Skip to content

Feature: Support pre-authenticated tokens (xoxp/xoxb) as alternative to OAuth #43

Description

@ranyhb

Feature Request: Support pre-authenticated tokens (xoxp / xoxb) as an alternative to OAuth

Summary

Allow the Slack MCP plugin to authenticate using an existing Slack API token (xoxp user token or xoxb bot token) instead of requiring the interactive OAuth browser flow. This is especially valuable for automated, headless, and CI/CD environments where a browser callback is not practical.

Motivation

The current OAuth-only flow has several friction points for developer and automation use cases:

  • Headless / server environments — no browser available to complete the OAuth redirect
  • Short-lived tokens — as noted in OAuth access tokens expire after 1 hour with no refresh token, requiring frequent re-authentication #2, OAuth access tokens expire after 1 hour with no refresh token, requiring frequent re-authentication. A long-lived xoxp token avoids this entirely
  • Existing Slack apps — many developers already have a Slack app with a bot token (xoxb) or have previously authorized a user token (xoxp) with the required scopes. Re-doing OAuth through the plugin is redundant
  • CI/CD pipelines and scripted agents — token-based auth is the standard pattern; interactive OAuth is a blocker

Proposed Solution

Support an alternative authentication mode in .mcp.json (or environment variable) that accepts a pre-issued token directly:

{
  "mcpServers": {
    "slack": {
      "type": "http",
      "url": "https://mcp.slack.com/mcp",
      "token": "xoxb-your-bot-token-here"
    }
  }
}

Or alternatively via environment variable:

export SLACK_MCP_TOKEN=xoxb-your-bot-token-here

For cases where only a client ID and secret are available (but not a full OAuth flow), a client-credentials-style exchange could also be considered.

Token types to support

Token type Prefix Use case
Bot token xoxb- App-level access, ideal for agents and automation
User token xoxp- User-level access, same scopes as the OAuth user flow

Security considerations

This mirrors how every other Slack SDK and integration works (@slack/web-api, Bolt, the Slack CLI, etc.). Token security is the developer's responsibility — the same way it is for any Slack API token today. The plugin can document that tokens should be stored in secrets managers or environment variables, not hardcoded.

Related

Expected behavior

When a token field or SLACK_MCP_TOKEN env var is present, the plugin skips the OAuth flow and uses the provided token directly to authenticate requests to mcp.slack.com/mcp.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions