Connecting Slack — user scopes vs bot scopes

This guide covers connecting Slack to Harriet, with special attention to the configuration that trips up most setups: User Token Scopes vs Bot Token Scopes.

You'll need: permission to create apps in your Slack workspace, and access to Harriet's Company settings → Integrations.

How access works (before you start)

Harriet connects to Slack with each user's own account, not a shared bot. Installing the connector registers an OAuth app; afterwards, every user authorizes Slack individually under Profile → Integrations, and Harriet acts with that user's own Slack permissions — they can only see the channels and messages they could see in Slack themselves.

User scopes, not bot scopes

This is the single most common Slack misconfiguration:

• Bot Token Scopes grant abilities to a bot user. Harriet does not use a bot token, so bot scopes have no effect on what Harriet can do.
• User Token Scopes are granted to each connecting user. These are the only scopes that matter for the Harriet connector.

If Slack capabilities appear limited or read-only — for example, search works but posting doesn't — the cause is almost always missing User Token Scopes on your Slack app. Adding the same scopes under Bot Token Scopes does not fix it.

Step 1 — Create a Slack app

1. Go to https://api.slack.com/apps and click Create New App → From scratch.
2. Name it (e.g. Harriet) and pick your workspace.

Step 2 — Add the redirect URLs

Under OAuth & Permissions → Redirect URLs, add both:

https://hrharriet.com/bots/integrations/mcp/oauth/callback/
https://harriethq.com/bots/integrations/mcp/oauth/callback/

The match must be exact, including the trailing slash.

Step 3 — Add the User Token Scopes

Under OAuth & Permissions → Scopes, add the following under User Token Scopes (not Bot Token Scopes):

search:read.public
search:read.private
search:read.mpim
search:read.im
search:read.files
search:read.users
chat:write
channels:history
groups:history
mpim:history
im:history
canvases:read
canvases:write
users:read
users:read.email
reactions:write
reactions:read
emoji:read
files:read
channels:write
groups:write
im:write
mpim:write
channels:read
groups:read
mpim:read

You can omit scopes for capabilities you don't want — for example, leave out chat:write for a read-only rollout — but anything missing here will be missing from what Harriet can do for every user.

Step 4 — Enter the credentials in Harriet

From your Slack app's Basic Information page, copy the Client ID and Client Secret into Harriet's Install Slack dialog.

Step 5 — Review, connect, verify

1. If your organization uses Endpoint AI review, submit the connector for review and have it approved.
2. On the connector, click Sync tools so Harriet discovers the Slack actions, then enable the tools you want under Tool permissions and save.
3. Attach the connector to a skill and assign the skill.
4. Connect your own Slack account under Profile → Integrations and approve the consent screen.
5. Verify it works: ask Harriet to "find the latest messages in #general", and if you enabled write scopes, to post a test message somewhere harmless.

Troubleshooting

Symptom	Most likely cause
Search works but posting/reacting doesn't	Write scopes (chat:write, reactions:write, …) missing from User Token Scopes — or added under Bot Token Scopes by mistake.
User consent screen shows an OAuth error	Redirect URL missing or inexact (Step 2), or Client ID/secret mismatch (Step 4).
A user can't see channels others can	Expected — each user gets their own access. Harriet sees exactly what that user can see in Slack.
Scope changes don't seem to apply	Users who connected before the change must disconnect and reconnect Slack under Profile → Integrations to grant the new scopes.

See also How to create an MCP connector (Company settings) and MCP authorization and stored credentials.