Pairing
Slack DMs default to pairing mode.
Slash commands
Native command behavior and command catalog.
Channel troubleshooting
Cross-channel diagnostics and repair playbooks.
Choosing a transport
Socket Mode and HTTP Request URLs reach feature parity for messaging, slash commands, App Home, and interactivity. Pick by deployment shape, not features.Pick Socket Mode for single-Gateway hosts, dev laptops, and on-prem networks that can reach
*.slack.com outbound but cannot accept inbound HTTPS.Pick HTTP Request URLs when running multiple Gateway replicas behind a load balancer, when outbound WSS is blocked but inbound HTTPS is allowed, or when you already terminate Slack webhooks at a reverse proxy.Relay mode
Relay mode separates Slack ingress from the OpenClaw gateway. A trusted router owns the single Slack Socket Mode connection, chooses a destination gateway, and forwards a typed event over an authenticated websocket. The gateway still uses its own bot token for outbound Slack Web API calls.wss:// unless it targets localhost. Treat the bearer token and router route table as part of the Slack authorization boundary: routed events enter the normal Slack message handler as authorized activations. A router-provided slack_identity in the websocket hello frame can set the default outbound username and icon; an explicit identity supplied by the caller still wins. The relay connection reconnects with the same bounded backoff timing as Socket Mode and clears the router-provided identity whenever it disconnects.
Enterprise Grid org-wide installs
One Slack account can receive messages from every workspace covered by an Enterprise Grid org-wide installation. Choose direct Socket Mode or HTTP Request URLs; relay mode is not supported for enterprise accounts. Both least-privilege manifests below enable only the V1message and app_mention
event path, immediate replies, and listener-owned status reactions.
Socket Mode
connections:write for Socket Mode,
then copy the bot token from the org installation. Configure the account that
uses the org-installed bot token:
HTTP Request URLs
Use HTTP mode when the Gateway has a public HTTPS endpoint and does not open a Socket Mode connection. Replace the example URL with the Gateway’s publicwebhookPath URL (default /slack/events):
enterpriseOrgInstall with Slack auth.test.
An org-installed token without the flag, or a workspace token with the flag,
fails startup. Slack remains the source of truth for which workspaces have
granted the installation; OpenClaw then applies the configured channel, user,
DM, and mention policies to each delivered event. Enterprise V1 rejects all
bot-authored message and app_mention events before dispatch, regardless of
allowBots, because org installs do not provide a stable workspace-qualified
bot identity for loop prevention.
Enterprise support is intentionally limited to direct Socket Mode or HTTP
message and app_mention events and their immediate replies. Relay mode,
slash commands, interactions, App Home, reaction event listeners, pins, Slack
action tools, Slack-native approvals, bindings, queued or scheduled delivery,
and proactive sends are unavailable for an enterprise account. Outbound
acknowledgment, typing, and status reactions are supported through the
listener-owned Slack client and require reactions:write; inbound reaction
notifications and reaction action tools remain unavailable.
Immediate replies reuse the standard Slack delivery behavior for chunks,
media, metadata, identity fallback, unfurls, and receipts, but only while the
validated listener-owned client remains in the active event turn. The
in-memory send queue and thread-participation records are partitioned by that
event’s workspace; the client itself is never serialized or persisted.
Channel policy keys and dm.groupChannels entries must use raw stable Slack channel IDs or the
channel:<id> form. OpenClaw normalizes either form to the raw channel ID for
runtime matching; slack:, group:, and mpim: prefixes fail startup.
User policy entries must use stable Slack user IDs; names, slugs, display names,
and email addresses fail startup. IDs must use Slack’s canonical uppercase
prefix and body (for example, C0123456789 or U0123456789); lowercase and
short lookalikes fail startup. Enterprise accounts cannot enable
dangerouslyAllowNameMatching. Enterprise accounts may set the global
mentionPatterns.mode, but mentionPatterns.allowIn and
mentionPatterns.denyIn fail startup because bare Slack channel IDs are not
workspace-qualified and can be reused across workspaces. Workspace installs
retain the existing scoped mention-pattern behavior. Each accepted workspace
gets separate routing, session, transcript, dedupe, history, and cache identity
even when Slack IDs overlap. Within the message stream, ordinary user messages
and user-authored file_share events are supported; other message subtypes are
rejected before authorization or system-event handling.
