[ERROR]: Token not valid. Slack error: invalid_auth

[gladiatx0r]

It appears that slack has changed the way authentication is performed. If you login to slack via a browser (i.e. chrome) you can not use the xoxc token by itself to authenticate to Slack.

From this SO post:

xoxc tokens are special tokens that are used by the web client. These tokens are cookie dependent, so even if the token is somehow stolen, it would not be very useful.

If you want to test this yourself, in incognito go to https://api.slack.com/methods/auth.test and try to use an XOXC token by itself. You will get invalid_auth. If you then login to slack, and try again, it will work. The reason is the browser (chrome) automatically adds the slack cookie in addition to the XOXC token to the request. If you open debugger tools (network tab) you will see the actual request that is being sent to slack includes both the token and cookie. E.g. in curl it looks like this (I stripped a bunch of unnecessary headers)

curl 'https://slack.com/api/auth.test?pretty=1' \
  -H 'cookie: d=xoxd-xxxx' \
  -H 'content-type: multipart/form-data; boundary=' \
  --data-raw $'--\r\nContent-Disposition: form-data; name="token"\r\n\r\nxoxc-xxx\r\n----\r\n'

I used https://curlconverter.com/ to convert the curl request to python, and then stuck those hardcoded header/data values at the top of the code as global variables and switched every method to POST, and passed those hardcoded values. E.g.

That seemed to work around the need for both cookie and token as I successfully received results in this way.