I am inegrating slack on my server in order to handle the OAuth 2.0 install flow for my Slack App as well as the bot-functionality that comes with it.
Everything is clear to me except one thing. The docs state the following about the verification/authorization codes which are send in exchange for the code I am receiving through the redirection link I provided:
Authorization codes may only be exchanged once and expire 10 minutes after issuance.
If I understand this correctly, this means that if my server misses this authorization code, or simply does not manage to store the access_token or the bot credentials in my database, the user basically receives a half-dead app. Is that correct?
The user will still be able to run slashed commands e.g. /help but my bot won't work because I lost the bot_user_id and the bot_access_token.
So the question is whether this is accurate, and if not, how am I able to recover these credentials or do I really have only one shot here?
Yes, if your app somehow fails to receive or store the token during the installation process it will be installed (e.g. slash commands will be working, you will receive events), but you will be missing the token to call any API methods for that workspace.
To recover from this situation you should tell the user on your webpage, where he clicked the "Add To Slack" button, that the installation failed and that he should retry (e.g. click the "Add To Slack" button again). You would normally show the user the result of the installation process on your web page, which might also include standard "errors", like when the user canceled the process on the Slack side.
In addition you may want to show a user error for every slash command. You would normally have that anyway if your slash command tries to perform API calls, but it might make sense to also include an error to all the ones that does not (e.g. help or version sub commands).