You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Feature Request: Support pre-authenticated tokens (xoxp / xoxb) as an alternative to OAuth
Summary
Allow the Slack MCP plugin to authenticate using an existing Slack API token (xoxp user token or xoxb bot token) instead of requiring the interactive OAuth browser flow. This is especially valuable for automated, headless, and CI/CD environments where a browser callback is not practical.
Motivation
The current OAuth-only flow has several friction points for developer and automation use cases:
Headless / server environments — no browser available to complete the OAuth redirect
Existing Slack apps — many developers already have a Slack app with a bot token (xoxb) or have previously authorized a user token (xoxp) with the required scopes. Re-doing OAuth through the plugin is redundant
CI/CD pipelines and scripted agents — token-based auth is the standard pattern; interactive OAuth is a blocker
Proposed Solution
Support an alternative authentication mode in .mcp.json (or environment variable) that accepts a pre-issued token directly:
For cases where only a client ID and secret are available (but not a full OAuth flow), a client-credentials-style exchange could also be considered.
Token types to support
Token type
Prefix
Use case
Bot token
xoxb-
App-level access, ideal for agents and automation
User token
xoxp-
User-level access, same scopes as the OAuth user flow
Security considerations
This mirrors how every other Slack SDK and integration works (@slack/web-api, Bolt, the Slack CLI, etc.). Token security is the developer's responsibility — the same way it is for any Slack API token today. The plugin can document that tokens should be stored in secrets managers or environment variables, not hardcoded.
When a token field or SLACK_MCP_TOKEN env var is present, the plugin skips the OAuth flow and uses the provided token directly to authenticate requests to mcp.slack.com/mcp.
Feature Request: Support pre-authenticated tokens (
xoxp/xoxb) as an alternative to OAuthSummary
Allow the Slack MCP plugin to authenticate using an existing Slack API token (
xoxpuser token orxoxbbot token) instead of requiring the interactive OAuth browser flow. This is especially valuable for automated, headless, and CI/CD environments where a browser callback is not practical.Motivation
The current OAuth-only flow has several friction points for developer and automation use cases:
xoxptoken avoids this entirelyxoxb) or have previously authorized a user token (xoxp) with the required scopes. Re-doing OAuth through the plugin is redundantProposed Solution
Support an alternative authentication mode in
.mcp.json(or environment variable) that accepts a pre-issued token directly:{ "mcpServers": { "slack": { "type": "http", "url": "https://mcp.slack.com/mcp", "token": "xoxb-your-bot-token-here" } } }Or alternatively via environment variable:
export SLACK_MCP_TOKEN=xoxb-your-bot-token-hereFor cases where only a client ID and secret are available (but not a full OAuth flow), a client-credentials-style exchange could also be considered.
Token types to support
xoxb-xoxp-Security considerations
This mirrors how every other Slack SDK and integration works (
@slack/web-api, Bolt, the Slack CLI, etc.). Token security is the developer's responsibility — the same way it is for any Slack API token today. The plugin can document that tokens should be stored in secrets managers or environment variables, not hardcoded.Related
Expected behavior
When a
tokenfield orSLACK_MCP_TOKENenv var is present, the plugin skips the OAuth flow and uses the provided token directly to authenticate requests tomcp.slack.com/mcp.