Enterprise DMs must either be disabled (dm.enabled=false or
dmPolicy="disabled") or explicitly open with dmPolicy="open" and
an effective account allowFrom containing the literal "*". An empty
allowlist or user-specific IDs without "*" fails startup. Pairing and
per-user DM allowlists are rejected because Slack user IDs are not
workspace-qualified in those authorization stores. Channel and sender policy
continues to apply to channel messages.
Install
plugins install registers and enables the plugin. It does nothing until you configure the Slack app and channel settings below. See Plugins for general plugin install rules.
Quick setup
The manifests in this section create a workspace-scoped installation. For an Enterprise Grid organization installation, use the dedicated org-wide manifest and workflow instead.- Socket Mode (default)
- HTTP Request URLs
1
Create a new Slack app
Open api.slack.com/apps → Create New App → From a manifest → select your workspace → paste one of the manifests below → Next → Create.After Slack creates the app:
Recommended matches the Slack plugin’s full feature set: App Home, slash commands, files, reactions, pins, group DMs, and emoji/usergroup reads. Pick Minimal when workspace policy restricts scopes — it covers DMs, channel/group history, mentions, and slash commands but drops files, reactions, pins, group-DM (
mpim:*), emoji:read, and usergroups:read. See Manifest and scope checklist for per-scope rationale and additive options like extra slash commands.- Basic Information -> App-Level Tokens -> Generate Token and Scopes: add
connections:write, save, copy the App-Level Token. - Install App -> Install to Workspace: copy the Bot User OAuth Token.
2
Configure OpenClaw
Recommended SecretRef setup:Env fallback (default account only):
3
Start gateway
Socket Mode transport tuning
OpenClaw sets the Slack SDK client pong timeout to 15 seconds by default for Socket Mode. Override the transport settings only when you need workspace- or host-specific tuning:clientPingTimeout is the pong wait after the SDK sends a client ping; serverPingTimeout is the wait for Slack server pings. App messages and events remain application state, not transport liveness signals.
Notes:
socketModeis ignored in HTTP Request URL mode.- Base
channels.slack.socketModesettings apply to all Slack accounts unless overridden. Per-account overrides usechannels.slack.accounts.<accountId>.socketMode; because this is an object override, include every socket tuning field you want for that account. - Only
clientPingTimeouthas an OpenClaw default (15000).serverPingTimeoutandpingPongLoggingEnabledare passed to the Slack SDK only when configured. - Socket Mode restart backoff starts around 2 seconds and caps around 30 seconds. Recoverable start, start-wait, and disconnect failures retry until the channel stops. Permanent account and credential errors such as invalid auth, revoked tokens, or missing scopes fail fast instead of retrying forever.
Manifest and scope checklist
The base Slack app manifest is the same for Socket Mode and HTTP Request URLs. Only thesettings block (and the slash command url) differs.
Base manifest (Socket Mode default):
settings with the HTTP variant and add url to each slash command. Public URL required:
Additional manifest settings
Surface different features that extend the above defaults. The default manifest enables the Slack App Home Home tab and subscribes toapp_home_opened. When a workspace member opens the Home tab, OpenClaw publishes a safe default Home view with views.publish; no conversation payload or private configuration is included. When single slash command mode is enabled, the command hint uses channels.slack.slashCommand.name; installations using native commands or no slash commands omit that hint. The Messages tab remains enabled for Slack DMs. The manifest also enables Slack assistant threads with features.assistant_view, assistant:write, assistant_thread_started, and assistant_thread_context_changed; assistant threads route to their own OpenClaw thread sessions and keep Slack-provided thread context available to the agent.
Optional native slash commands
Optional native slash commands
Multiple native slash commands can be used instead of a single configured command with nuance:
- Use
/agentstatusinstead of/statusbecause the/statuscommand is reserved. - No more than 25 slash commands can be registered on a Slack app at once (Slack platform limit).
features.slash_commands section with a subset of available commands:- Socket Mode (default)
- HTTP Request URLs
Optional user-token scopes (read operations)
Optional user-token scopes (read operations)
If you configure
channels.slack.userToken, typical read scopes are:channels:history,groups:history,im:history,mpim:historychannels:read,groups:read,im:read,mpim:readusers:readreactions:readpins:reademoji:readsearch:read(if you depend on Slack search reads)
Token model
botToken+appTokenare required for Socket Mode.- HTTP mode requires
botToken+signingSecret. - Relay mode requires
botTokenplusrelay.url,relay.authToken, andrelay.gatewayId; it does not use an app token or signing secret. botToken,appToken,signingSecret,relay.authToken, anduserTokenaccept plaintext strings or SecretRef objects.- Config tokens override env fallback.
