only the access they already have. Slack attributes each action to the individual user. @@ -71,7 +96,7 @@ Register the server in C1 and connect it to the Slack app you created. Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Slack** from the catalog. -When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**. +When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**, plus the scopes you configured (see [Slack scopes](#slack-scopes)). Save your changes. The first time a user calls a Slack tool from their AI client, they're prompted to connect their Slack account. From 350358c18a99c430549586081333016f0fca9404 Mon Sep 17 00:00:00 2001 From: leet-c1 <264029741+leet-c1@users.noreply.github.com> Date: Fri, 17 Jul 2026 19:08:55 +0000 Subject: [PATCH 2/3] docs(slack): emphasize user token scopes (C1 uses user access, not bot) C1 acts as the authorizing user, not a bot. Make the scopes section explicit: add all scopes under User Token Scopes and leave Bot Token Scopes empty. Co-Authored-By: Claude Opus 4.8 --- product/admin/mcp-server/slack.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/product/admin/mcp-server/slack.mdx b/product/admin/mcp-server/slack.mdx index 4493881d..e914254a 100644 --- a/product/admin/mcp-server/slack.mdx +++ b/product/admin/mcp-server/slack.mdx @@ -58,7 +58,9 @@ In the left sidebar, open **Basic Information**. Under **App Credentials**, copy ## Slack scopes -C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — on Slack's **OAuth & Permissions** page under **User Token Scopes**, and in C1's scopes field when configuring authentication. Grant only what you need. +C1 uses **user token scopes** only — every tool call acts as the authorizing user, not as a bot. Add all of the scopes below under **User Token Scopes** on Slack's **OAuth & Permissions** page; leave **Bot Token Scopes** empty. + +C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — under **User Token Scopes** in Slack, and in C1's scopes field when configuring authentication. Grant only what you need. **Default scopes** browse channels and messages (public channels, private channels, DMs, and group DMs), users, user groups, files, pins, and message search: From 58ffe361100b627f518e5e7dd441cec2836af26b Mon Sep 17 00:00:00 2001 From: leet-c1 <264029741+leet-c1@users.noreply.github.com> Date: Fri, 17 Jul 2026 19:37:28 +0000 Subject: [PATCH 3/3] docs(slack): use 'direct messages' over 'DMs' (clarity + clears vale flag) Co-Authored-By: Claude Opus 4.8 --- product/admin/mcp-server/slack.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/product/admin/mcp-server/slack.mdx b/product/admin/mcp-server/slack.mdx index e914254a..500c318e 100644 --- a/product/admin/mcp-server/slack.mdx +++ b/product/admin/mcp-server/slack.mdx @@ -62,7 +62,7 @@ C1 uses **user token scopes** only — every tool call acts as the authorizing u C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — under **User Token Scopes** in Slack, and in C1's scopes field when configuring authentication. Grant only what you need. -**Default scopes** browse channels and messages (public channels, private channels, DMs, and group DMs), users, user groups, files, pins, and message search: +**Default scopes** browse channels and messages (public channels, private channels, direct messages, and group direct messages), users, user groups, files, pins, and message search: `channels:read`, `channels:history`, `groups:read`, `groups:history`, `im:read`, `im:history`, `mpim:read`, `mpim:history`, `users:read`, `users:read.email`, `usergroups:read`, `files:read`, `pins:read`, `search:read` @@ -75,7 +75,7 @@ C1 requests the default read scopes automatically. The default is read-only; to | `reminders:read`, `stars:read` | View reminders and saved items | | `remote_files:read`, `remote_files:share` | View and share remote files | | `users.profile:write`, `users:write` | Edit the authorized user's profile, photo, and presence | -| `channels:write`, `groups:write`, `im:write`, `mpim:write` (and the `.invites` / `.topic` variants) | Create and manage channels and DMs, invite people, and set topics | +| `channels:write`, `groups:write`, `im:write`, `mpim:write` (and the `.invites` / `.topic` variants) | Create and manage channels and direct messages, invite people, and set topics | | `dnd:read`, `calls:read` | View Do Not Disturb settings and calls | | `admin.conversations:read` / `:write`, `admin.teams:read` / `:write`, `admin.invites:read`, `admin.users:read` / `:write` | Manage channels, workspace settings, invites, and users org-wide (**Enterprise Grid** only; requires an org-level admin install) |