How to Connect ChatbotIQ to Slack
Connect a ChatbotIQ bot to your Slack workspace so teammates can ask it questions in channels or DMs. Each Slack thread becomes its own conversation in your ChatbotIQ dashboard, billed against the same plan as your web widget chats.
Before you start
- You must be an Admin or Owner of the ChatbotIQ workspace.
- You must be an Owner of the Slack workspace you want to install into. Slack only allows owners to install apps that aren’t listed in the Slack Marketplace.
- The ChatbotIQ bot you want to use must already exist (you can switch which bot answers later without re-installing).
Connect Slack to your bot
- Open your bot in the dashboard.
- Click “Design & Deploy” to open the Playground.
- Switch to the Deploy tab.
- Scroll to the Slack panel and click “Connect to Slack”.
- Slack will ask you to choose a workspace and approve the requested permissions. Click Allow.
- You’ll land back on the bot’s Deploy tab with a green “Connected” badge.
In Slack, you can now:
- DM the bot directly: open the bot in the sidebar (or search “ChatbotIQ” in the Apps section) and just type. DMs work immediately after install — no extra setup.
- Mention the bot in a channel: @ChatbotIQ what's our refund policy? — but the bot has to be a member of that channel first (see below).
- Continue in a thread: re-mention the bot — every reply in a thread requires @ChatbotIQ (this matches how Anthropic’s Claude and OpenAI’s ChatGPT Slack apps work, and is what Slack’s platform supports).
The bot acknowledges your message with an :hourglass: reaction while it’s thinking, then posts the answer in-thread. Sources used to build the answer appear as a footer with numbered citations.
Add the bot to a channel
For privacy, Slack only delivers channel mentions to bots that are members of that channel. To add the bot:
- Type /invite @ChatbotIQ in the channel, or
- Just @ChatbotIQ <your question> — Slack will pop a dialog saying “This person isn’t in the channel. Add ChatbotIQ?” — click Add to Channel, or
- Open the channel’s details panel → Integrations tab → Add apps → pick ChatbotIQ.
Once it’s a member, the @mention works for that channel until someone removes it. The bot only sees messages where it’s explicitly mentioned — it doesn’t read general channel chatter (we don’t request the channels:history scope for this reason).
Bots often get auto-added to your workspace’s “everyone” channel (e.g. #all-yourcompany) on install. That’s controlled by your workspace’s default-channels settings, not by us.
Switch which bot answers in Slack
Only one ChatbotIQ bot can answer per Slack workspace at a time. To switch:
- Open the Deploy tab for the new bot you want to use.
- In the Slack panel, you’ll see “Slack is currently routing to {other bot}”.
- Click “Use this bot in Slack instead”.
The Slack workspace stays connected — no re-install needed, no tokens reissued.
Disconnect Slack
On the connected bot’s Deploy tab, click “Disconnect”. The bot stops answering in Slack immediately. Your conversation history stays in the ChatbotIQ dashboard.
If you reinstall later, you’ll go through the full OAuth flow again. We don’t keep tokens after disconnect.
Rename the bot in Slack
By default the bot appears as ChatbotIQ in every workspace that installs the app. If you’d like to give it a custom name in your workspace — for example, Acme Support or Pricefx Helper — a Slack workspace admin can rename it from inside Slack itself.
You need to land on your workspace’s Installed Apps page first. The fastest way:
- In Slack, click your workspace name in the top-left, then Settings & administration. Choose whichever of these you see (the label changes by plan): Manage apps • Manage integrations • Apps & integrations.
- The page that loads has the URL https://app.slack.com/apps-manage/<TEAM_ID>/integrations/installed. If the menu shortcut is hard to find, you can also paste that URL directly (replace <TEAM_ID> with your workspace ID).
Once you’re on the Installed Apps page:
- Find ChatbotIQ in the list (use the Description includes search box if needed) and click its name.
- Switch to the Configuration tab.
- Under Bot Users, click Edit next to the bot.
- Type the new name in the Edit bot name dialog and Save Changes.
The new name applies only to your workspace — other workspaces that install the app still see “ChatbotIQ”. Renaming doesn’t change the OAuth scopes, tokens, or anything on our side.
If your organisation is on Enterprise Grid, the path is similar but routed through the org: Tools & settings → Organization settings → Integrations → Installed Apps, then open ChatbotIQ from there.
Change the bot’s avatar
The same Bot Users → Edit dialog typically lets a workspace admin upload a custom avatar alongside the name. Slack stores the avatar per workspace, just like the name. If you’d like an avatar that matches every workspace by default, contact us — that has to be set on the app-level icon at api.slack.com and is controlled by ChatbotIQ.
Security guarantees
Slack tokens give an app significant access to a customer’s workspace. The integration is designed so that a database breach, a stolen secret, or a malicious replayed event is contained.
Inbound (Slack → ChatbotIQ)
- HMAC signature on every webhook. Every event Slack sends is signed with your Slack app’s signing secret. We verify the signature on the raw request body (constant-time compare) before parsing JSON. A forged or tampered event is rejected with HTTP 401.
- Replay window of 5 minutes. Events with a timestamp older than 5 minutes are rejected, even if the signature is valid. Defends against an attacker capturing a valid event and replaying it later.
- Idempotency. Slack retries events when we don’t acknowledge within 3 seconds. We deduplicate by Slack’s event_id in Redis with a 5-minute window, so retries never cause double answers or double billing.
- Per-team rate limit. Each Slack workspace is limited to 300 events per minute / 10,000 per hour reaching our worker, regardless of signature validity. Bounds the blast radius of any compromised secret.
- Body-size cap. Payloads larger than 64 KB are rejected before signature verification. Slack events are normally 1–5 KB; anything bigger is either misconfigured or hostile.
- Cross-tenant guard. After loading the install record for a Slack workspace, we re-verify that the incoming team_id matches — preventing any bug from routing one customer’s event to another customer’s bot.
- Bot-to-bot and self-message filter. Messages posted by other bots (or by our own bot, accidentally) are dropped without processing. Defends against prompt-injection attacks via inter-bot chatter.
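The order of the inbound checks matters: size cap, then timestamp, then signature over the raw bytes, and only then JSON parsing, the tenant check and deduplication. The sketch below is an added example, not ChatbotIQ's code; it uses Slack's v0 signing scheme, and the in-memory `seen` dict (standing in for Redis), the function names, the sample values and every status code other than 401 are assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_BODY = 64 * 1024     # body-size cap stated on the page
WINDOW = 5 * 60          # replay window and dedup window stated on the page

def sign(secret: bytes, ts: str, body: bytes) -> str:
    # Slack's v0 scheme: HMAC-SHA256 over "v0:<timestamp>:<raw body>"
    mac = hmac.new(secret, b"v0:" + ts.encode() + b":" + body, hashlib.sha256)
    return "v0=" + mac.hexdigest()

def check_event(secret, headers, body, install_team_id, seen, now=None):
    """Return (status, reason). `seen` (event_id -> expiry) is an in-memory
    stand-in for Redis; every status except 401 is this example's choice."""
    now = time.time() if now is None else now
    if len(body) > MAX_BODY:                     # cheap check before any crypto
        return 413, "body too large"
    ts = headers.get("X-Slack-Request-Timestamp", "")
    if not ts.isdecimal() or abs(now - int(ts)) > WINDOW:
        return 401, "stale or missing timestamp"
    got = headers.get("X-Slack-Signature", "")
    if not hmac.compare_digest(sign(secret, ts, body).encode(), got.encode()):
        return 401, "bad signature"              # constant-time, over raw bytes
    event = json.loads(body)                     # parse only after authentication
    if event.get("team_id") != install_team_id:  # cross-tenant guard
        return 403, "team mismatch"
    event_id = event.get("event_id")
    if seen.get(event_id, 0) > now:              # Slack retry: acknowledge, do no work
        return 200, "duplicate"
    seen[event_id] = now + WINDOW
    return 200, "accepted"

# Constructed sample request (not a real Slack payload or secret).
SECRET = b"constructed-signing-secret"
BODY = json.dumps({"team_id": "T0EXAMPLE", "event_id": "Ev0EXAMPLE",
                   "event": {"type": "app_mention", "text": "hi"}}).encode()
NOW = 1_700_000_000

def sample_headers(ts=NOW):
    return {"X-Slack-Request-Timestamp": str(ts),
            "X-Slack-Signature": sign(SECRET, str(ts), BODY)}

if __name__ == "__main__":
    seen = {}
    for label, hdrs in [("fresh", sample_headers()), ("retry", sample_headers()),
                        ("replayed", sample_headers(NOW - 600))]:
        print(label, check_event(SECRET, hdrs, BODY, "T0EXAMPLE", seen, now=NOW))
```

A correctly signed event that is 10 minutes old is still rejected, which is the property the replay window adds on top of the HMAC.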
OAuth install flow
- CSRF protection. Each install is issued a single-use, 10-minute, cryptographically random state token stored server-side in Redis. The token is deleted as soon as the OAuth callback consumes it.
- PKCE (Proof Key for Code Exchange) on every install. Defends against authorization-code interception in transit.
- Exact-match redirect URI. Slack enforces that the OAuth redirect URL matches what’s registered for our app, character-for-character. Stolen client_ids can’t be redirected elsewhere.
- Admin-only install. Only ChatbotIQ workspace admins or owners can start an install. The state token binds the install to the ChatbotIQ user who initiated it.
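How a single-use state token bound to the initiating user combines with a PKCE S256 challenge, as an added example that is not ChatbotIQ's code. The `store` dict standing in for Redis, the function names and the user IDs are assumptions; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import secrets
import time

STATE_TTL = 10 * 60   # 10-minute state lifetime stated on the page

def s256(verifier: str) -> str:
    # RFC 7636 S256: BASE64URL(SHA256(code_verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def start_install(store, user_id, now=None):
    """Begin an install; returns (state, code_challenge) for the authorize
    redirect. `store` is a dict standing in for Redis (assumption)."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)        # unguessable CSRF token
    verifier = secrets.token_urlsafe(64)     # 86 chars, inside RFC 7636's 43-128
    store[state] = {"user": user_id, "verifier": verifier, "exp": now + STATE_TTL}
    return state, s256(verifier)

def finish_install(store, state, user_id, now=None):
    """Handle the callback; returns the code_verifier to send with the
    token exchange, or None if the callback must be refused."""
    now = time.time() if now is None else now
    entry = store.pop(state, None)           # pop makes the token single-use,
    if entry is None:                        # even when a later check fails
        return None
    if entry["exp"] < now:                   # older than 10 minutes
        return None
    if entry["user"] != user_id:             # callback arrived in another user's session
        return None
    return entry["verifier"]

if __name__ == "__main__":
    store = {}
    state, challenge = start_install(store, "user-constructed-1")
    verifier = finish_install(store, state, "user-constructed-1")
    print("challenge matches verifier:", s256(verifier) == challenge)
    print("second use of same state:", finish_install(store, state, "user-constructed-1"))
```

Because the verifier never leaves the server until the token exchange, an authorization code intercepted in transit cannot be redeemed without it.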
Token storage
- Encrypted at rest. Slack access tokens and refresh tokens are encrypted with Fernet (AES-128-CBC + HMAC-SHA-256) using a key held outside the application database. A database snapshot or backup leak does not yield usable tokens.
- Never logged. OAuth response payloads are never logged, only the error code. Decrypted tokens stay in memory for the duration of one API call.
- Token rotation supported. If you opt in to rotation on Slack’s side, access tokens expire every 12 hours. We refresh them proactively (5-minute lead) using the encrypted refresh token, and persist the new pair atomically. A token leaked at hour 11 is invalid by hour 13.
Outbound (ChatbotIQ → Slack)
- Link unfurling disabled. Every chat.postMessage we send sets unfurl_links=false and unfurl_media=false. This blocks the Slack-AI-style indirect prompt-injection attack where a malicious link in the bot’s reply could exfiltrate data via Slack’s preview fetcher.
- Minimal scopes. We request only app_mentions:read, chat:write, im:history, im:read, and reactions:write. No channels:history (we don’t see channel messages unless directly mentioned), no users:read (we don’t read user profiles), no files:read. Every scope is justifiable and used.
- Plain-text fallback. If Slack rejects our rich message blocks for any reason, we automatically retry as plain text so the answer still reaches the user — defence-in-depth against silent failures.
Audit & compliance
- Install, uninstall, and bot-reassignment events are written to the audit log with the actor’s user ID, IP address, and User-Agent.
- The conversation, message, and citation data captured from Slack is stored the same way as web widget chats and is covered by our Security and Privacy practices.
- The data we receive from Slack is whatever your team writes in mentions or DMs — we don’t subscribe to channel history. Slack is the data processor for your messages in transit; ChatbotIQ is a sub-processor.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| “Connect to Slack” button does nothing | Browser blocked the redirect | Try again in a non-private tab or disable popup blockers |
| OAuth screen says “Apologies, but ChatbotIQ can’t be installed” | You’re signed into a Slack workspace where you’re not the owner | Switch workspace (top-right of consent screen) or sign in to the one you own |
| Bot doesn’t reply to a channel @mention | Bot isn’t a member of that channel | Run /invite @ChatbotIQ in the channel, or @mention and use Slack’s “Add to Channel” prompt |
| Bot doesn’t reply to a thread message | You didn’t @mention the bot in the reply | Re-mention the bot — Slack only delivers thread messages to apps when explicitly mentioned |
| Bot replies to channel mentions but not DMs | Bot was uninstalled or DM scope was revoked | Disconnect and reconnect from the Deploy tab |
| Long answer truncated with “…response truncated. Try a more specific question.” | Answer was too long to fit Slack’s message block limits, so it was split into blocks and capped | Ask a narrower question; the full answer is in your dashboard under Conversations |
| All replies show as plain text without formatting | Slack rejected the Block Kit payload and we fell back to plain text | Report it to support — likely a content-shape edge case in our markdown handling |
If the bot stops responding entirely, check the Conversations page in your dashboard: a row with status slack but no assistant reply means we received the event but failed to answer (worker error, credit exhaustion, or LLM provider outage).