I'm trying to call Slack's API from browser, so I ran following in Chrome's dev console, and got an error:
await (await fetch("https://slack.com/api/apps.connections.open", {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: new URLSearchParams({'token': 'xapp-1-MYTOKEN'})
})).json()
→ {ok: false, error: 'invalid_auth'}
I thought that providing token via request body should be fine, for the documentation says so:
Tokens should be passed as an HTTP Authorization header or alternatively, as a POST parameter.
Am I missing something?
I tried equivalent (I think) cURL commands and the same result.
$ curl -s --data-urlencode token@TOKEN https://slack.com/api/apps.connections.open | jq
{
"ok": false,
"error": "invalid_auth"
}
I made sure that my token was correct; the API call succeeds when I send the token via Authorization header:
$ curl -s -X POST -H Authorization:\ Bearer\ $(<TOKEN) https://slack.com/api/apps.connections.open | jq .ok
true
Note that Authorization header cannot used when using Fetch API, for CORS limitation (the access-control-allow-headers header doesn't include "Authorization").
I understand that generally it's not a good idea to call Slack API from browser, to keep token secret.
I contacted to Slack support, and got an answer: their documentation is currently incorrect and tokens should always be passed as an HTTP Authorization header when you use this API.