
Programmatically create and approve Slack apps

Open purplepenguin2 opened this issue 7 months ago • 7 comments

Apologies if this isn't the right place, but I was a bit confused since the new issue dropdown has a questions category, but the template seems to still default to bug, and this is a bit of a cross-over in terms of perhaps unclear documentation / feature request vs just a general question, but here goes:

I need to programmatically create and approve Slack apps. The approve part seems simple enough using the admin.apps.approve method along with admin.apps:write scope, but the part I'm struggling with is the create part. It seems like apps can approve other apps, but apps cannot create other apps, only users can create apps.

I know there is a configuration token you can generate that is tied to a user, not an app, but the short lived nature of it makes the use case seem like something that Slack doesn't really want people to do? I can create a fake/service user, generate a configuration token, and then create apps using the apps.manifest.create method, but is that the only way to achieve my use case?

The last sticking point is when enabling app approvals via the admin API, it disables approvals via the web UI across our entire enterprise grid, which is a nonstarter. Is there really no way to programmatically create Slack apps and approve them via an API call without (1) constantly calling tooling.tokens.rotate to get new config tokens and (2) completely taking over control of the entire enterprise?

Packages:

Select all that apply:

  • [ ] @slack/web-api
  • [ ] @slack/rtm-api
  • [ ] @slack/webhooks
  • [ ] @slack/oauth
  • [ ] @slack/socket-mode
  • [ ] @slack/types
  • [x] I don't know

Reproducible in:

The Slack SDK version

n/a

Node.js runtime version

n/a

OS info

n/a

Steps to reproduce:

n/a

Expected result:

n/a

Actual result:

n/a


purplepenguin2 avatar Jun 03 '25 03:06 purplepenguin2

One follow-up question on this would also be how to have config tokens for a distributed service. Since the tokens need to be constantly refreshed, you have to regularly call the rotate endpoint, but if you do that across multiple instances of a service, the token automatically gets revoked after 2 rotate calls it seems, so that would make it a dead end to programmatically create apps.

purplepenguin2 avatar Jun 03 '25 21:06 purplepenguin2

Hi there!

I'm afraid that's correct;

  1. The configuration token associated with your user which is able to call the manifest APIs expires after 12 hours and

  2. an approvals app would replace the UI process across the entire org.

vegeris avatar Jun 04 '25 01:06 vegeris

> Since the tokens need to be constantly refreshed, you have to regularly call the rotate endpoint

👋 Following on what @vegeris shared, this is true and as I understand a distributed setup might use a consistent database to store and retrieve the rotated tokens.

I'm not sure if this matches a setup being used, but let us know of more detail or related questions! 👾 ✨

zimeg avatar Jun 04 '25 17:06 zimeg

Yeah, it's unfortunate, but we'll have to store the token outside the running containers and then ensure only one process is ever trying to rotate it while the rest just read.

This might be outside the scope of this thread / SDK in general, but do you have any context as to why those limitations exist? They seem very arbitrary / needlessly restrictive for no gain, but perhaps I'm missing something. I'd put in some type of feature request, but being bluntly honest, I highly doubt Slack would ever change it :(

Otherwise, that answers everything I had, appreciate the confirmation.

purplepenguin2 avatar Jun 04 '25 21:06 purplepenguin2
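
The single-rotator arrangement described in the comment above, as an added example that is not part of the original thread or the SDK. `SharedStore`, `getConfigToken` and `rotateFn` are hypothetical names; the store is an in-memory stand-in for a consistent database, and `rotateFn` stands in for a call to `tooling.tokens.rotate`.

```javascript
// Added example (not from the thread or the SDK). All names are hypothetical.
// SharedStore is a constructed in-memory stand-in for one row in a consistent
// database; rotateFn stands in for a call to tooling.tokens.rotate and is
// assumed to resolve to { token, refresh_token, exp }.
class SharedStore {
  constructor(record) {
    this.record = { ...record, version: 0, lease: null };
  }
  read() {
    return { ...this.record };
  }
  // Compare-and-set: succeeds only if nobody has written since expectedVersion.
  cas(expectedVersion, patch) {
    if (this.record.version !== expectedVersion) return false;
    this.record = { ...this.record, ...patch, version: expectedVersion + 1 };
    return true;
  }
}

const REFRESH_MARGIN_S = 3600; // start rotating when under an hour remains
const LEASE_S = 60; // how long one instance may hold the rotation lease

// Returns a usable token, or null if the stored one has expired and another
// instance is mid-rotation (caller retries). Times are Unix seconds.
async function getConfigToken(store, instanceId, rotateFn, nowS) {
  const rec = store.read();
  if (rec.exp - nowS > REFRESH_MARGIN_S) return rec.token; // read-only path
  const stillValid = rec.exp > nowS ? rec.token : null;
  if (rec.lease && rec.lease.until > nowS) return stillValid; // someone else rotates
  const lease = { owner: instanceId, until: nowS + LEASE_S };
  if (!store.cas(rec.version, { lease })) return stillValid; // lost the race
  const held = store.read();
  const res = await rotateFn(held.refreshToken); // the only rotate call
  const saved = store.cas(held.version, {
    token: res.token,
    refreshToken: res.refresh_token,
    exp: res.exp,
    lease: null,
  });
  // A failed save means the lease lapsed mid-call; surface it, since the new
  // refresh token would otherwise be lost.
  if (!saved) throw new Error('rotation lease lost before save');
  return res.token;
}
```

In a real deployment the compare-and-set would be a conditional update in the shared database, and the stored tokens would be encrypted at rest with access limited to the service.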

Sorry, one last thing I just noticed, is there no way to programmatically request to install an app? It looks like the config token allows you to create the app, but you can't actually request to install it via the API. And the admin APIs don't seem to have any endpoints for installing or creating a request either, unless I'm missing something. Even if you programmatically create an app using the app manifest API, do you still need to manually go to the UI to request to install it?

Put another way, using various APIs you can:

  • create an app
  • update an app
  • delete an app
  • approve an app
  • deny an app
  • uninstall an app

But seemingly the only thing you can't do via the API is request to install? I feel like I have to be missing something.

purplepenguin2 avatar Jun 04 '25 22:06 purplepenguin2

> the only thing you can't do via the API is request to install?

I believe installation for these apps would need to go through the OAuth flow. An app that programmatically creates other apps is likely not a well-supported use case.

Another option might be to explore using the Slack CLI to create workflow apps via a shell script.

vegeris avatar Jun 05 '25 01:06 vegeris

Yeah, the part that's extra confusing is we're trying to use automation rules for app approvals, and I have no idea how the OAuth flow would work with those. The sticking point is how we'd get the access token for the bot user after the app has been approved. We can obviously go through the Slack web UI and copy/paste the token, but the whole purpose behind this is to automate the process, so we'd need an API we could call to get said token, but none exist.

I guess the biggest disconnect is that it seems like the Slack web UI has some undocumented magic where it can pull those tokens and show other information even though there doesn't seem to be any direct API equivalents.

Here's basically the flow right now:

  1. make an API call using the app manifest create endpoint to create the app
  2. a human still has to manually request installation
  3. automation auto-approves the app
  4. but since an admin isn't physically going through the OAuth authorize part, how does the app get the tokens?

Are Slack automation rules that auto approve apps still supposed to hit the OAuth redirect endpoint with an authorization code?

I understand this might fall outside the normal app install process, but the fact even with essentially god mode and full access to all possible APIs, it kind of amazes me this is still impossible to actually automate and do via API calls.

The answer seems to just be none of this is possible via API calls, so I suppose you can close this out unless there are any other recommendations.

purplepenguin2 avatar Jun 05 '25 01:06 purplepenguin2

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar Jul 07 '25 00:07 github-actions[bot]

As this issue has been inactive for more than one month, we will be closing it. Thank you to all the participants! If you would like to raise a related issue, please create a new issue which includes your specific details and references this issue number.

github-actions[bot] avatar Jul 21 '25 00:07 github-actions[bot]