Agentic Data Plane
beta

Slack Managed MCP Server

The Slack managed MCP server is the canonical user-delegated OAuth example for Redpanda ADP. Each agent caller authenticates against Slack with their own credentials, and Redpanda injects their token at call time: so messages posted by the agent appear as the user, not as a shared bot.

After reading this page, you will be able to:

  • Configure the Slack managed MCP server with user-delegated OAuth

  • Walk through the consent flow and verify the connection on the Connections page

  • Send a test message through the Inspector

What this MCP server does

The Slack managed type exposes the following tools:

  • read_thread: Read all messages in a thread, given a channel ID and thread timestamp.

  • post: Send a message to a channel, optionally as a threaded reply, using plain text or Block Kit blocks.

  • react: Add or remove an emoji reaction on a message.

Prerequisites

Before you create the server, make sure you have:

  • A Slack workspace where you can install or authorize an OAuth app.

  • A Slack OAuth app registered (your own or a Redpanda-published reference app).

  • An OAuth Provider configured in ADP under OAuth Providers, pointing at Slack’s authorize/token URLs and carrying the OAuth app’s client credentials. See Configure an OAuth Provider.

  • Familiarity with Configure User-Delegated OAuth.

Configure

Create a new Slack MCP server in ADP:

  1. Open MCP Servers > Create Server.

  2. Pick Slack from the marketplace picker.

  3. Fill in the identity fields (name, description).

  4. In the Slack configuration form:

    • Auth: Choose a Bot token (a shared xoxb- token from the secret store) or User-delegated OAuth (per-user identity).

      • For User-delegated OAuth: Pick the Slack OAuth Provider you configured and set Required scopes for the tools you use (see Authentication scopes).

    • Post options (optional): Toggle markdown formatting, link unfurling, media unfurling, and automatic link names.

    • Reaction options (optional): Maximum concurrent reaction calls. Defaults to 64.

  5. Click Create.

    There’s no workspace field: the bot token or the user’s OAuth grant determines the workspace.

After creating the server, run a tool that requires Slack authentication to verify the consent flow end-to-end:

  1. Open the Inspector tab.

  2. Run a tool that requires the user’s identity, for example post.

  3. The first call returns OAuthConnectionRequired with a Slack authorize_url. The Inspector surfaces it as a consent prompt.

  4. Click Authorize. You’re redirected to Slack; pick the workspace and approve the requested scopes.

  5. Slack redirects back to ADP. Your connection now appears under Connections.

  6. Re-run the original tool call. The message posts to Slack as your user.

Authentication scopes

When you use user-delegated OAuth, the tools need Slack scopes that match what they do:

  • post needs chat:write. To post in channels the user isn’t a member of, add chat:write.public.

  • read_thread needs a history scope for the channel type, for example channels:history (public) or groups:history (private).

  • react needs reactions:write.

Other gotchas:

  • chat:write is a user scope; chat:write.public is separate.

  • Tokens are workspace-scoped: the same user authorizing twice across two workspaces produces two separate connections.

Use with agents

Once the server is created and at least one user has consented, you can point an agent at the API URL on the server’s detail page. Each user calling the agent will trigger their own consent flow if they haven’t connected yet.

Troubleshooting

Common symptoms and fixes:

Symptom What to check

OAuthConnectionRequired even after consent

The token might be revoked or expired with no refresh. Check Connections; remove and re-add if needed.

scope_upgrade_required

The server’s required scopes were widened after the user consented. The user re-consents to grant the new scope.

"channel not found" on a channel the user can see in Slack

Reading a private channel’s thread needs the groups:history scope. Add it to the server’s required scopes and have users re-consent.

invalid_auth from Slack

The OAuth Provider’s client credentials are wrong, or the OAuth app has been suspended in Slack. Check the provider config.

Limitations

This page does not cover:

  • Configuring the Slack OAuth app: Slack-side configuration (creating the app, picking redirect URIs, choosing scopes) happens in api.slack.com, not in ADP.

  • Listing channels and looking up users: Not exposed as tools. The server reads threads, posts messages, and adds reactions.