SLACK_BOT_TOKEN,SLACK_APP_TOKEN, andSLACK_USER_TOKENenv fallback each apply only to the default account.userTokendefaults to read-only behavior (userTokenReadOnly: true).
- Slack account inspection tracks per-credential
*Sourceand*Statusfields (botToken,appToken,signingSecret,userToken). - Status is
available,configured_unavailable, ormissing. configured_unavailablemeans the account is configured through SecretRef or another non-inline secret source, but the current command/runtime path could not resolve the actual value.- In HTTP mode,
signingSecretStatusis included; in Socket Mode, the required pair isbotTokenStatus+appTokenStatus.
Actions and gates
Slack actions are controlled bychannels.slack.actions.*.
Available action groups in current Slack tooling:
Current Slack message actions include
send, upload-file, download-file, read, edit, delete, pin, unpin, list-pins, member-info, and emoji-list. download-file accepts Slack file IDs shown in inbound file placeholders and returns image previews for images or local file metadata for other file types.
Access control and routing
- DM policy
- Channel policy
- Mentions and channel users
channels.slack.dmPolicy controls DM access. channels.slack.allowFrom is the canonical DM allowlist.pairing(default)allowlistopen(requireschannels.slack.allowFromto include"*")disabled
dm.enabled(default true)channels.slack.allowFromdm.allowFrom(legacy)dm.groupEnabled(group DMs default false)dm.groupChannels(optional MPIM allowlist)
channels.slack.accounts.default.allowFromapplies only to thedefaultaccount.- Named accounts inherit
channels.slack.allowFromwhen their ownallowFromis unset. - Named accounts do not inherit
channels.slack.accounts.default.allowFrom.
channels.slack.dm.policy and channels.slack.dm.allowFrom still read for compatibility. openclaw doctor --fix migrates them to dmPolicy and allowFrom when it can do so without changing access.Pairing in DMs uses openclaw pairing approve slack <code>.Threading, sessions, and reply tags
- DMs route as
direct; channels aschannel; MPIMs asgroup. - Slack route bindings accept raw peer IDs plus Slack target forms such as
channel:C12345678,user:U12345678, and<@U12345678>. - With default
session.dmScope=main, Slack DMs collapse to agent main session. - Channel sessions:
agent:<agentId>:slack:channel:<channelId>. - Ordinary top-level channel messages stay on the per-channel session, even when
replyToModeis non-off. - Slack thread replies use the parent Slack
thread_tsfor session suffixes (:thread:<threadTs>), even when outbound reply threading is disabled withreplyToMode="off". - OpenClaw seeds an eligible top-level channel root into
agent:<agentId>:slack:channel:<channelId>:thread:<rootTs>when that root is expected to start a visible Slack thread, so the root and later thread replies share one OpenClaw session. This applies toapp_mentionevents, explicit bot or configured mention-pattern matches, andrequireMention: falsechannels with non-offreplyToMode. channels.slack.thread.historyScopedefault isthread;thread.inheritParentdefault isfalse.channels.slack.thread.initialHistoryLimitcontrols how many existing thread messages are fetched when a new thread session starts (default20; set0to disable).channels.slack.thread.requireExplicitMention(defaultfalse): whentrue, suppress implicit thread mentions so the bot only responds to explicit@botmentions inside threads, even when the bot already participated in the thread. Without this, replies in a bot-participated thread bypassrequireMentiongating.
channels.slack.channels.<id>.replyToMode: per-channel override for Slack channel/private-channel messageschannels.slack.replyToMode:off|first|all|batched(defaultoff)channels.slack.replyToModeByChatType: perdirect|group|channel- legacy fallback for direct chats:
channels.slack.dm.replyToMode
[[reply_to_current]][[reply_to:<id>]]
message tool, set replyBroadcast: true with action: "send" and threadId or replyTo to ask Slack to also broadcast the thread reply to the parent channel. This maps to Slack’s chat.postMessage reply_broadcast flag and is only supported for text or Block Kit sends, not media uploads.
