How should Slack bot tokens be stored?

I'm building my first Slack bot and I've got the basics mostly working... sending API requests, receiving commands and events, etc. But the part I'm left a bit confused about is what I'm supposed to do with the "Bot User OAuth Access Token".

The token appears to be shared across teams/workspaces, but it is returned to be during authentication of individual users with a call to /oauth.v2.access. Currently I'm storing the returned credentials payload in a table that has three columns:

• My app's internal user ID
• The Slack user ID embedded in the payload as authed_user.id
• The entire JSON payload itself (jsonb in postgres if you're curious)

This allows me to initiate new API calls for actions that take place in my app (find by internal user ID) and also for interactions within Slack (find by Slack user ID).

What has left me a bit puzzled is what the convention is for when a user interacts with my bot that hasn't added my app. This can happen when a person ("Jose") adds my app and then their colleague ("Mary") discovers it in Slack and views the home screen, sends it a message, etc.

In order to take some action, such as prompt for the user to install my app, I need a token. Of course I have a token for Jose but not for Mary. I also have Jose's team ID stored in my table and Mary's team ID as part of the incoming event. So technically I could do something like this to get a working token to interact with Mary:

select credential_json from slack_credentials
where credential_json->>'type' = 'bot' and credential_json->'team'->>'id' = :marysTeamId

... which would pull out the bot token I captured when Jose added the app. This works, but it feels very wrong. I suppose if I just stored bot tokens in a separate table that looked like this:

• The Slack team ID embedded in the payload as team.id
• A subset of the JSON payload (ex: access_token, scope, bot_user_id, etc but not authed_user)

Then it wouldn't feel so yucky. But the docs + API ergonomics don't suggest this is a common approach either. So I'm curious what others do. If I don't hear anything back, I suppose my plan is to break out the bot tokens into a team-centric table.

Thanks!

The basic concept of Slack apps is that they are installed per workspace, not per user.

So while it's true that the app's token is derived from the user who installed your app to a new workspace, most the apps function are available to all users of the workspace.

e.g. slash commands will work for every user in every channel
e.g. posts of your app will be visible to all users of the related channel.

Therefore the best approach for storing tokens usually is with a primary key of Slack Team ID, Slack User ID.

And just to clarify. You do not need a token to prompt a user to install you app. Every app can be installed from webpage hosted by you (with the "Add to Slack button") or directly from the App Directory.