Package
@slack/web-api, @slack/oauth
Question
Hi Slack Team,
We are working on a production Slack application with an enterprise security requirement to rotate all application secrets every 90 days.
Currently, our Slack integration uses two Slack app-level secrets:
-
client_secret
- Used during the OAuth installation and callback flow
- Used to exchange authorization codes for access/refresh tokens through
oauth.v2.access
-
signing_secret
- Used to validate incoming Slack requests and Events API payloads
- Used for request signature verification (
X-Slack-Signature)
Our application follows centralized secret-management and periodic credential rotation practices as part of our internal security compliance requirements.
Current implementation details:
Environment configuration:
const SLACK_SIGNING_SECRET_ARN = process.env['SLACK_SIGNING_SECRET_ARN'] ?? '';
const SLACK_CLIENT_SECRET_ARN = process.env['SLACK_CLIENT_SECRET_ARN'] ?? '';
Secrets retrieval:
const [signingSecret, clientSecret] = await Promise.all([
getSecret(SLACK_SIGNING_SECRET_ARN),
getSecret(SLACK_CLIENT_SECRET_ARN),
]);
Signing request verification:
const result = verifySlackSignature(
signingSecret,
body,
signature,
timestamp
);
OAuth token exchange:
await fetch('https://slack.com/api/oauth.v2.access', {
method: 'POST',
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
code,
redirect_uri: redirectUrl,
}),
})
Slack SDK packages currently used:
@slack/oauth: ^3.0.3@slack/web-api: ^7.9.2
We could not find any official support or documentation for:
- Automatic regeneration of the Slack Client Secret
- Automatic regeneration of the Slack Signing Secret
- APIs for programmatic secret rotation
- SDK support for app-level secret lifecycle management
Our key questions are:
-
Does Slack currently support automatic/programmatic rotation of:
client_secretsigning_secret
-
Is there any official API or SDK support available for:
- regenerating secrets
- retrieving newly generated secrets
- rotating secrets without manual intervention
-
If not currently supported:
- Is manual regeneration through the Slack Developer Portal the only supported approach?
- Are there any recommended enterprise best practices from Slack for implementing periodic secret rotation?
Any clarification or official guidance would be greatly appreciated.
Thanks,
Gopi Chand
SDK Version
@slack/oauth@3.0.5 ├── @slack/web-api@7.15.0
Node.js Version
v22.22.0
Additional Context
No response
Package
@slack/web-api, @slack/oauth
Question
Hi Slack Team,
We are working on a production Slack application with an enterprise security requirement to rotate all application secrets every 90 days.
Currently, our Slack integration uses two Slack app-level secrets:
client_secretoauth.v2.accesssigning_secretX-Slack-Signature)Our application follows centralized secret-management and periodic credential rotation practices as part of our internal security compliance requirements.
Current implementation details:
Environment configuration:
const SLACK_SIGNING_SECRET_ARN = process.env['SLACK_SIGNING_SECRET_ARN'] ?? '';
const SLACK_CLIENT_SECRET_ARN = process.env['SLACK_CLIENT_SECRET_ARN'] ?? '';
Secrets retrieval:
const [signingSecret, clientSecret] = await Promise.all([
getSecret(SLACK_SIGNING_SECRET_ARN),
getSecret(SLACK_CLIENT_SECRET_ARN),
]);
Signing request verification:
const result = verifySlackSignature(
signingSecret,
body,
signature,
timestamp
);
OAuth token exchange:
await fetch('https://slack.com/api/oauth.v2.access', {
method: 'POST',
body: new URLSearchParams({
client_id: clientId,
client_secret: clientSecret,
code,
redirect_uri: redirectUrl,
}),
})
Slack SDK packages currently used:
@slack/oauth: ^3.0.3@slack/web-api: ^7.9.2We could not find any official support or documentation for:
Our key questions are:
Does Slack currently support automatic/programmatic rotation of:
client_secretsigning_secretIs there any official API or SDK support available for:
If not currently supported:
Any clarification or official guidance would be greatly appreciated.
Thanks,
Gopi Chand
SDK Version
@slack/oauth@3.0.5 ├── @slack/web-api@7.15.0
Node.js Version
v22.22.0
Additional Context
No response