When a message tool call runs inside a Slack thread and targets the same channel, OpenClaw normally inherits the current Slack thread according to the effective account, chat-type, or per-channel replyToMode. Automatic replies and same-channel send or upload-file calls use the same per-channel override. Set topLevel: true on action: "send" or action: "upload-file" to force a new parent-channel message instead. threadId: null is accepted as the same top-level opt-out.
replyToMode="off" disables outbound Slack reply threading, including explicit [[reply_to_*]] tags. It does not flatten inbound Slack thread sessions: messages already posted inside a Slack thread still route to the :thread:<threadTs> session. This differs from Telegram, where explicit tags are still honored in "off" mode. Slack threads hide messages from the channel while Telegram replies stay visible inline.Ack reactions
ackReaction sends an acknowledgement emoji while OpenClaw is processing an inbound message. ackReactionScope decides when that emoji is actually sent.
By default, the acknowledgement stays static while Slack’s native assistant thread status shows progress with rotating loading messages. Set messages.statusReactions.enabled: true to opt into the queued/thinking/tool/done/error reaction lifecycle instead.
Emoji (ackReaction)
Resolution order:
channels.slack.accounts.<accountId>.ackReactionchannels.slack.ackReactionmessages.ackReaction- agent identity emoji fallback (
agents.list[].identity.emoji, else"eyes"/ 👀)
- Slack expects shortcodes (for example
"eyes"). - Use
""to disable the reaction for the Slack account or globally.
Scope (messages.ackReactionScope)
The Slack provider reads scope from messages.ackReactionScope (default "group-mentions"). There is no Slack-account or Slack-channel-level override today; the value is global to the gateway.
Values:
"all": react in DMs and groups, including ambient room events."direct": react in DMs only."group-all": react on every group message except ambient room events (no DMs)."group-mentions"(default): react in groups, but only when the bot is mentioned (or in group mentionables that opted in). DMs are excluded."off"/"none": never react.
The default scope (
"group-mentions") does not fire ack reactions in direct messages or ambient room events. To see the configured ackReaction (for example "eyes") on inbound Slack DMs and quiet room events, set messages.ackReactionScope to "all". messages.ackReactionScope is read at Slack provider startup, so a gateway restart is needed for the change to take effect.Text streaming
channels.slack.streaming controls live preview behavior:
off: disable live preview streaming.partial(default): replace preview text with the latest partial output.block: append chunked preview updates.progress: show progress status text while generating, then send final text.streaming.preview.toolProgress: when draft preview is active, route tool/progress updates into the same edited preview message (default:true). Setfalseto keep separate tool/progress messages.streaming.preview.commandText/streaming.progress.commandText: set tostatusto keep compact tool-progress lines while hiding raw command/exec text (default:raw).
channels.slack.streaming.nativeTransport controls Slack native text streaming when channels.slack.streaming.mode is partial (default: true).
Slack native progress task cards are opt-in for progress mode. Set channels.slack.streaming.progress.nativeTaskCards to true with channels.slack.streaming.mode="progress" to send a Slack-native plan/task card while work is running, then update the same task card at completion. Without this flag, progress mode keeps the portable draft-preview behavior.
- A reply thread must be available for native text streaming and Slack assistant thread status to appear. Thread selection still follows
replyToMode. - Channel, group-chat, and top-level DM roots can still use the normal draft preview when native streaming is unavailable or no reply thread exists.
- Top-level Slack DMs stay off-thread by default, so they do not show Slack’s thread-style native stream/status preview; OpenClaw posts and edits a draft preview in the DM instead.
- Media and non-text payloads fall back to normal delivery.
- Media/error finals cancel pending preview edits; eligible text/block finals flush only when they can edit the preview in place.
- If streaming fails mid-reply, OpenClaw falls back to normal delivery for remaining payloads.
channels.slack.streamMode(replace | status_final | append) is a legacy alias forchannels.slack.streaming.mode.- boolean
channels.slack.streamingis a legacy alias forchannels.slack.streaming.modeandchannels.slack.streaming.nativeTransport. - top-level
channels.slack.chunkModeandchannels.slack.nativeStreamingare legacy aliases forchannels.slack.streaming.chunkModeandchannels.slack.streaming.nativeTransport. - Legacy aliases are not read at runtime; run
openclaw doctor --fixto rewrite persisted Slack streaming config to the canonical keys.
Typing reaction fallback
typingReaction adds a temporary reaction to the inbound Slack message while OpenClaw is processing a reply, then removes it when the run finishes. This is most useful outside of thread replies, which use a default “is typing…” status indicator.
Resolution order:
channels.slack.accounts.<accountId>.typingReactionchannels.slack.typingReaction
- Slack expects shortcodes (for example
"hourglass_flowing_sand"). - The reaction is best-effort and cleanup is attempted automatically after the reply or failure path completes.
