Session Revocation — Slack Enterprise
Challenge resets all Slack sessions for Enterprise Grid members using Slack Admin API methods.
Session revocation for Slack requires Slack Enterprise Grid. The Admin API methods Challenge uses are not available on free or standard workspace plans.
Create a Slack app (manifest)
Use a dedicated Slack app for session revocation. Keeping it separate from the Slack challenge integration app is recommended, so the admin scope is not granted to the app that handles everyday challenge traffic.
- Go to Slack API Apps and click Create New App → From manifest.
- Select your Enterprise Grid organization (or a workspace in the org).
- Paste the manifest below and click Create.
```json
{
  "display_information": {
    "name": "Veraproof Challenge Session Revocation",
    "description": "Reset member sessions for Challenge incident response",
    "background_color": "#1f2937",
    "long_description": "Used by Veraproof Challenge to look up users by email and reset all Slack sessions during account takeover response. Requires Enterprise Grid."
  },
  "features": {
    "bot_user": {
      "display_name": "Veraproof Session Revoke",
      "always_online": false
    }
  },
  "oauth_config": {
    "scopes": {
      "bot": ["users:read.email"],
      "user": ["admin.users:write"]
    }
  },
  "settings": {
    "org_deploy_enabled": true,
    "socket_mode_enabled": false,
    "token_rotation_enabled": false
  },
  "_metadata": {
    "major_version": 2,
    "minor_version": 1
  }
}
```
- Open OAuth & Permissions.
- Under Scopes, confirm Bot Token Scopes includes `users:read.email` and User Token Scopes includes `admin.users:write`.
- Click Install to Organization (or Install to Workspace on Grid) and approve as an org/workspace admin.
- If prompted, complete user scope authorization so the app receives `admin.users:write`.
- Copy a bearer token that can call both APIs (see below) and paste it into Challenge as Slack bot token (admin scopes).
Obtain the API token
Challenge sends the token as a Bearer value on every Slack API call. Per Slack’s documentation:
- `users.lookupByEmail` accepts a bot or user token with `users:read.email`.
- `admin.users.session.reset` requires a user token with `admin.users:write` (not a bot-only token).
After installation, use the User OAuth Token (`xoxp-...`) from OAuth & Permissions if it includes both required scopes. If lookup succeeds but session reset returns `missing_scope` or `not_allowed_token_type`, reinstall with user scopes approved or contact your Slack org admin to allow the app's admin scopes.
Note: The Challenge field is labeled “bot token” for historical reasons; paste whichever single token your installation provides that satisfies both methods above.
API calls Challenge makes
| Step | Method | Endpoint | Key parameter |
|---|---|---|---|
| Lookup | POST | users.lookupByEmail | email |
| Revoke | POST | admin.users.session.reset | user_id |
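The two-call sequence in the table, written out as an added example in Python. This is illustrative code, not Veraproof Challenge's own implementation. The transport is a plain callable so the same flow runs against the real Slack Web API (`slack_post`, built on `urllib`) or against `fake_slack`, a constructed offline emulation of a Grid org that enforces Slack's token-type rule on the admin method; the directory entries, token strings and the `SlackRevokeError` class are assumptions for the demo. The error handling surfaces the same `missing_scope` and `not_allowed_token_type` cases the token section above warns about.

```python
"""Lookup-then-reset flow for Slack Enterprise Grid session revocation.
Added example, not Veraproof Challenge's code; see the lead-in for assumptions."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict

SLACK_API = "https://slack.com/api/"
Transport = Callable[[str, str, Dict[str, str]], Dict[str, Any]]

# Hints mirror the troubleshooting table on this page. users.lookupByEmail reports
# an unknown address as users_not_found; the table lists user_not_found, so both
# spellings are covered here.
HINTS = {
    "missing_scope": "token lacks a required scope (reset needs a user token with admin.users:write)",
    "not_allowed_token_type": "a bot token was used where a user token is required",
    "user_not_found": "email not in the Enterprise Grid org",
    "users_not_found": "email not in the Enterprise Grid org",
}


class SlackRevokeError(Exception):
    """Raised when Slack answers ok=false; the message carries the error and a hint."""


def slack_post(token: str, method: str, params: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: POST form-encoded params with the token as a Bearer value."""
    req = urllib.request.Request(
        SLACK_API + method,
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def _check(method: str, resp: Dict[str, Any]) -> Dict[str, Any]:
    """Turn an ok=false Web API envelope into an exception with a hint."""
    if resp.get("ok"):
        return resp
    err = resp.get("error", "unknown_error")
    detail = HINTS.get(err, "see the Slack method reference")
    if err == "missing_scope":  # Slack also returns the needed/provided scope lists
        detail += f"; needed={resp.get('needed')} provided={resp.get('provided')}"
    raise SlackRevokeError(f"{method}: {err} ({detail})")


def lookup_user_id(post: Transport, token: str, email: str) -> str:
    """users.lookupByEmail -> Slack user ID (needs users:read.email)."""
    resp = _check("users.lookupByEmail",
                  post(token, "users.lookupByEmail", {"email": email}))
    return resp["user"]["id"]


def reset_sessions(post: Transport, token: str, user_id: str) -> None:
    """admin.users.session.reset: revoke every session of one Grid member
    (needs a user token with admin.users:write)."""
    _check("admin.users.session.reset",
           post(token, "admin.users.session.reset", {"user_id": user_id}))


def revoke_by_email(post: Transport, token: str, email: str) -> str:
    """The sequence Challenge performs; returns the user ID whose sessions were reset."""
    user_id = lookup_user_id(post, token, email)
    reset_sessions(post, token, user_id)
    return user_id


def fake_slack(directory: Dict[str, str]) -> Transport:
    """Constructed offline emulation of a Grid org (email -> user ID) that applies
    Slack's token-type rule: admin methods accept user tokens (xoxp-), not bot
    tokens (xoxb-)."""
    def post(token: str, method: str, params: Dict[str, str]) -> Dict[str, Any]:
        if method == "users.lookupByEmail":
            uid = directory.get(params["email"])
            return {"ok": True, "user": {"id": uid}} if uid else {"ok": False, "error": "users_not_found"}
        if method == "admin.users.session.reset":
            if not token.startswith("xoxp-"):
                return {"ok": False, "error": "not_allowed_token_type"}
            if params["user_id"] not in directory.values():
                return {"ok": False, "error": "user_not_found"}
            return {"ok": True}
        return {"ok": False, "error": "unknown_method"}
    return post


if __name__ == "__main__":
    org = fake_slack({"alice@example.com": "U0123456789"})  # constructed sample data
    print("reset sessions for", revoke_by_email(org, "xoxp-example-user-token", "alice@example.com"))
    try:
        revoke_by_email(org, "xoxb-example-bot-token", "alice@example.com")
    except SlackRevokeError as exc:
        print("bot token rejected as expected:", exc)
```

To run against a real org, pass `slack_post` instead of the fake transport and the `xoxp-` token copied from OAuth & Permissions; the lookup succeeding while the reset fails with `not_allowed_token_type` is exactly the symptom of pasting a bot token.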
Least-privilege guidance
Grant only:
| Scope | Token type | Purpose |
|---|---|---|
users:read.email | Bot or user | Resolve user by email |
admin.users:write | User | Reset all sessions for a member |
Do not add chat, slash-command, or broad admin.* scopes unless your security team requires them for unrelated reasons. See admin.users.session.reset.
Test with Responder using a non-production member account before production incidents.
Username format
Use the user’s email address.
Troubleshooting
| Symptom | Check |
|---|---|
user_not_found | Email not in the Enterprise Grid org |
missing_scope / not_allowed_token_type | Use a user token with admin.users:write |
http_403 | Org admin has not approved admin scopes |