Slack
Collaborationsystem_type: "slack"Proxy Slack Web API calls with PQC-sealed OAuth2 Bot tokens and signed webhook bodies.
Overview#
The Slack connector proxies Slack Web API calls (chat.postMessage, conversations.list, files.upload, etc.). OAuth2 Bot tokens are sealed in QuantaVault. Inbound webhook signatures (X-Slack-Signature) are verified before forwarding to your application.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_...Prerequisites#
- 1A Slack app with Bot Token Scopes for the operations you need (chat:write, channels:read, files:write, etc.)
- 2Bot OAuth2 token (xoxb-...)
- 3A QuantaSeal API key
Configuration#
Follow these steps to connect Slack to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
Create a Slack App at api.slack.com/apps. Add the required Bot Token Scopes.
- 2
Install the app to your workspace and copy the Bot User OAuth Token (xoxb-...).
- 3
Seal the token: POST /api/v2/vault/seal with credential_type: oauth2_token.
- 4
Create the integration: POST /api/v2/integrations with system_type: slack.
Authentication Types#
Store the Bot token as oauth2_token in QuantaVault. For inbound webhook verification, seal the Signing Secret as webhook_secret.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
post_message | Send a message to a Slack channel or DM. |
list_channels | List public and private channels. |
upload_file | Upload a file to a Slack channel. |
get_user_info | Retrieve a user's Slack profile. |
add_reaction | Add a reaction emoji to a message. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRSLACK000001",
"operation": "post_message",
"payload": {
"channel": "#security-alerts",
"text": "QuantaSeal: PQC credential rotation completed successfully.",
"blocks": [
{
"type": "section",
"text": {"type": "mrkdwn", "text": "*Rotation complete* - all vault entries re-encrypted with ML-KEM-768."}
}
]
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted Slack API response>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
not_in_channel - bot cannot post
Invite the bot to the channel: /invite @your-app-name. The bot must be a member of the channel to post.
missing_scope - chat:write
Add the chat:write scope to the Slack app and reinstall it to regenerate the Bot token. Update the vault entry with the new token.