Voice input
To speak to OpenClaw in Slack today, send a Slack audio clip to the OpenClaw app. Slackbot’s dictation microphone is a separate Slack-owned feature, not an app API.- Slackbot voice dictation lives inside the user’s private Slackbot conversation. Slack turns the recording into a Slackbot prompt but does not emit an audio file, dictation event, prompt, or input-source marker to third-party Slack apps through the Events API. The OpenClaw Slack plugin cannot enable or receive it.
- Slack audio clips are stored Slack files that can be posted in an OpenClaw DM, channel, or thread. OpenClaw downloads an accessible clip with the bot token, normalizes Slack’s clip MIME metadata, and sends it through the shared audio transcription pipeline. The recommended app manifest includes the required
files:readscope.
requireMention: true, a captionless audio clip can satisfy the gate by speaking a configured mention pattern (agents.list[].groupChat.mentionPatterns, falling back to messages.groupChat.mentionPatterns). OpenClaw authorizes the sender before downloading or transcribing the clip, then admits it only when the transcript matches. A failed or nonmatching speculative transcript is discarded with the downloaded clip; it is not retained in channel history. Native Slack @bot identity cannot be inferred from speech, so configure a spoken-name pattern or include a typed mention. If transcript echoing is enabled, the echo is sent only after admission.
Media, chunking, and delivery
Inbound attachments
Inbound attachments
Slack file attachments are downloaded from Slack-hosted private URLs (token-authenticated request flow) and written to the media store when fetch succeeds and size limits permit. File placeholders include the Slack
fileId so agents can fetch the original file with download-file.Downloads use bounded idle and total timeouts. If Slack file retrieval stalls or fails, OpenClaw keeps processing the message and falls back to the file placeholder.Runtime inbound size cap defaults to 20MB unless overridden by channels.slack.mediaMaxMb.Outbound text and files
Outbound text and files
- text chunks use
channels.slack.textChunkLimit(default8000, capped at Slack’s own message-length limit) channels.slack.streaming.chunkMode="newline"enables paragraph-first splitting- file sends use Slack upload APIs and can include thread replies (
thread_ts) - long file captions use the first Slack-safe text chunk as the upload comment and send remaining chunks as follow-up messages
- outbound media cap follows
channels.slack.mediaMaxMbwhen configured; otherwise channel sends use MIME-kind defaults from media pipeline
Delivery targets
Delivery targets
Preferred explicit targets:
user:<id>for DMschannel:<id>for channels
Commands and slash behavior
Slash commands appear in Slack as either a single configured command or multiple native commands. Configurechannels.slack.slashCommand to change command defaults:
enabled: falsename: "openclaw"sessionPrefix: "slack:slash"ephemeral: true
channels.slack.commands.native: true or commands.native: true in global configurations instead.
- Native command auto-mode is off for Slack so
commands.native: "auto"does not enable Slack native commands.
- 3-5 short-enough options: an overflow (”…”) menu
- more than 100 options, with async option filtering available: external select
- 1-2 options, or any option whose encoded value is too long for a select: button blocks
- otherwise (6-100 options, or more than 100 without async filtering): static select menu, chunked at 100 options per menu
agent:<agentId>:slack:slash:<userId> and still route command executions to the target conversation session using CommandTargetSessionKey.
Native charts
Slack’s publicdata_visualization Block Kit block
renders line, bar, area, and pie charts in messages. OpenClaw maps the portable
presentation chart block to that native shape; no additional OAuth scope,
file upload, image renderer, or Slack configuration is required beyond normal
chat:write message access.
- title and optional axis labels: 50 characters
- pie: 1-12 positive segments
- line/bar/area: 1-12 uniquely named series and 1-20 shared categories
- segment, category, and series labels: 20 characters
- every series must contain one finite value for every category; non-pie values may be negative
invalid_blocks during a phased rollout, OpenClaw
removes the rejected native data blocks, keeps any sibling controls, and sends
the complete chart representation as visible text.
Slack currently accepts up to two data_visualization blocks per message. When
a presentation contains more than two valid charts, OpenClaw keeps their order
and continues native rendering in follow-up messages, with no more than two
charts in each message.
Slack’s developer launch
documents the block as an app-facing Block Kit feature and publishes no paid
plan restriction. The Business+/Enterprise eligibility language applies to
Slackbot’s automatic AI chart generation, which is separate from an app sending
an already-structured Block Kit chart. Charts are message-only blocks, not App
Home, modal, or Canvas content.
