Slack app manifest for AskVault

Written by Aashiq, Founder, AskVault · Reviewed by Aashiq

Last updated: May 15, 2026 · 4 min read

TL;DR

Create a Slack app from the AskVault manifest in about 5 minutes. The manifest declares 12 OAuth scopes, 4 event subscriptions, and 2 slash commands. Paste into api.slack.com to scaffold the app, install to your workspace, then copy the credentials back to AskVault. Available on Growth and above.

What the manifest covers

A Slack manifest is a YAML or JSON spec that describes everything Slack needs to know about the app:

• Bot user. The bot's display name, icon, and default channel.
• OAuth scopes. Permissions the app needs (read channels, post messages, etc.).
• Event subscriptions. Which Slack events the app receives (messages, app mentions, etc.).
• Slash commands. Custom commands like /askvault your users can type.
• Interactivity. Whether the app handles button clicks, modal submits, etc.

Using a manifest is faster than clicking through every scope. AskVault provides a ready-to-paste manifest under Deploy Hub > Slack > Manifest.

The AskVault manifest

Copy this YAML manifest from the dashboard. The version below is the current production spec.

display_information:
  name: AskVault Support
  description: AI-powered customer support and internal helpdesk
  background_color: "#0EA5E9"
features:
  bot_user:
    display_name: AskVault
    always_online: true
  slash_commands:
    - command: /askvault
      description: Ask a question to the AskVault bot
      usage_hint: "[your question]"
      should_escape: false
    - command: /askvault-handoff
      description: Hand off the current thread to a human agent
      should_escape: false
oauth_config:
  scopes:
    bot:
      - app_mentions:read
      - channels:history
      - channels:read
      - chat:write
      - chat:write.public
      - commands
      - groups:history
      - groups:read
      - im:history
      - im:read
      - im:write
      - reactions:read
      - team:read
      - users:read
      - users:read.email
settings:
  event_subscriptions:
    request_url: https://api.askvault.co/api/slack/events
    bot_events:
      - app_mention
      - message.channels
      - message.groups
      - message.im
  interactivity:
    is_enabled: true
    request_url: https://api.askvault.co/api/slack/interactivity
  org_deploy_enabled: false
  socket_mode_enabled: false
  token_rotation_enabled: false

Always grab the latest version from the dashboard. We update it when adding new features.

Setup walkthrough

About 5 minutes:

1. Visit api.slack.com/apps.
2. Click "Create New App > From an app manifest".
3. Pick the Slack workspace to install into.
4. Paste the YAML manifest from the dashboard.
5. Review the scopes Slack lists. Click "Create".
6. Install to workspace. Slack asks one last consent screen.
7. Copy three values from the OAuth & Permissions page:
   • Bot User OAuth Token (starts with xoxb-)
   • Signing Secret
   • App ID
8. Paste them in AskVault under Deploy Hub > Slack > Credentials.
9. Click "Verify connection". Should succeed within 30 seconds.

Test by typing /askvault What's our refund policy? in any channel where the bot is invited.

Scope-by-scope explanation

Why each scope is requested:

• app_mentions:read. Receive @AskVault mentions so the bot can respond when called.
• channels:history. Read channel message history for context when the bot is invited to a channel.
• channels:read. List channels the bot is in. Used to scope conversations.
• chat:write. Post messages as the bot.
• chat:write.public. Post in channels the bot isn't a member of (used for handoff DMs).
• commands. Receive slash-command invocations.
• groups:history. Read private-channel history when the bot is invited.
• groups:read. List private channels the bot is in.
• im:history. Read DM history.
• im:read. Get DM channel metadata.
• im:write. Send DMs (used for handoff and lead-capture confirmations).
• reactions:read. See emoji reactions on the bot's responses for feedback signal.
• team:read. Read the Slack team name and domain. Used in audit logs.
• users:read. Map Slack user IDs to display names.
• users:read.email. Read email so we can match to AskVault accounts (used for team mode).

We don't request chat:write.customize (custom username), files:read, or any DM/channel scopes beyond what's listed.

