
Which slack token to use for my slack bot app


I just created a new Slack app and added a bot to it.

Now I have 2 tokens available:

  • OAuth Access Token (xoxp)
  • Bot User OAuth Access Token (xoxb)

Which token should I use when writing my bot application?

According to the doc:

Bot user tokens have a broad set of permissions that cannot be modified

I guess I can use the xoxb token for RTM and the Web API since it has built-in scopes.

But I don't know what is beyond "a broad set of permissions", and in which cases I should use the xoxp token (+ configure some scopes) rather than the xoxb token.


Solution

  • In general you always want to use the bot token for all Web API calls, since it represents your bot user, as opposed to the "OAuth Access Token" aka "user token", which represents the user who installed your app.

    That means that actions performed with the bot token will always look like they are coming from the bot user, while actions performed with the user token can look like they are coming from the user who installed the app (e.g. posting a message).

    Another benefit is that it comes with a lot of permissions built in, so you do not need to request additional permissions for your app.

    However, there are some API methods that do not (fully) support the bot token (e.g. team.accessLogs). For those you need to use the user token (and request necessary permissions).

    You can see in the documentation for each Web API endpoint which token types are supported. Note that some API methods will support the bot token only for bot-related actions, but not actions related to other users, e.g. chat.delete will only work to delete messages created by the bot, but not by other users.
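
An added example, not part of the original answer: one way to encode the rule above so the bot token is the default and the user token is used only for calls the bot token cannot make. The names `token_kind`, `pick_token`, `build_request`, `USER_ONLY` and `author_is_bot` are hypothetical, the tokens are constructed placeholders, and the request is built but never sent.

```python
import urllib.parse
import urllib.request

# Token kinds by prefix, as listed in the question above.
PREFIXES = {"xoxb-": "bot", "xoxp-": "user"}
# Methods the answer names as not supporting the bot token. Extend this set
# from the supported token types on each method's documentation page.
USER_ONLY = {"team.accessLogs"}


def token_kind(token):
    """Classify a token as 'bot' or 'user' from its prefix."""
    for prefix, kind in PREFIXES.items():
        if token.startswith(prefix):
            return kind
    raise ValueError("unrecognised Slack token prefix")


def pick_token(method, bot_token, user_token=None, *, author_is_bot=True):
    """Return the token to use for `method`, preferring the bot token."""
    if token_kind(bot_token) != "bot":
        raise ValueError("bot_token is not an xoxb token")
    # chat.delete with the bot token only works on the bot's own messages.
    needs_user = method in USER_ONLY or (
        method == "chat.delete" and not author_is_bot)
    if not needs_user:
        return bot_token
    if user_token is None or token_kind(user_token) != "user":
        raise PermissionError(
            f"{method} needs a user (xoxp) token with the required scopes")
    return user_token


def build_request(method, token, **params):
    """Build (but do not send) a Web API call with the token as a bearer header."""
    return urllib.request.Request(
        f"https://slack.com/api/{method}",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )


if __name__ == "__main__":
    BOT = "xoxb-constructed-example"   # constructed placeholder, not a real token
    USER = "xoxp-constructed-example"  # constructed placeholder, not a real token
    for name in ("chat.postMessage", "team.accessLogs"):
        print(name, "->", token_kind(pick_token(name, BOT, USER)))
```

Failing with `PermissionError` when no user token is configured keeps the app from silently holding a user token it does not need.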