Native tables
Slack’s currentdata_table Block Kit block
renders structured rows and columns in messages. OpenClaw maps an explicit
portable presentation table block to data_table; it does not use Slack’s
legacy table block.
No additional OAuth scope or Slack configuration is required beyond normal
chat:write message access.
raw_text cells. Numeric cells
map to raw_number, with the finite numeric value preserved for native sorting
and filtering. rowHeaderColumnIndex, when present, marks that zero-based
column as Slack row headers.
Slack’s published data_table limits are enforced before native rendering:
- 1-20 columns
- 1-100 data rows, plus the header row
- the same number of cells in every row
- at most 10,000 aggregate characters across all table cells in one message
<@U123> does not become a Slack mention.
If Slack rejects native chart or table blocks with invalid_blocks, OpenClaw
removes every native data block in one bounded recovery step, retains valid
sibling blocks such as buttons and selects, and sends complete visible chart
and table text with Slack formatting disabled. Slash-command delivery
tracks Slack’s five-call response_url budget across the command. Before each
reply batch, it selects a complete plan that fits the remaining calls or fails
before posting that batch.
Only explicit presentation table blocks are promoted to native tables.
Markdown pipe tables remain authored text; OpenClaw does not guess at table
structure or cell types. Existing trusted Slack-native producers can continue
to pass raw blocks through channelData.slack.blocks; OpenClaw derives fallback
text from valid raw data_table cells, while malformed custom blocks may
degrade to their caption or general Block Kit fallback. Portable agent, CLI,
and plugin output should use presentation.
Interactive replies
Slack can render agent-authored interactive reply controls, but this feature is disabled by default. For new agent, CLI, and plugin output, prefer the sharedpresentation buttons or select blocks. They use the same Slack interaction
path while also degrading on other channels.
Enable it globally:
[[slack_buttons: Approve:approve, Reject:reject]][[slack_select: Choose a target | Canary:canary, Production:production]]
compileSlackInteractiveReplies(...)parseSlackOptionsLine(...)isSlackInteractiveRepliesEnabled(...)buildSlackInteractiveBlocks(...)
presentation payloads and buildSlackPresentationBlocks(...) for new
Slack-rendered controls.
Notes:
- This is Slack-specific legacy UI. Other channels do not translate Slack Block Kit directives into their own button systems.
- The interactive callback values are OpenClaw-generated opaque tokens, not raw agent-authored values.
- If generated interactive blocks would exceed Slack Block Kit limits, OpenClaw falls back to the original text reply instead of sending an invalid blocks payload.
Plugin-owned modal submissions
Slack plugins that register an interactive handler can also receive modalview_submission and view_closed lifecycle events before OpenClaw compacts
the payload for the agent-visible system event. Use one of these routing
patterns when opening a Slack modal:
- Set
callback_idtoopenclaw:<namespace>:<payload>. - Or keep an existing
callback_idand putpluginInteractiveData: "<namespace>:<payload>"in the modalprivate_metadata.
ctx.interaction.kind as view_submission or
view_closed, normalized inputs, and the full raw stateValues object from
Slack. Callback-id-only routing is enough to invoke the plugin handler; include
the existing modal private_metadata user/session routing fields when the
modal should also produce an agent-visible system event. The agent receives a
compact, redacted Slack interaction: ... system event. If the handler returns
systemEvent.summary, systemEvent.reference, or systemEvent.data, those
fields are included in that compact event so the agent can reference
plugin-owned storage without seeing the complete form payload.
Native approvals in Slack
Slack can act as a native approval client with interactive buttons and interactions, instead of falling back to the Web UI or terminal.- Exec and plugin approvals can render as Slack-native Block Kit prompts.
channels.slack.execApprovals.*remains the native exec approval client enablement and DM/channel routing config.- Exec approval DMs use
channels.slack.execApprovals.approversorcommands.ownerAllowFrom. - Plugin approvals use Slack-native buttons when Slack is enabled as a native approval client for the originating session, or when
approvals.pluginroutes to the originating Slack session or a Slack target. - Plugin approval DMs use Slack plugin approvers from
channels.slack.allowFrom, named-accountallowFrom, or the account default route. - Approver authorization is still enforced: exec-only approvers cannot approve plugin requests unless they are also plugin approvers.
interactivity is enabled in your Slack app settings, approval prompts render as Block Kit buttons directly in the conversation.
When those buttons are present, they are the primary approval UX; OpenClaw
should only include a manual /approve command when the tool result says chat
approvals are unavailable or manual approval is the only path.
