Tips To Expedite Slack App Approval For General Use

Meenal Kekre
6 min read · Nov 9, 2023


The Software-as-a-Service (SaaS) delivery model has changed how software is developed. Continuous releases that bring new features and updates are essential to stay ahead of the competition and to grow the customer base and the product's popularity.

Our company has also been doing its best to keep up with this trend through defined roadmaps, scheduled releases and sprint planning. We were excited about integrating Slack messaging into our product (an intranet product delivered as a SaaS offering) in the GA release. Just before the release, however, we realized that the integration must go through Slack's review process, as per its guidelines, before it can be made publicly available. We had to go through multiple rounds of review, which put the schedule at risk. The lesson was to check for all such intricacies while planning deliveries.

This blog shares important tips to apply at the initial stage so that you avoid multiple rounds of review and expedite the approval process of your Slack app.

Let us first understand the basics of Slack integration.

Slack Integration Building Steps

Instead of building a messaging product from the ground up, it is preferable to leverage the well-defined Slack APIs for an enhanced collaboration solution. A range of APIs that provide access to read, write and update all kinds of data in Slack is made available through a Slack app.

While configuring a new Slack app, it is crucial to add the correct scopes, because they govern the capabilities and permissions of the app. There are two types of scopes: user token scopes and bot token scopes. User token scopes are used when the app needs to act as a specific user, for example when a specific user sends a message. Bot token scopes are used when the app itself takes an action, for example a broadcast message sent to all users of the system. A few scopes, such as groups:write and chat:write, exist in both forms. It is very important to decide on the type based on the functionality.

Once the app is configured and ready to use, it is integrated into the application by implementing the OAuth 2.0 authorization flow so that users can start using it.

Authorization With OAuth 2.0

As shown in the diagram, the access tokens required to call the Slack APIs are obtained through the OAuth flow.

After successful authorization, the Slack app is installed in the workspace the user selected. The user can now send and receive Slack messages programmatically on this workspace.
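The scope split and the OAuth flow described above, as an added example (this is not code from the original post or from Slack). It builds the OAuth v2 install link with bot scopes in `scope` and user scopes in `user_scope`, binds the callback to the browser session with a signed `state` value so a stolen or replayed callback cannot complete someone else's install, and assembles the form that is POSTed to `oauth.v2.access`. The `STATE_SECRET`, the ten-minute state lifetime, the session ids and the client id and secret shown are assumptions for illustration; the client secret is meant to come from an environment variable or a secrets manager, never a file in the repository.

```python
"""Added example (not from the original post or from Slack): building the
Slack OAuth v2 install link, binding the callback to a session with a signed
``state`` value, and assembling the token-exchange request.

Assumed for illustration: STATE_MAX_AGE, the state-signing secret, the
session ids, and the client id/secret values used in the demo.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SLACK_AUTHORIZE_URL = "https://slack.com/oauth/v2/authorize"
SLACK_TOKEN_URL = "https://slack.com/api/oauth.v2.access"
STATE_MAX_AGE = 10 * 60  # seconds an issued install link stays valid (assumed policy)


def _state_mac(state_secret, payload, session_id):
    # The MAC binds the nonce and issue time to the session that started the install.
    msg = f"{payload}:{session_id}".encode()
    return hmac.new(state_secret.encode(), msg, hashlib.sha256).hexdigest()


def make_state(state_secret, session_id, now=None):
    """Return 'nonce.issued.mac'; the callback must present it from the same session."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{secrets.token_urlsafe(16)}.{now}"
    return f"{payload}.{_state_mac(state_secret, payload, session_id)}"


def check_state(state_secret, state, session_id, now=None):
    """True only if the MAC matches this session and the state has not expired."""
    now = int(time.time()) if now is None else int(now)
    parts = state.split(".")
    if len(parts) != 3:
        return False
    nonce, issued, mac = parts
    if not issued.isdigit() or now - int(issued) > STATE_MAX_AGE:
        return False
    expected = _state_mac(state_secret, f"{nonce}.{issued}", session_id)
    return hmac.compare_digest(expected, mac)


def build_install_url(client_id, redirect_uri, bot_scopes, user_scopes, state):
    """Bot scopes go in 'scope', user scopes in 'user_scope' (OAuth v2 parameters)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(bot_scopes),
        "state": state,
    }
    if user_scopes:
        params["user_scope"] = ",".join(user_scopes)
    return f"{SLACK_AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url):
    """Pull 'code', 'state' and any 'error' out of the redirect Slack sends the user back with."""
    query = parse_qs(urlparse(callback_url).query)
    return {
        "code": query.get("code", [None])[0],
        "state": query.get("state", [None])[0],
        "error": query.get("error", [None])[0],
    }


def token_exchange_form(client_id, client_secret, code, redirect_uri):
    """Form fields POSTed to oauth.v2.access; the client secret never appears in a URL."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }


def complete_install(state_secret, session_id, callback_url,
                     client_id, client_secret, redirect_uri, now=None):
    """Validate the callback against the session before spending the code on a token exchange."""
    cb = parse_callback(callback_url)
    if cb["error"] or not cb["code"] or not cb["state"]:
        return None
    if not check_state(state_secret, cb["state"], session_id, now):
        return None  # state missing, expired, or issued to a different session
    return token_exchange_form(client_id, client_secret, cb["code"], redirect_uri)


if __name__ == "__main__":
    st = make_state("state-secret-example", "session-42")
    print(build_install_url("123.456", "https://app.example.com/slack/callback",
                            ["chat:write", "channels:read"], ["users:read"], st))
```

The `state` check is what ties the callback to the user who clicked the install link; without it, any callback carrying a valid `code` would be accepted. The actual POST to `SLACK_TOKEN_URL` is left to your HTTP client so the block runs offline.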

Slack App For Public Use

Slack recommends providing a link or an ‘Add to Slack’ button so that users can install the app with one click instead of going through the application's own workflow.

People outside the organization cannot use the Slack feature until the Slack app is added to the Slack App Directory, which is the listing of apps available for public use. People can browse the apps in the App Directory and understand their features and the problems they address. A user can install the app in their workspace through the ‘Add to Slack’ link or by direct install. Listing in the Slack App Directory thus improves visibility and broadens the reach. To be published in the App Directory, the app must pass a review by the Slack team, which assesses quality, reliability and usefulness before approving it.

Submit For Review

After testing the app and its integration with the product in a QA environment, deploy the application to a staging environment where all configuration matches production. Create test accounts to be shared with the Slack team.

You are now ready to fill in the ‘Submit to App Directory’ section. Once submitted, you will receive a confirmation and your request will be queued.

The Review Process

The review consists of the App Directory team checking your app against the guidelines and the submission checklist.

In the preliminary review, the Slack review team carefully goes through the information submitted. Once you receive the feedback, you need to make the required changes in the app and submit it again. During this part of the review, your place in the queue is reset each time you resubmit, so you need to be diligent.

Once the preliminary review is done, a reviewer is assigned to complete the functional review. The reviewer follows the instructions in the test document and the user flows of the application in the test environment you specified. The review may be rejected at this stage if there are discrepancies, defects or a poor user experience. Unlike the preliminary review, your place in the queue is not reset when you resubmit the changes.

To avoid resubmissions in the preliminary review, here are some points to consider.

Points To Consider For Smooth And Effective Review

1. Create separate apps for development, QA and production. Only the production app is submitted for review. Plan to use the same app across releases. If there is any change in the features, you will have to go through the update review process, which is quicker than creating a new app and going through a full review.

2. Slack recommends providing an ‘Add to Slack’ link or button to install the Slack app directly without going through the application flow. This should be added to the installation document provided for review; the Slack team uses this link to verify the app during review.

3. Always write Slack with a capital ‘S’ in all product documents.

4. Add the scopes in ‘Review Scopes’ judiciously. Importance is given to the reason for each scope added in the ‘Review Scopes’ section. Think about the following:

· Is the scope absolutely required for the user flows described in the document?

· Can any other scope replace it?

· Should it be a user token scope or a bot token scope?

The scopes added should be functional and in use. Every scope added must be justified; any scope added with a future requirement in mind should be avoided.

5. The client ID and client secret are the identity of the app and are used for authorization during the OAuth negotiation. They should be preserved and exposed only according to security norms. A service such as AWS Secrets Manager can be leveraged instead of storing them in files or a database. Both should be encrypted before being exposed on the network.

6. Make sure that you validate each request coming from Slack, either by verifying the signature carried in the ‘X-Slack-Signature’ HTTP header in the application code, or by using mutual TLS: configure the TLS-terminating server to request a client certificate and add the header ‘X-Client-Certificate-SAN’, whose value should match the intended domain.

7. As a good practice, make sure to add a workflow to uninstall the app when it is no longer required. The app can be installed multiple times by the same user and by additional users on the same workspace. This leads to ambiguous behaviour, as the old installations remain in the workspace unless they are removed explicitly.
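The signature check from point 6 and the clean-up from point 7, as an added example (this is not code from the original post or from Slack). It recomputes the `v0` HMAC-SHA256 signature over the raw request body, rejects requests whose `X-Slack-Request-Timestamp` is outside a replay window, compares in constant time, and only then parses the body; an `app_uninstalled` event then removes the stored installation for that workspace so stale tokens do not linger. The five-minute window, the in-memory `InstallStore`, and the signing secret, team id and token strings are constructed for illustration.

```python
"""Added example (not from the original post or from Slack): verifying the
X-Slack-Signature header on an inbound request, then handling the
``app_uninstalled`` event so stored tokens for that workspace are dropped.

Assumed for illustration: MAX_SKEW_SECONDS, the in-memory InstallStore, and
the sample secret, team id and token values below (all constructed).
"""
import hashlib
import hmac
import json
import time

SIGNATURE_VERSION = "v0"
MAX_SKEW_SECONDS = 5 * 60  # assumed replay window; older timestamps are rejected


def compute_signature(signing_secret, timestamp, raw_body):
    """HMAC-SHA256 over 'v0:<timestamp>:<raw body>' keyed with the app's signing secret."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:{raw_body}".encode()
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Check freshness first, then compare the presented signature in constant time."""
    timestamp = headers.get("X-Slack-Request-Timestamp")
    presented = headers.get("X-Slack-Signature")
    if timestamp is None or presented is None:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed request
    expected = compute_signature(signing_secret, timestamp, raw_body)
    return hmac.compare_digest(expected, presented)


class InstallStore:
    """Stand-in for the persistent installation store (assumed; in-memory here)."""

    def __init__(self):
        self._by_team = {}

    def save(self, team_id, bot_token):
        self._by_team[team_id] = bot_token

    def has(self, team_id):
        return team_id in self._by_team

    def delete(self, team_id):
        return self._by_team.pop(team_id, None) is not None


def handle_event(store, payload):
    """Answer url_verification and clean up on app_uninstalled; ignore everything else."""
    kind = payload.get("type")
    if kind == "url_verification":
        return {"challenge": payload.get("challenge", "")}
    if kind == "event_callback" and payload.get("event", {}).get("type") == "app_uninstalled":
        removed = store.delete(payload.get("team_id"))
        return {"ok": True, "action": "installation_removed" if removed else "not_installed"}
    return {"ok": True, "action": "ignored"}


def process_request(signing_secret, store, headers, raw_body, now=None):
    """Gate every inbound request on the signature before the body is even parsed."""
    if not verify_slack_request(signing_secret, headers, raw_body, now):
        return 401, {"error": "invalid_signature"}
    return 200, handle_event(store, json.loads(raw_body))


# Constructed sample: what a signed app_uninstalled event looks like on the wire.
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = json.dumps({"type": "event_callback", "team_id": "T0EXAMPLE",
                          "event": {"type": "app_uninstalled"}})


def signed_headers(signing_secret, raw_body, timestamp):
    """Build the two headers Slack sends (used here only to produce sample traffic)."""
    return {
        "X-Slack-Request-Timestamp": str(timestamp),
        "X-Slack-Signature": compute_signature(signing_secret, str(timestamp), raw_body),
    }


if __name__ == "__main__":
    store = InstallStore()
    store.save("T0EXAMPLE", "xoxb-example-token")
    now = int(time.time())
    print(process_request(SAMPLE_SECRET, store,
                          signed_headers(SAMPLE_SECRET, SAMPLE_BODY, now), SAMPLE_BODY, now))
```

The signature must be computed over the raw body bytes exactly as received; re-serialising parsed JSON before signing is a common way to break verification. The `tokens_revoked` event can be handled in the same branch structure when individual user tokens, rather than the whole installation, are withdrawn.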

Updating The App

Once your app is published in the App Directory, the live version of your app is locked, which means you cannot make any changes without submitting them for review.

Any updates to your app's configuration, such as scope changes or updated redirect URIs, will not take effect until you have submitted and published the changes. Otherwise, your app will show customers an error and cannot be installed.

Summary

During roadmap discussions, planning and product management, while committing to a timeline we generally tend to emphasise getting the features and functionality done, and sometimes ignore important legal terms, regulations and license requirements specified in the documents. This appears trivial but can turn out to be costly if it forces changes to the workflows or the user experience.

Instead, scrutinizing the available documents, understanding the processes and making the right provisions early in the project lifecycle helps with timely deliveries, fulfilling commitments and customer satisfaction.