Knowledge-base mode vs notification-bot mode

The same Slack app supports two operating modes:

• Knowledge-base mode. Internal teams ask the bot questions from their indexed company docs. Used for HR, IT, and engineering helpdesks. Most common.
• Notification-bot mode. AskVault pushes alerts (lead captured, conversation escalated, knowledge gap detected) to a Slack channel. Read-only, no Q&A.

Toggle between modes (or enable both) under Deploy Hub > Slack > Mode.

Slash commands

Two commands included in the default manifest:

/askvault [question]. Asks the bot anything from the indexed knowledge.

/askvault What's the SOC 2 audit timeline?

[bot replies with cited answer]

/askvault-handoff. In a customer-facing channel, escalates the conversation to a human agent. Useful for shared Slack support channels.

Custom slash commands available on Enterprise. Defined per workspace.

Event subscriptions

The manifest subscribes to 4 events:

• app_mention. When @AskVault is mentioned. Bot replies.
• message.channels. Messages in public channels the bot is in. Used for context, not auto-reply.
• message.groups. Messages in private channels the bot is in.
• message.im. Direct messages to the bot. Auto-reply.

The bot doesn't auto-reply to every channel message; only to mentions or DMs. This avoids noise.

Token rotation

Slack supports OAuth token rotation. We don't enable it by default (token_rotation_enabled: false) because:

• The standard bot token is workspace-scoped and doesn't expire.
• Rotation adds operational complexity for marginal security benefit.

For Enterprise customers requiring rotation, contact support and we'll enable it for your install.

Permissions and audit

What an admin should know:

• AskVault never reads channels the bot isn't invited to. Channel privacy is preserved.
• DMs to the bot are end-to-end via Slack. AskVault stores the message content for retrieval purposes, encrypted at rest.
• Slack audit logs. Every action AskVault takes (channel join, message post) is in Slack's audit log under "App actions". Available on Slack Enterprise Grid.

See security overview for the broader posture.

Updating the manifest

When AskVault adds new features needing new scopes:

1. We notify you via email and dashboard banner.
2. Visit api.slack.com/apps/[your-app-id]/app-manifest.
3. Paste the new manifest.
4. Slack prompts to re-approve the added scopes.
5. Click approve, redeploy.

Re-approval doesn't break existing flows; the app keeps working with old scopes during the update.

Limits

• Slack workspaces per AskVault workspace. Up to 5 on Business; unlimited on Enterprise.
• Slash commands. 2 default; up to 10 on Enterprise.
• Event handlers. AskVault processes about 100 events per second per workspace.
• Token rotation. Off by default; on by request for Enterprise.

Common pitfalls

Bot doesn't reply to mentions. Bot not invited to the channel. Type /invite @AskVault in the channel.

Slash command "dispatch_failed". AskVault endpoint not reachable from Slack. Confirm request_url in the manifest points to https://api.askvault.co/api/slack/events (no typos).

"Token invalid" error during verify. Bot token was regenerated in Slack but not updated in AskVault. Copy fresh credentials from Slack > OAuth & Permissions.

Re-installing to the same workspace breaks the connection. Each install issues a new bot token; the old one becomes invalid. Update AskVault credentials after re-install.

FAQ

Can I use the manifest as-is or do I need to edit it?

Use as-is. We've vetted every scope. Don't strip scopes; the bot needs all 15 to operate correctly.

Does this work for Slack Enterprise Grid?

Yes. Install per workspace within the Grid. Org-wide install via org_deploy_enabled: true is available on Enterprise contracts.

Can I customize the bot's display name?

Yes. Edit display_name in the manifest before pasting, or rename later under app settings.

What happens when I uninstall?

The bot is removed from Slack within 60 seconds. AskVault stops receiving events. Stored conversation history remains in AskVault until you delete the workspace.

Are slash commands available in DMs?

Yes. /askvault works in DMs, channels (where the bot is invited), and threads.

Related guides

• Slack setup
• Knowledge-base mode vs notification mode
• Internal knowledge base use case
• Escalate to human skill
• Webhooks reference

Deploy this channel in 60 seconds

Free tier covers 1 channel. Growth+ unlocks all 13.

Try AskVault Free → Book a demo

Was this page helpful? Yes No