Config path:
channels.slack.execApprovals.enabledchannels.slack.execApprovals.approvers(optional; falls back tocommands.ownerAllowFromwhen possible)channels.slack.execApprovals.target(dm|channel|both, default:dm)agentFilter,sessionFilter
enabled is unset or "auto" and at least one
exec approver resolves. Slack can also handle native plugin approvals through this native-client
path when Slack plugin approvers resolve and the request matches the native-client filters. Set
enabled: false to disable Slack as a native approval client explicitly. Set enabled: true to
force native approvals on when approvers resolve. Disabling Slack exec approvals does not disable
native Slack plugin approval delivery that is enabled through approvals.plugin; plugin approval
delivery uses Slack plugin approvers instead.
Default behavior with no explicit Slack exec approval config:
approvals.exec forwarding is separate. Use it only when exec approval prompts must also
route to other chats or explicit out-of-band targets. Shared approvals.plugin forwarding is also
separate; Slack native delivery suppresses that fallback only when Slack can handle the plugin
approval request natively.
Same-chat /approve also works in Slack channels and DMs that already support commands. See Exec approvals for the full approval forwarding model.
Events and operational behavior
- Message edits/deletes are mapped into system events.
- Thread broadcasts (“Also send to channel” thread replies) are processed as normal user messages.
- Reaction add/remove events are mapped into system events.
- Member join/leave, channel created/renamed, and pin add/remove events are mapped into system events.
channel_id_changedcan migrate channel config keys whenconfigWritesis enabled.- Channel topic/purpose metadata is treated as untrusted context and can be injected into routing context.
- Thread starter and initial thread-history context seeding are filtered by configured sender allowlists when applicable.
- Block actions, shortcuts, and modal interactions emit structured
Slack interaction: ...system events with rich payload fields:- block actions: selected values, labels, picker values, and
workflow_*metadata - global shortcuts: callback and actor metadata, routed to the actor’s direct session
- message shortcuts: callback, actor, channel, thread, and selected-message context
- modal
view_submissionandview_closedevents with routed channel metadata and form inputs
- block actions: selected values, labels, picker values, and
Configuration reference
Primary reference: Configuration reference - Slack.High-signal Slack fields
High-signal Slack fields
- mode/auth:
mode,enterpriseOrgInstall,botToken,appToken,signingSecret,webhookPath,accounts.* - DM access:
dm.enabled,dmPolicy,allowFrom(legacy:dm.policy,dm.allowFrom),dm.groupEnabled,dm.groupChannels - compatibility toggle:
dangerouslyAllowNameMatching(break-glass; keep off unless needed) - channel access:
groupPolicy,channels.*,channels.*.users,channels.*.requireMention - threading/history:
replyToMode,replyToModeByChatType,thread.*,historyLimit,dmHistoryLimit,dms.*.historyLimit - delivery:
textChunkLimit,streaming.chunkMode,mediaMaxMb,streaming,streaming.nativeTransport,streaming.preview.toolProgress - unfurls:
unfurlLinks(default:false),unfurlMediaforchat.postMessagelink/media preview control; setunfurlLinks: trueto opt back into link previews - ops/features:
configWrites,commands.native,slashCommand.*,actions.*,userToken,userTokenReadOnly
Troubleshooting
No replies in channels
No replies in channels
Check, in order:Useful commands:
groupPolicy- channel allowlist (
channels.slack.channels) — keys must be channel IDs (C12345678), not names (#channel-name). Name-based keys silently fail undergroupPolicy: "allowlist"because channel routing is ID-first by default. To find an ID: right-click the channel in Slack → Copy link — theC...value at the end of the URL is the channel ID. requireMention- per-channel
usersallowlist messages.groupChat.visibleReplies: normal group/channel requests default to"automatic". If you opted into"message_tool"and logs show assistant text with nomessage(action=send)call, the model missed the visible message-tool path. Final text stays private in this mode; inspect the gateway verbose log for suppressed payload metadata, or set it to"automatic"if you want every normal assistant final reply posted through the legacy path.messages.groupChat.unmentionedInbound: if it is"room_event", unmentioned allowed channel chatter is ambient context and stays silent unless the agent calls themessagetool. See Ambient room events.
