Slack Webhook Specs, Events, and Examples

Slack uses outgoing webhooks to notify third-party apps of events such as messages sent, conversations started, files uploaded, and channels archived.

Specifications

Supported Events

Security Headers

  • Signature Header: X-Slack-Signature
  • Hash: sha256
  • Encode: hex
  • Payload: v0:timestamp:request_body
  • Timestamp Header: X-Slack-Request-Timestamp
  • Timestamp Format: Unix Date

Documentation

SDKs and Sample Code


Sample Validation

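const crypto = require('crypto')
const express = require('express')

const app = express()
// The signature covers the exact bytes sent, so keep the body as a raw Buffer
app.use('/slack-webhook', express.raw({ type: '*/*' }))

const timeHeader = 'X-Slack-Request-Timestamp'
const sigHeader = 'X-Slack-Signature'
const hashAlgo = 'sha256'
const encode = 'hex'
const hmacSecret = process.env.WEBHOOK_SECRET

app.post('/slack-webhook', (req, res) => {
    // req.get() looks headers up case-insensitively (req.headers keys are lowercased)
    const timestamp = req.get(timeHeader)
    //01: Validate replay prevention with 5 minute timeframe
    const requestTimestamp = Number(timestamp) * 1000;
    const tolerance = Date.now() - (5 * 60 * 1000);
    // A missing or non-numeric header gives NaN, which must not pass the check
    if (!Number.isFinite(requestTimestamp) || requestTimestamp < tolerance) {
        res.status(403).send('Request expired')
    }else{
        //02: Validate signature over the raw body, not re-serialized JSON
        const rawBody = Buffer.isBuffer(req.body) ? req.body.toString('utf8') : ''
        const message = `v0:${timestamp}:${rawBody}`
        const digest = "v0="+
                       crypto.createHmac(hashAlgo, hmacSecret)
                       .update(message)
                       .digest(encode)
        // Constant-time comparison; timingSafeEqual throws on unequal lengths
        const expected = Buffer.from(digest)
        const received = Buffer.from(String(req.get(sigHeader) || ''))
        if (received.length !== expected.length ||
            !crypto.timingSafeEqual(received, expected)) {
            res.status(401).send('Request unauthorized')
        }else{
            //03: Process message (parse rawBody only after verification)
            res.json({ message: "Success" })
        }
    }
})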
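
The same check as a framework-independent function, run over a constructed request to show why the signature must be computed over the raw body rather than re-serialized JSON. This is an added example, not Slack's or this page's own code; the function names, secret, timestamp and body are made up for illustration, and unlike the sample above it also rejects timestamps more than five minutes in the future.

```javascript
const { createHmac, timingSafeEqual } = require('crypto')

const TOLERANCE_SECONDS = 5 * 60

// Build the X-Slack-Signature value: "v0=" + hex(HMAC-SHA256("v0:timestamp:body"))
function signSlackRequest(secret, timestamp, rawBody) {
    const mac = createHmac('sha256', secret)
    mac.update(`v0:${timestamp}:`)
    mac.update(rawBody)            // string or Buffer, exactly as received
    return 'v0=' + mac.digest('hex')
}

// Returns 'ok', 'bad-timestamp' or 'bad-signature'. headers uses lowercase keys.
// nowSeconds is injectable so the check can be tested against a fixed clock.
function verifySlackRequest(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
    const timestamp = String(headers['x-slack-request-timestamp'])
    // Reject missing, non-numeric, stale or far-future timestamps
    if (!/^\d+$/.test(timestamp) ||
        Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
        return 'bad-timestamp'
    }
    const expected = Buffer.from(signSlackRequest(secret, timestamp, rawBody))
    const received = Buffer.from(String(headers['x-slack-signature'] || ''))
    // timingSafeEqual throws on unequal lengths, so compare lengths first
    if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
        return 'bad-signature'
    }
    return 'ok'
}

// Constructed sample request: secret, clock and body are made up
const SAMPLE_SECRET = 'constructed-signing-secret'
const SAMPLE_NOW = 1700000000
const SAMPLE_BODY = '{"type": "event_callback",  "event": {"type": "message"}}'
const SAMPLE_HEADERS = {
    'x-slack-request-timestamp': String(SAMPLE_NOW - 10),
    'x-slack-signature': signSlackRequest(SAMPLE_SECRET, SAMPLE_NOW - 10, SAMPLE_BODY),
}

// Parsing and re-serializing drops the whitespace, so the signed bytes no longer match
const RESERIALIZED_BODY = JSON.stringify(JSON.parse(SAMPLE_BODY))

console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW))
console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, RESERIALIZED_BODY, SAMPLE_NOW))
console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW + 3600))
```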