Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 29 additions & 2 deletions product/admin/mcp-server/slack.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
{/* Editor Refresh: 2026-06-11 */}

<Note>
**Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.

Check warning on line 12 in product/admin/mcp-server/slack.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/slack.mdx#L12

Did you really mean 'walkthrough'?
</Note>

The Slack MCP server lets you govern access to Slack — channels, messages, users, files, and search — as tools your AI clients can call through C1.
Expand Down Expand Up @@ -49,13 +49,40 @@
Select **Add**, then **Save URLs**.
</Step>
<Step>
Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** C1 needs for the operations you plan to govern, such as `channels:read`, `channels:history`, `users:read`, `files:read`, and `search:read`. User token scopes let the app act as each authorizing user.
Still on **OAuth & Permissions**, scroll to **Scopes** and add the **User Token Scopes** from [Slack scopes](#slack-scopes) below — the default read scopes for browsing, plus any optional scopes for write or admin tools. User token scopes let the app act as each authorizing user.
</Step>
<Step>
In the left sidebar, open **Basic Information**. Under **App Credentials**, copy the **Client ID**, then reveal and copy the **Client Secret**.
</Step>
</Steps>

## Slack scopes

C1 uses **user token scopes** only — every tool call acts as the authorizing user, not as a bot. Add all of the scopes below under **User Token Scopes** on Slack's **OAuth & Permissions** page; leave **Bot Token Scopes** empty.

C1 requests the default read scopes automatically. The default is read-only; to enable write or admin tools, an admin adds the optional scopes below manually — under **User Token Scopes** in Slack, and in C1's scopes field when configuring authentication. Grant only what you need.

**Default scopes** browse channels and messages (public channels, private channels, direct messages, and group direct messages), users, user groups, files, pins, and message search:

`channels:read`, `channels:history`, `groups:read`, `groups:history`, `im:read`, `im:history`, `mpim:read`, `mpim:history`, `users:read`, `users:read.email`, `usergroups:read`, `files:read`, `pins:read`, `search:read`

**Optional scopes** enable the write and admin tools — add only what you need:

| Scope(s) | Enables |
| :--- | :--- |
| `chat:write` | Send, update, schedule, and delete messages |
| `reactions:read` | View emoji reactions |
| `reminders:read`, `stars:read` | View reminders and saved items |
| `remote_files:read`, `remote_files:share` | View and share remote files |
| `users.profile:write`, `users:write` | Edit the authorized user's profile, photo, and presence |
| `channels:write`, `groups:write`, `im:write`, `mpim:write` (and the `.invites` / `.topic` variants) | Create and manage channels and direct messages, invite people, and set topics |
| `dnd:read`, `calls:read` | View Do Not Disturb settings and calls |
| `admin.conversations:read` / `:write`, `admin.teams:read` / `:write`, `admin.invites:read`, `admin.users:read` / `:write` | Manage channels, workspace settings, invites, and users org-wide (**Enterprise Grid** only; requires an org-level admin install) |

<Note>
Scope changes take effect the next time a user connects. If you add an optional scope after users have already connected, each user must reconnect their Slack account to grant it.
</Note>

## How Slack credentials are shared

With per-user OAuth, each user authorizes with their own Slack account, so tool calls run under that user's Slack identity and inherit only the access they already have. Slack attributes each action to the individual user.
Expand All @@ -71,7 +98,7 @@
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Slack** from the catalog.
</Step>
<Step>
When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**.
When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your app's **client ID** and **client secret**, plus the scopes you configured (see [Slack scopes](#slack-scopes)).
</Step>
<Step>
Save your changes. The first time a user calls a Slack tool from their AI client, they're prompted to connect their Slack account.
Expand All @@ -84,7 +111,7 @@

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **AI** > **MCP** > **Settings**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Slack tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

Check warning on line 114 in product/admin/mcp-server/slack.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/slack.mdx#L114

Did you really mean 'toolset'?

<Note>
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Slack credentials when an approved user successfully calls a Slack tool from their AI client.
Expand Down