DM messages ignored
DM messages ignored
Check:
channels.slack.dm.enabledchannels.slack.dmPolicy(or legacychannels.slack.dm.policy)- pairing approvals / allowlist entries (
dmPolicy: "open"still requireschannels.slack.allowFrom: ["*"]) - group DMs use MPIM handling; enable
channels.slack.dm.groupEnabledand, if configured, include the MPIM inchannels.slack.dm.groupChannels - Slack Assistant DM events: verbose logs mentioning
drop message_changedusually mean Slack sent an edited Assistant-thread event without a recoverable human sender in message metadata
Socket mode not connecting
Socket mode not connecting
Validate bot + app tokens and Socket Mode enablement in Slack app settings.
The App-Level Token needs
connections:write, and the Bot User OAuth Token
bot token must belong to the same Slack app/workspace as the app token.If openclaw channels status --probe --json shows botTokenStatus or
appTokenStatus: "configured_unavailable", the Slack account is
configured but the current runtime could not resolve the SecretRef-backed
value.Logs such as slack socket mode failed to start; retry ... are recoverable
start failures. Missing scopes, revoked tokens, and invalid auth fail fast
instead. A slack token mismatch ... log means the bot token and app token
appear to belong to different Slack apps; fix the Slack app credentials.HTTP mode not receiving events
HTTP mode not receiving events
Validate:
- signing secret
- webhook path
- Slack Request URLs (Events + Interactivity + Slash Commands)
- unique
webhookPathper HTTP account - the public URL terminates TLS and forwards requests to the Gateway path
- the Slack app
request_urlpath exactly matcheschannels.slack.webhookPath(default/slack/events)
signingSecretStatus: "configured_unavailable" appears in account
snapshots, the HTTP account is configured but the current runtime could not
resolve the SecretRef-backed signing secret.A repeated slack: webhook path ... already registered log means two HTTP
accounts are using the same webhookPath; give each account a distinct path.Native/slash commands not firing
Native/slash commands not firing
Verify whether you intended:
- native command mode (
channels.slack.commands.native: true) with matching slash commands registered in Slack - or single slash command mode (
channels.slack.slashCommand.enabled: true)
commands.native: "auto" does not enable Slack native commands; use true and create the matching commands in the Slack app. In HTTP mode, every Slack slash command must include the Gateway URL. In Socket Mode, command payloads arrive over the websocket and Slack ignores slash_commands[].url.Also check commands.useAccessGroups, DM authorization, channel allowlists,
and per-channel users allowlists. Slack returns ephemeral errors for
blocked slash-command senders, including:This channel is not allowed.You are not authorized to use this command here.
Attachment media reference
Slack can attach downloaded media to the agent turn when Slack file downloads succeed and size limits permit. Audio clips can be transcribed, image files can pass through the media-understanding path or directly to a vision-capable reply model, and other files remain available as downloadable file context.Supported media types
Inbound pipeline
When a Slack message with file attachments arrives:- OpenClaw downloads the file from Slack’s private URL using the bot token.
- The file is written to the media store on success.
- Downloaded media paths and content types are added to the inbound context.
- Audio clips are routed to the shared transcription pipeline; image-capable model/tool paths can use image attachments from the same context.
- Other files remain available as file metadata or media references for tools that can handle them.
Thread-root attachment inheritance
When a message arrives in a thread (has athread_ts parent):
- If the reply itself has no direct media and the included root message has files, Slack can hydrate the root files as thread-starter context.
- Root files are hydrated only while seeding a new or reset thread session. Later text-only replies reuse the existing session context and do not reattach root files as fresh media.
- Direct reply attachments take precedence over root-message attachments.
- A root message that has only files and no text is represented with an attachment placeholder so the fallback can still include its files.
Multi-attachment handling
When a single Slack message contains multiple file attachments:- Each attachment is processed independently through the media pipeline.
- Downloaded media references are aggregated into the message context.
- Processing order follows Slack’s file order in the event payload.
- A failure in one attachment’s download does not block others.
Size, download, and model limits
- Size cap: Default 20 MB per file. Configurable via
channels.slack.mediaMaxMb. - Audio transcription cap:
tools.media.audio.maxBytesalso applies when the downloaded file is sent to a transcription provider or CLI. - Download failures: Files that Slack cannot serve, expired URLs, inaccessible files, oversize files, and Slack auth/login HTML responses are skipped instead of being reported as unsupported formats.
- Vision model: Image analysis uses the active reply model when it supports vision, or the image model configured at
agents.defaults.imageModel.
Known limits
Related documentation
Related
Pairing
Pair a Slack user to the gateway.
Groups
Channel and group DM behavior.
Channel routing
Route inbound messages to agents.
Security
Threat model and hardening.
Configuration
Config layout and precedence.
Slash commands
Command catalog and behavior.