
Slack Integration

Connect a Slack workspace so DriftWise can post scheduled-scan failure notifications to channels you choose. Installation uses Slack's OAuth flow — DriftWise never sees your workspace password, and the bot token is stored encrypted at rest.

Plan requirement

Slack integration is available on Team and Enterprise plans. Free-tier orgs will receive 402 Payment Required when attempting to install. See Plans & Billing.

What It Does

  • Posts notifications when a scheduled scan fails, and again when a schedule is auto-disabled after repeated consecutive failures
  • Supports routing different schedules to different channels via each schedule's notify_slack_channel field
  • One active installation per org — reinstalling the same workspace updates the record; installing a different workspace becomes the new active one and the prior install stops receiving notifications

Not currently delivered over Slack: ad-hoc (non-scheduled) scan results, scan-success messages, drift-change summaries. These events exist in the product but don't flow through the notification dispatcher.

Installation

Via the UI

  1. Open the Settings tab and find the Slack Integration card
  2. Click Add to Slack — the browser navigates to Slack's consent screen
  3. Pick the workspace, then approve the requested scopes (chat:write, incoming-webhook)
  4. Slack redirects back to Settings with the integration marked Connected to your workspace name

Slack will ask you to select a default channel as part of the incoming-webhook step. This is a Slack UX requirement — DriftWise does not actually post to that channel. The channel for every notification is set per schedule via notify_slack_channel (see below), so picking anything here is fine.

Only members with the owner or admin role can initiate or remove a Slack installation.

Via the API

Start the OAuth flow programmatically — the endpoint returns the Slack authorization URL for you to open in a browser:

curl -X POST "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/slack/install" \
  -H "x-api-key: $DRIFTWISE_API_KEY"

Response:

{ "url": "https://slack.com/oauth/v2/authorize?..." }

After the user approves on Slack, Slack redirects to /api/v2/slack/callback with the authorization code and the signed state parameter. The callback verifies the state first (it is bound to the user and org that called the install endpoint, so that same user has to complete the approval), then exchanges the code for a bot token and completes the installation.

Inviting the Bot to Channels

After installation, invite the DriftWise bot to each channel you want notifications in:

/invite @driftwise

The bot posts with the chat:write scope, which only allows posting to channels the bot is a member of, so the invite above is required for every channel you plan to reference. Once the bot is in a channel, reference that channel in the scheduled scan configuration:

curl -X PUT "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/schedules/$SCHEDULE_ID" \
  -H "x-api-key: $DRIFTWISE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "notify_slack_channel": "#infra-drift" }'

Different schedules can post to different channels.

Checking Status

curl "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/slack/status" \
  -H "x-api-key: $DRIFTWISE_API_KEY"

When installed:

{
"installed": true,
"team_id": "T01234567",
"team_name": "Your Workspace",
"scopes": ["chat:write", "incoming-webhook"],
"created_at": "2026-04-12T10:30:00Z"
}

When not installed:

{ "installed": false }

When the Slack app is not configured on the server side:

{ "installed": false, "available": false }

Uninstall

curl -X DELETE "https://app.driftwise.ai/api/v2/orgs/$ORG_ID/slack/uninstall" \
  -H "x-api-key: $DRIFTWISE_API_KEY"

Uninstall revokes the bot token against Slack's API (best-effort) and deletes the installation record from DriftWise. Owner/admin only.

Audit Events

All install/uninstall actions write to the audit log:

Action           Recorded when
slack.install    OAuth callback completes successfully
slack.uninstall  Installation record is deleted

Both events record the Slack team_id and team_name. The bot token is never logged.

Security Notes

  • Bot tokens are encrypted at rest with the server's encryption key and only decrypted in-memory for posting
  • OAuth state is HMAC-signed and bound to the initiating user's ID + org ID — prevents cross-org and cross-user CSRF
  • Org membership is re-verified inside the OAuth callback; if the user was removed between initiate and approve, the installation is rejected with 403
  • Plan eligibility is re-checked in the callback — a downgrade between initiate and approve causes the installation to fail closed
  • The callback endpoint is rate-limited per source IP, so it cannot be used to drive a high volume of outbound Slack API calls (each callback triggers a code-for-token exchange against Slack)
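The state handling and callback checks listed above, as an added illustration written for this page rather than DriftWise's own code. The encoding of the state (base64url JSON body plus an HMAC-SHA256 tag), the 600-second lifetime, the function names and the 402 returned when the plan check fails in the callback are all assumptions; the page only states that the state is HMAC-signed and bound to user ID and org ID, that membership failure yields 403, and that a plan downgrade fails closed. The actual code-for-token exchange with Slack is omitted.

```python
"""Signed OAuth state bound to (user, org), plus the fail-closed callback checks.

Illustrative code for the page; the state format, TTL and helper names are
assumptions, not DriftWise's implementation.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Optional, Tuple

STATE_TTL_SECONDS = 600  # assumed lifetime of an in-flight install; not from the page


class StateError(Exception):
    """Raised when an OAuth state parameter fails verification."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(secret: bytes, user_id: str, org_id: str, now: Optional[float] = None) -> str:
    """Return 'body.sig': body is base64url JSON carrying the initiating user,
    the org, the issue time and a random nonce; sig is HMAC-SHA256 over body."""
    payload = {
        "u": user_id,
        "o": org_id,
        "iat": int(now if now is not None else time.time()),
        "n": _b64e(os.urandom(16)),  # per-flow nonce so no two states are identical
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_state(secret: bytes, state: str, now: Optional[float] = None) -> dict:
    """Verify the tag in constant time and enforce the TTL; return the payload."""
    try:
        body, sig = state.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            raise StateError("bad signature")
        payload = json.loads(_b64d(body))
        # Require the fields the callback relies on; a signed state always has them.
        _user, _org, issued_at = payload["u"], payload["o"], int(payload["iat"])
    except (ValueError, KeyError, TypeError):  # bad base64, bad JSON, missing fields
        raise StateError("malformed state") from None
    current = now if now is not None else time.time()
    if current - issued_at > STATE_TTL_SECONDS:
        raise StateError("state expired")
    return payload


def handle_callback(
    secret: bytes,
    state: str,
    session_user_id: str,
    is_member: Callable[[str, str], bool],
    plan_eligible: Callable[[str], bool],
    now: Optional[float] = None,
) -> Tuple[int, str]:
    """Checks that run before any token exchange; returns (HTTP status, reason).

    Membership and plan are looked up again here instead of being trusted from
    the state, so a removal or downgrade between initiate and approve fails closed.
    """
    try:
        payload = verify_state(secret, state, now)
    except StateError as exc:
        return 400, f"rejected: {exc}"
    if payload["u"] != session_user_id:
        # State was minted for a different user: cross-user CSRF attempt.
        return 400, "rejected: state was not issued to this user"
    org_id = payload["o"]  # org comes from the signed state, never from the request
    if not is_member(payload["u"], org_id):
        return 403, "rejected: user is no longer a member of the org"
    if not plan_eligible(org_id):
        return 402, "rejected: org plan no longer includes Slack"  # 402 is assumed here
    # The code-for-bot-token exchange with Slack would happen at this point (omitted).
    return 200, f"installed for org {org_id}"


if __name__ == "__main__":
    key = os.urandom(32)  # server-side signing key, generated for this demo
    state = make_state(key, user_id="usr_42", org_id="org_acme")  # constructed IDs
    print(handle_callback(key, state, "usr_42", lambda u, o: True, lambda o: True))
    # The same state presented from another user's session is refused
    print(handle_callback(key, state, "usr_99", lambda u, o: True, lambda o: True))
    # The initiating user was removed from the org before approving
    print(handle_callback(key, state, "usr_42", lambda u, o: False, lambda o: True))
```

The point of looking membership and plan up again inside the callback, rather than encoding "allowed" into the state, is that the state only proves who started the flow and when; what that user is still permitted to do has to be decided at approval time.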