Redact Slack Bot and Webhook Tokens
Find and redact Slack bot tokens, user tokens, and webhook URLs from configuration files and deployment scripts. Prevent unauthorized access to your Slack workspace.
Detailed Explanation
Redacting Slack Tokens
Slack tokens provide access to workspaces, channels, and user data. A compromised Slack token can be used to read private messages, post as a bot, exfiltrate files, and enumerate workspace members — making them a high-value target for attackers.
Slack Token Types
Slack uses identifiable prefixes for all token types:
| Token Type | Prefix | Description |
|---|---|---|
| Bot Token | xoxb- | Used by Slack apps to perform actions |
| User Token | xoxp- | Acts on behalf of a specific user |
| App Token | xapp- | Used for Socket Mode connections |
| Legacy Token | xoxs- | Deprecated session tokens |
| Webhook URL | hooks.slack.com/services/T.../B.../... | Incoming webhook endpoints |
Detection Patterns
For tokens:
xox[bpas]-[0-9]+-[0-9]+-[A-Za-z0-9]+
For webhook URLs:
https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+
Why Slack Token Leaks Are Serious
Unlike some tokens that have limited scope, Slack tokens often have broad permissions:
- Bot tokens (xoxb-) can post messages, read channels, manage files, and access user profiles
- User tokens (xoxp-) have all the permissions of the user who created them
- Webhook URLs allow anyone to post messages to a specific channel — commonly used for phishing from a trusted source
Where Slack Tokens Appear
- Environment files — .env files with SLACK_BOT_TOKEN=xoxb-...
- CI/CD pipelines — Build notifications and deployment alerts
- Monitoring configurations — Alert channels in PagerDuty, Datadog, Grafana
- Custom integrations — Internal tools that post to Slack
- Documentation — Setup guides that include real tokens as examples
# Before redaction
SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-abcdefghijklmnopqrstuvwx
SLACK_WEBHOOK=https://hooks.slack.com/services/T01234567/B01234567/abcdefghijklmnopqrstuvwx
# After redaction
SLACK_BOT_TOKEN=[REDACTED_SLACK_TOKEN]
SLACK_WEBHOOK=[REDACTED_SLACK_WEBHOOK]
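The detection patterns above applied to the before/after sample, as an added example (not the Secret Redactor's own code): it reports each match by line with only a short hint, then rewrites the text with the page's placeholders. The sample .env content and the placeholder names are taken from the page; the dummy token and webhook values are constructed.

```python
import re

# Detection patterns taken from the page's "Detection Patterns" section.
SLACK_TOKEN_RE = re.compile(r"xox[bpas]-[0-9]+-[0-9]+-[A-Za-z0-9]+")
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
)
PATTERNS = (("webhook", SLACK_WEBHOOK_RE), ("token", SLACK_TOKEN_RE))
PLACEHOLDERS = {"token": "[REDACTED_SLACK_TOKEN]", "webhook": "[REDACTED_SLACK_WEBHOOK]"}


def find_slack_secrets(text: str) -> list[tuple[int, str, str]]:
    """Report (line_number, kind, hint) for every match.

    The hint is only the first 8 characters of the match, so a scan report
    never reproduces the full secret in CI logs.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((line_no, kind, match.group(0)[:8] + "..."))
    return findings


def redact_slack_secrets(text: str) -> tuple[str, dict[str, int]]:
    """Replace every match with its placeholder; return text and per-kind counts."""
    counts = {"token": 0, "webhook": 0}
    for kind, pattern in PATTERNS:
        text, n = pattern.subn(PLACEHOLDERS[kind], text)
        counts[kind] += n
    return text, counts


# Constructed sample .env content, modelled on the page's before/after example
# (the token and webhook values are dummies, not real credentials).
SAMPLE_ENV = """\
SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-abcdefghijklmnopqrstuvwx
SLACK_WEBHOOK=https://hooks.slack.com/services/T01234567/B01234567/abcdefghijklmnopqrstuvwx
DATABASE_URL=postgres://app@localhost/app
"""

if __name__ == "__main__":
    for line_no, kind, hint in find_slack_secrets(SAMPLE_ENV):
        print(f"line {line_no}: {kind} {hint}")
    redacted, counts = redact_slack_secrets(SAMPLE_ENV)
    print(redacted, counts)
```

The page's token pattern only covers the xox- prefixes, so the xapp- App Token listed in the table is not matched by it; extend SLACK_TOKEN_RE if that coverage is needed.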
Post-Leak Response
If a Slack token is compromised, immediately regenerate it in the Slack app configuration page. For webhook URLs, delete the webhook and create a new one. Review Slack's audit logs to check for unauthorized activity.
Use Case
A developer is open-sourcing an internal notification service and needs to remove all Slack-specific configuration before making the repository public. The Secret Redactor identifies bot tokens, user tokens, and webhook URLs throughout the codebase, ensuring no Slack credentials survive the transition to a public repository.