# Slack App

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTBPbxvmot7x07XHE7yBi%2Fkeeper%2Bslack.png?alt=media&#x26;token=454eb4d8-ad08-4d1f-bcd4-a0ccc76128e7" alt=""><figcaption></figcaption></figure>

## Overview

The **Keeper Slack App** helps achieve zero standing privilege and streamlines credential workflow requests and approvals directly from Slack. The customer hosts the Slack agent and Commander Service Mode, ensuring that zero knowledge is maintained with end-to-end encryption.

This document describes the installation of the Keeper Slack App using a streamlined setup method that requires the use of Keeper Secrets Manager. If you don't have a Secrets Manager or KeeperPAM license, please contact your Keeper account manager.

{% embed url="<https://vimeo.com/1164147517>" %}
Keeper Security Slack App Overview
{% endembed %}

## Features

<table><thead><tr><th width="309.94140625">Feature</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Access Requests</strong></td><td>Request access to specific Keeper records with justification, custom permissions and access time limits. This includes standard vault records and KeeperPAM resources.</td></tr><tr><td><strong>Folder Access Requests</strong></td><td>Request access to specific Keeper Shared Folders with justification, custom permissions and access time limits.</td></tr><tr><td><strong>One-Time Share Requests</strong></td><td>Request a one-time share, password reset or other dynamic password generation with a self-destructing share link. The one-time share can also be editable, offering bi-directional sharing capabilities.</td></tr><tr><td><strong>Endpoint Privilege Manager Approvals</strong></td><td>Keeper Endpoint Privilege Manager (KEPM) just-in-time elevation approvals in real time through a dedicated Slack channel.</td></tr><tr><td><strong>SSO Cloud Device Approvals</strong></td><td>Perform approvals of SSO Cloud devices directly through Slack, if the Keeper Automator service is not deployed.</td></tr></tbody></table>

***

## Prerequisites

#### System Requirements

To maintain zero knowledge and full end-to-end encryption, the Keeper Slack App and Commander Service Mode containers are hosted by each customer on their own infrastructure to interact with the Slack cloud service. Commander is used locally to help set everything up.

<table><thead><tr><th width="262.71484375">Requirement</th><th>Details</th></tr></thead><tbody><tr><td>Linux VM</td><td>Any VM in the cloud or on-prem which can establish https/443 outbound connections to Slack and Keeper services.</td></tr><tr><td>Docker</td><td>Docker is the recommended method for setting up the service</td></tr><tr><td>Keeper Commander</td><td>Service Mode running and accessible</td></tr><tr><td>Keeper Secrets Manager</td><td>Either Keeper Secrets Manager or KeeperPAM license used for retrieving the secret configuration data</td></tr><tr><td>Slack Workspace</td><td>Requires admin access to install and configure apps</td></tr></tbody></table>

{% hint style="warning" %}
Important: The `slack-app-setup` command requires Keeper Secrets Manager (KSM) to be activated. If KSM is not available, please contact your account manager.
{% endhint %}

## Setup Steps

In the below setup instructions, we'll be using Commander and Slack-App Docker Images ([keeper/commander](https://hub.docker.com/r/keeper/commander) and [keeper/slack-app](https://hub.docker.com/r/keeper/slack-app)). This integration also leverages Keeper Secrets Manager to secure the configurations used by the services.

Follow these five steps to configure the Slack app:

1. [Create Slack App](#step-1.-create-slack-app)
2. [Create Approvals Channel](#step-2.-create-approvals-channel)
3. [Commander Service Mode Setup](#step-3.-commander-service-mode-setup)
4. [Run Slack App Setup Command](#step-4.-run-slack-app-setup-command)
5. [Deploy to Docker Environment](#step-5.-deploy-to-docker-environment)

***

### Step 1. Create Slack App

In this section, you will create the Slack App in your Slack workspace as the administrator and gather the necessary configuration values.

* As the Slack Admin, go to [api.slack.com/apps](https://api.slack.com/apps)
* Click **Create New App** → **From an app manifest**
* Select your workspace
* Paste the JSON content below into the manifest file

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVszABuEMqljAceSFhDT0%2Fslack%20setup%201.png?alt=media&#x26;token=ce6d114f-3d70-44df-9e7a-d6039634f381" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F3GuO7V2aGxmNB1mcb5ws%2Fslack%20setup%202.png?alt=media&#x26;token=7d619511-f462-4863-96eb-147406720809" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FBOnIhGUzxetY5P6sZ4z6%2Fslack%20setup%203.png?alt=media&#x26;token=f7795b16-5da7-4054-9aa0-216df097e702" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FvX96s9dzPNdiNa9NgPMZ%2Fslack%20setup%204.png?alt=media&#x26;token=3a64e14b-17b2-4b9a-b173-d40bcee40f81" alt="" width="563"><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```json
{
  "display_information": {
    "name": "Keeper Security",
    "description": "Access Keeper Vault and PEDM directly within Slack",
    "background_color": "#173964",
    "long_description": "A secure, team-friendly password manager built for Slack. Easily store, retrieve, and share credentials without leaving your workspace. With encrypted storage, access controls, and approval workflows, it helps your team manage secrets safely and efficiently."
  },
  "features": {
    "app_home": {
      "home_tab_enabled": true,
      "messages_tab_enabled": true,
      "messages_tab_read_only_enabled": false
    },
    "bot_user": {
      "display_name": "Keeper Security",
      "always_online": true
    },
    "slash_commands": [
      {
        "command": "/keeper-request-record",
        "description": "Request access to a Keeper record",
        "usage_hint": "\"Record UID or Description\" Justification message or ticket number",
        "should_escape": false
      },
      {
        "command": "/keeper-request-folder",
        "description": "Request access to a Keeper folder",
        "usage_hint": "\"Folder UID or Description\" Justification message or ticket number",
        "should_escape": false
      },
      {
        "command": "/keeper-one-time-share",
        "description": "Request a one-time share link to a Keeper record",
        "usage_hint": "\"Record UID or Description\" Justification message or ticket number",
        "should_escape": false
      }
    ]
  },
  "oauth_config": {
    "scopes": {
      "bot": [
        "chat:write",
        "commands",
        "im:write",
        "users:read",
        "channels:read",
        "users:read.email"
      ]
    }
  },
  "settings": {
    "event_subscriptions": {
      "bot_events": [
        "app_home_opened"
      ]
    },
    "interactivity": {
      "is_enabled": true
    },
    "org_deploy_enabled": false,
    "socket_mode_enabled": true,
    "token_rotation_enabled": false
  }
}
```

{% endcode %}

* Review the settings of the Slack app and create it.
* Go to **Basic Information** → **Display Information** and upload a Keeper icon for your app's profile picture. Below is a 512x512 Keeper icon that can be downloaded for use.
* On the left side, click on **Basic Information** → **App-Level Tokens** → **Generate Token and Scopes**, and generate an app-level token called "keeper-slack-app" with the `connections:write` scope. Save the token to use as the "App Token" in the next step.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F3BOXXtpaSpwXUQ6PTftN%2FScreenshot%202025-12-16%20at%201.02.08%E2%80%AFPM.png?alt=media&#x26;token=27c734f0-fa3c-42ad-9d84-cdf0e743d9f9" alt=""><figcaption></figcaption></figure>

* On the left side, click on **Install App**, click **Install to \[Workspace]**, then save the **Bot User OAuth Token** for the next step.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FJBmHQEp7rWp46nkj0NKC%2FScreenshot%202025-12-16%20at%201.12.12%E2%80%AFPM.png?alt=media&#x26;token=66e084ea-ad45-449f-85fa-dbc267421e83" alt=""><figcaption></figcaption></figure>

After creating the app, collect these credentials:

<table><thead><tr><th width="219.890625">Credential</th><th>Location</th></tr></thead><tbody><tr><td>App Token</td><td>Basic Information → App-Level Tokens → Generate</td></tr><tr><td>Bot Token</td><td>OAuth &#x26; Permissions → Bot User OAuth Token</td></tr><tr><td>Signing Secret</td><td>Basic Information → App Credentials</td></tr></tbody></table>

{% hint style="info" %}
Save the generated **App Token**, **Bot Token** and **Signing Secret** for **Step 4.**
{% endhint %}

***

### Step 2. Create Approvals Channel

* In your Slack workspace, create a Private channel (e.g., `#keeper-vault-approvers`)
* Invite the Keeper bot to the approval channel created:
  * **Option 1.** In the approvals channel, type /invite @Keeper Security.
  * **Option 2.** Click the channel name → Settings → Integrations → Add an App → Search for Keeper Security → Add
* Copy the Channel ID (right-click channel → View Details → copy ID at bottom)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FOSgDqti6jpao1XN3Vw5d%2FScreenshot%202025-12-16%20at%201.19.57%E2%80%AFPM.png?alt=media&#x26;token=7aba3cb0-0f3e-4083-a9b9-d584742c0c5f" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Save the **Channel ID** for **Step 4.**
{% endhint %}

***

### Step 3. Commander Service Mode Setup

To enable the service to authenticate and execute commands within the Keeper tenant, an authorized **Keeper Commander configuration file** must be created. This configuration can be generated on a host computer or workstation.

* [Install Keeper Commander](https://docs.keeper.io/en/keeperpam/commander-cli/commander-installation-setup) locally on your machine
* If required, create a new Keeper service account dedicated to this integration, ensuring it has access to the relevant records and folders and the ability to perform record and folder sharing.
* Log in to Commander with the Keeper service account `(serviceuser@company.com)`

```
keeper shell
My Vault> login serviceuser@company.com
```

* Complete the authentication process including any 2FA requirements. Once you are fully authenticated, proceed to Step 4.

***

### Step 4. Run Slack App Setup Command

The `slack-app-setup` command generates a `docker-compose.yml` file which you will use to operate the Slack App and Commander Service Mode services.

From the Commander shell, type:

```
slack-app-setup
```

**Command Line Options**

The `slack-app-setup` command supports the following optional flags for customization:

| Parameter                       | Description                                    | Default Value                           |
| ------------------------------- | ---------------------------------------------- | --------------------------------------- |
| --folder-name (optional)        | Name for the shared folder                     | Commander Service Mode - Slack App      |
| --app-name (optional)           | Name for the Secrets Manager app               | Commander Service Mode - KSM App        |
| --config-record-name (optional) | Name for the Commander config record           | Commander Service Mode Docker Config    |
| --slack-record-name (optional)  | Name for the Slack config record               | Commander Service Mode Slack App Config |
| --config-path (optional)        | Path to config.json file                       | \~/.keeper/config.json                  |
| --timeout (optional)            | Device timeout setting                         | 30d                                     |
| --skip-device-setup (optional)  | Skip device registration if already configured | false                                   |

Example with Custom Names:

```
slack-app-setup --folder-name "My Slack Integration" --timeout 7d
```

The command will guide you through the following prompts:

#### **Phase 1: Docker Service Mode Setup**

It automatically configures KSM and uploads the config file required for setting up service mode via Docker.

```bash
Phase 1: Running Docker Service Mode Setup
═══════════════════════════════════════════════════════════
    Docker Setup
═══════════════════════════════════════════════════════════

[1/7] Checking device settings...
  ✓  Device already registered
  ✓  Persistent login already enabled
  ✓  Setting logout timeout to 30d...

[2/7] Creating shared folder 'Commander Service Mode - Slack App'...
  ✓  Shared folder created successfully

[3/7] Creating record 'Commander Service Mode Docker Config'...
  ✓  Record created successfully

[4/7] Uploading config.json attachment...
  ✓  Config file uploaded successfully

[5/7] Creating Secrets Manager app 'Commander Service Mode - KSM App'...
  ✓  App created successfully

[6/7] Sharing folder with app...
  ✓  Folder shared with app

[7/7] Creating client device and generating config...
  ✓  Client device created successfully

✓ Docker Setup Complete!
```

**Service Configuration**

Configure the Commander Service port:

<table><thead><tr><th width="155.578125">Prompt</th><th>Description</th><th>Example</th></tr></thead><tbody><tr><td>Port</td><td>Port number for Commander Service Mode (1024-65535).</td><td>8900</td></tr></tbody></table>

**Tunneling Configuration (Optional)**

If external access is required, configure one of the following:

| Prompt                   | Description                                                |
| ------------------------ | ---------------------------------------------------------- |
| Ngrok Auth Token         | Your ngrok authentication token for public URL generation. |
| Ngrok Custom Domain      | Custom ngrok domain (e.g., myapp.ngrok.io).                |
| Cloudflare Tunnel Token  | Cloudflare tunnel token for public URL generation.         |
| Cloudflare Custom Domain | Your Cloudflare domain (e.g., slack.company.com).          |

{% hint style="warning" %}
Ngrok and Cloudflare are mutually exclusive. Choose one if needed. This is NOT a requirement for the Slack App. But if you are using other integrations such as our Jira app, you might need to set up a cloud tunnel.
{% endhint %}

#### **Phase 2: Slack App Integration Setup**

Enter the Slack credentials obtained from **Steps 1 and 2**:

<table><thead><tr><th width="222.23046875">Prompt</th><th width="310.05078125">Description</th><th>Example</th></tr></thead><tbody><tr><td>Slack App Token (required)</td><td>The xapp- token from Step 1. Must be at least 90 characters.</td><td>xapp-1-A0XXXXX-...</td></tr><tr><td>Slack Bot Token (required)</td><td>The xoxb- token from Step 1. Must be at least 50 characters.</td><td>xoxb-1234567890-...</td></tr><tr><td>Slack Signing Secret (required)</td><td>The signing secret from Step 1. Must be exactly 32 characters.</td><td>a1b2c3d4e5f6...</td></tr><tr><td>Approvals Channel ID (required)</td><td>The channel ID from Step 2.</td><td>C0XXXXXXX</td></tr><tr><td>Enable PEDM? (optional)</td><td>Enable Endpoint Privilege Manager approvals (y/n).</td><td>y</td></tr><tr><td>PEDM Polling Interval (optional)</td><td>How often to check for PEDM requests in seconds. Default: 120.</td><td>120</td></tr><tr><td>Enable Device Approvals? (optional)</td><td>Enable SSO Cloud device approvals (y/n).</td><td>y</td></tr><tr><td>Device Approval Polling Interval (optional)</td><td>How often to check for device approvals in seconds. Default: 120.</td><td>120</td></tr></tbody></table>

{% hint style="info" %}
To process Endpoint Privilege Manager approvals and SSO Cloud approvals, the Slack App service user must have the administrative permissions "Manage Endpoint Privilege" and "Managing the Keeper Admin Console".
{% endhint %}
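
The checks below apply the format rules from the Phase 2 prompt table, the port range from Service Configuration, and the token-prefix hint from the Startup Errors table, so that a mis-pasted value is caught before it is entered into `slack-app-setup`. This is an added example, not Keeper's code; the function and field names are hypothetical and the sample values are constructed.

```python
import re

# Shape rules as stated on this page (Phase 2 prompts, Service Configuration,
# Startup Errors). Function and field names are hypothetical.
TOKEN_RULES = {"app_token": ("xapp-", 90), "bot_token": ("xoxb-", 50)}
SIGNING_SECRET_LEN = 32
PORT_MIN, PORT_MAX = 1024, 65535

# Constructed sample values with the documented prefixes and minimum lengths.
SAMPLE_APP_TOKEN = "xapp-" + "A" * 85
SAMPLE_BOT_TOKEN = "xoxb-" + "1" * 45
SAMPLE_SIGNING_SECRET = "a" * 32


def mask(value):
    """Return only the token family prefix so messages never echo a secret."""
    m = re.match(r"(xapp|xoxb|xoxp)-", value)
    return (m.group(0) if m else "") + "****"


def validate_inputs(app_token, bot_token, signing_secret, channel_id, port):
    """Return a list of problems; an empty list means every value fits the documented shape."""
    problems = []
    tokens = {"app_token": app_token.strip(), "bot_token": bot_token.strip()}

    for field, (prefix, min_len) in TOKEN_RULES.items():
        value = tokens[field]
        if not value.startswith(prefix):
            problems.append(f"{field}: expected prefix {prefix}, got {mask(value)}")
        elif len(value) < min_len:
            problems.append(f"{field}: length {len(value)}, expected at least {min_len}")

    # The two tokens are collected from different Slack pages and are easy to swap.
    if tokens["app_token"].startswith("xoxb-") and tokens["bot_token"].startswith("xapp-"):
        problems.append("app_token and bot_token appear to be swapped")
    if tokens["bot_token"].startswith("xoxp-"):
        problems.append("bot_token: xoxp- is a user token; use the Bot User OAuth Token")

    secret_len = len(signing_secret.strip())
    if secret_len != SIGNING_SECRET_LEN:
        problems.append(
            f"signing_secret: length {secret_len}, expected exactly {SIGNING_SECRET_LEN}"
        )

    if not channel_id.strip():
        problems.append("channel_id: empty; copy the ID from the approvals channel")

    try:
        port_ok = PORT_MIN <= int(port) <= PORT_MAX
    except (TypeError, ValueError):
        port_ok = False
    if not port_ok:
        problems.append(f"port: must be an integer in {PORT_MIN}-{PORT_MAX}")

    return problems


if __name__ == "__main__":
    # Tokens pasted into the wrong prompts: three findings, no secret printed.
    for line in validate_inputs(
        SAMPLE_BOT_TOKEN, SAMPLE_APP_TOKEN, SAMPLE_SIGNING_SECRET, "C0XXXXXXX", 8900
    ):
        print(line)
```
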

After the command executes successfully, it automatically performs the following actions:

* Configures persistent device authentication
* Creates a Shared Folder named **“Commander Service Mode – Slack App”**
* Creates a KSM application with access to the shared folder
* Creates a client device and generates a Base64-encoded configuration value
* Creates a Docker Config record and uploads the `config.json` file from the `.keeper` directory
* Creates a Slack App Config record containing the Slack App credentials.

```bash
✓ Slack App Integration Setup Complete!

Resources Created:
  Phase 1 - Commander Service:
    • Shared Folder: Commander Service Mode - Slack App
    • KSM App: Commander Service Mode - KSM App (with edit permissions)
    • Config Record: XXXXXX
    • KSM Base64 Config: ✓ Generated
  Phase 2 - Slack App:
    • Slack Config Record: XXXXXX
    • Approvals Channel: XXXXXX
    • PEDM Integration: false
    • Device Approval: false
```

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FjTk43bxzIid7DG4J6lpF%2FScreenshot%202026-01-21%20at%204.16.51%E2%80%AFPM.png?alt=media&#x26;token=e85a2692-218b-447a-9abf-bcdeb0525169" alt=""><figcaption></figcaption></figure>

* Upon successful execution, a `docker-compose.yml` is generated containing both the Commander Service Mode and Slack App services, ready for deployment.

{% code overflow="wrap" %}

```yaml
services:
  commander:
    container_name: keeper-service
    ports:
    - 127.0.0.1:<port>:<port>
    image: keeper/commander:latest
    command: service-create -p <port> -c 'search,share-record,share-folder,record-add,one-time-share,pedm,device-approve,get' -f json -q y -ur <CONFIG_RECORD_UID> --ksm-config <KSM_CONFIG_BASE64_VALUE> --record <CONFIG_RECORD_UID>
    healthcheck:
      test:
      - CMD-SHELL
      - python -c "import sys, urllib.request; sys.exit(0 if urllib.request.urlopen('http://localhost:<port>/health', timeout=2).status == 200 else 1)"
      interval: 60s
      timeout: 3s
      start_period: 10s
      retries: 30
    restart: unless-stopped
  slack-app:
    container_name: keeper-slack-app
    image: keeper/slack-app:latest
    environment:
      KSM_CONFIG: <KSM_CONFIG_BASE64_VALUE>
      COMMANDER_RECORD: <CONFIG_RECORD_UID>
      SLACK_RECORD: <SLACK_CONFIG_RECORD_UID>
    depends_on:
      commander:
        condition: service_healthy
    restart: unless-stopped

```

{% endcode %}
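
The generated `docker-compose.yml` carries the Base64 KSM configuration and publishes the Commander port on `127.0.0.1` only. The added example below (not part of Keeper's tooling; function names are hypothetical and the sample files are constructed) checks both properties before deployment, reading the simple layout shown above line by line rather than acting as a general YAML parser.

```python
import os
import re
import stat
import tempfile

LOOPBACK_PREFIXES = ("127.0.0.1:", "[::1]:")

# Constructed sample in the same layout as the generated file; values are placeholders.
SAMPLE_OK = """\
services:
  commander:
    container_name: keeper-service
    ports:
    - 127.0.0.1:8900:8900
    image: keeper/commander:latest
  slack-app:
    container_name: keeper-slack-app
    image: keeper/slack-app:latest
    environment:
      KSM_CONFIG: CONSTRUCTED_PLACEHOLDER
"""
# Same file with the host address dropped: Docker then publishes on all interfaces.
SAMPLE_EXPOSED = SAMPLE_OK.replace("127.0.0.1:8900:8900", "8900:8900")


def published_ports(compose_text):
    """Return (service, mapping) pairs from each service's `ports:` list."""
    pairs, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        svc = re.match(r"^ {2}([\w.-]+):\s*$", line)  # service names sit at 2-space indent
        if svc:
            service, in_ports = svc.group(1), False
            continue
        if re.match(r"^\s+ports:\s*$", line):
            in_ports = True
            continue
        item = re.match(r"^\s*-\s*(.+?)\s*$", line)
        if in_ports and item:
            pairs.append((service, item.group(1).strip("'\"")))
        else:
            in_ports = False  # any other key ends the ports list
    return pairs


def audit_compose(path):
    """Return findings for a compose file; an empty list means both checks passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(
            f"file mode {mode:04o} lets group/other read the embedded KSM config; use 0600"
        )
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for service, mapping in published_ports(text):
        if not mapping.startswith(LOOPBACK_PREFIXES):
            findings.append(f"{service}: port mapping '{mapping}' is not bound to loopback")
    return findings


def write_sample(text, mode):
    """Write a constructed compose file with the given permissions and return its path."""
    fd, path = tempfile.mkstemp(suffix=".yml")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for sample, mode in ((SAMPLE_OK, 0o600), (SAMPLE_EXPOSED, 0o644)):
        path = write_sample(sample, mode)
        print(audit_compose(path) or "no findings")
        os.remove(path)
```
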

Once setup is complete, ensure that the Commander session is terminated and the local `.keeper/config.json` file is deleted to prevent device token conflicts.

```
My Vault> quit
$ rm ~/.keeper/config.json
```

***

### Step 5. Deploy to Docker Environment

In this section, you will set up a Docker Compose environment on a Linux virtual machine or host where the Commander Service will run.

* Launch a Linux VM or prepare a Linux host and connect to it via SSH.
* Install `docker` and `docker-compose` (refer to the installation instructions [here](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/installing-docker-on-linux))
* Transfer the generated `docker-compose.yml` file from Step 4 to the target Linux server.

Start up the services on the host machine:

```
docker compose up -d
```

**Service Startup Sequence**

The services start sequentially:

1. Commander Service starts first, generates an API key, and saves it along with the service URL to the vault record
2. Health checks validate the Commander service is running
3. Slack App starts after health checks pass, automatically retrieving the API key and service URL from the vault record

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTU5YjoPopBACAgyeuQ9S%2FScreenshot%202026-01-21%20at%204.16.40%E2%80%AFPM.png?alt=media&#x26;token=56866154-0479-4c14-8fb0-7450ed97c8bc" alt=""><figcaption></figcaption></figure>

**Verify Successful Startup**

Monitor the logs to make sure everything starts up.

* Check container status:

```bash
$ docker ps
NAME              STATUS                    PORTS
keeper-service    Up (healthy)              127.0.0.1:<port> -> <port>/tcp
keeper-slack-app  Up  
```

* View Commander Service logs:

```bash
$ docker logs keeper-service
[2026-01-21 10:00:00] Starting Commander Service Mode...
Generated API key: ****nQ= (stored in vault record: <CONFIG_VAULT_RECORD>)
Commander Service starting on <SERVICE_URL>/api/v2
Keeper Commander Service initialization complete
```

{% hint style="info" %}
The API key is redacted in Docker logs for security. Both services communicate securely via the shared vault record.
{% endhint %}

* View Slack App logs:

```
docker logs keeper-slack-app
```

If everything is successful, you'll see the messages below:

```bash
============================================================
Starting Keeper Slack App
============================================================
[INFO] Config: /app/slack_config.yaml
===========================================================
[INFO] Initializing Keeper Commander Slack App...
[INFO] Credentials fetched successfully from KSM vault: Service Mode Credentials, Slack Credentials
[INFO] Loaded configuration from KSM records
[OK] Configuration loaded
[OK] Keeper client initialized: http://commander:<port>/api/v2
[OK] Slack app initialized
[OK] All handlers registered
[OK] Socket Mode handler ready
[INFO] Approval channel: C0A42QVAY4A
[OK] PEDM poller initialized (disabled, interval: 120s)
[OK] Cloud SSO Device Approval poller initialized (disabled, interval: 120s)

============================================================
Starting Keeper Commander Slack App
============================================================
[OK] Socket Mode enabled
[INFO] Listening for Slack commands and interactions...
============================================================
[OK] Keeper Service Mode is accessible
[INFO] PEDM polling is disabled (set pedm.enabled=true in config to enable)
[INFO] Cloud SSO Device Approval polling is disabled (set device_approval.enabled=true in config to enable)

⚡️ Bolt app is running!
```

***

### Command Reference for Requesting User

#### /keeper-request-record

Request access to a specific Keeper record.

Syntax:

```
/keeper-request-record <record-uid-or-description> <justification>

Example:-
/keeper-request-record kR3cF9Xm2Lp8NqT1uV6w Emergency server access
/keeper-request-record "prod db EU region" Need to run migration
```

#### /keeper-request-folder

Request access to a shared folder.

Syntax:

```
/keeper-request-folder <folder-uid-or-description> <justification>

Example:-
/keeper-request-folder kF8zQ2Nm5Wx9PtR3sY7a Need staging access
/keeper-request-folder "Staging Team Folder" Need staging access
```

#### /keeper-one-time-share

Request a one-time share link for a record.

Syntax:

```
/keeper-one-time-share <record-uid-or-description> <justification>

Example:-
/keeper-one-time-share kR3cF9Xm2Lp8NqT1uV6w Need to share with contractor John
/keeper-one-time-share "AWS Production Password" Sharing with vendor
```

***

## Screenshots

The below screenshots demonstrate the core features of the Keeper Slack App.

#### Interacting with the Slack App for Requests

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fk8XF4CF4XIgjsy9nQsZz%2FScreenshot%202025-12-22%20at%209.45.24%E2%80%AFAM.png?alt=media&#x26;token=c93e62e7-b002-4987-b098-9fff6e36fb8f" alt=""><figcaption></figcaption></figure>

***

#### Requesting Access to a Record (no UID provided)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FUraRRKx9Ym7Z5qTgOeS7%2FScreenshot%202025-12-22%20at%209.47.28%E2%80%AFAM.png?alt=media&#x26;token=29d6bff4-813e-4e97-bddc-b62f9db95bc1" alt=""><figcaption></figcaption></figure>

***

#### Requesting Access to a Record (with UID provided)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwPt6eGfaCPv0a96DjldB%2FScreenshot%202025-12-22%20at%209.49.55%E2%80%AFAM.png?alt=media&#x26;token=11140a66-274c-4c61-8da1-15064cfd5e99" alt=""><figcaption></figcaption></figure>

***

#### Record Access Request - Admin View

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FdJZjR57KhlL9RtPnKk7o%2FScreenshot%202025-12-22%20at%209.50.05%E2%80%AFAM.png?alt=media&#x26;token=b4fe9710-c43c-4199-a681-5286b1645793" alt=""><figcaption></figcaption></figure>

***

#### Requesting Access to a Folder (with UID provided)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPtsTlCgpiWqv5oj42IbX%2FScreenshot%202025-12-22%20at%209.52.11%E2%80%AFAM.png?alt=media&#x26;token=af5cd5ee-359e-43fa-a319-9a8f0322b642" alt=""><figcaption></figcaption></figure>

***

#### Folder Access Request - Admin View

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fh3kjE5II2w3LZiRBon9X%2FScreenshot%202025-12-22%20at%209.53.28%E2%80%AFAM.png?alt=media&#x26;token=7f704e95-b0b9-40cd-8d7a-9187077b13e4" alt=""><figcaption></figcaption></figure>

***

#### One-time Share Request for Password Reset

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FRBSUWhbMUGjxNLdkS5mk%2FScreenshot%202025-12-22%20at%2010.08.22%E2%80%AFAM.png?alt=media&#x26;token=d9684d16-c385-474c-b9d9-17ecc3dadc98" alt=""><figcaption></figcaption></figure>

***

#### One-Time Share - Admin View with New Record Creation

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fw0dClJUXyX8YkLShGFah%2FScreenshot%202025-12-22%20at%2010.09.39%E2%80%AFAM.png?alt=media&#x26;token=d4ed3aa6-0f29-4de5-aa68-57f502056cb3" alt=""><figcaption></figcaption></figure>

***

#### One-Time Share - Admin View with Search for Existing Record

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FfBpbIZ3TrToSRSXLjNKJ%2FScreenshot%202025-12-22%20at%2010.10.49%E2%80%AFAM.png?alt=media&#x26;token=26d03dbd-d5ee-4882-81e0-a5c79c3e1686" alt=""><figcaption></figcaption></figure>

***

#### Endpoint Privilege Manager - Approval for Elevation

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FKMq9bbCjq9kwkcCNM66p%2FScreenshot%202025-12-22%20at%2010.03.42%E2%80%AFAM.png?alt=media&#x26;token=5706a1be-a02a-4347-bbbb-9beb9ae9792c" alt=""><figcaption></figcaption></figure>

***

#### SSO Cloud Device Approval - Admin View

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FBjna02tfyMDANw9fMWNA%2FScreenshot%202025-12-22%20at%2011.33.58%E2%80%AFAM.png?alt=media&#x26;token=df724521-6842-4831-9070-74eae7f5f7c7" alt=""><figcaption></figcaption></figure>

***

## Updates

#### Updating the Commander Service Mode and Slack app Container

To update to the latest version of Commander or the Slack App, follow the steps below to stop the service, update the containers and start up the new containers.

```bash
docker compose down
docker compose pull
docker compose up -d
```

***

## Troubleshooting

#### Startup Errors

<table><thead><tr><th>Error</th><th width="230.42578125">Cause</th><th>Solution</th></tr></thead><tbody><tr><td>Commander Service Mode is prompting for master password</td><td>Multiple config.json files are attached to the Vault record</td><td>Follow Steps 4-5 to run the <code>slack-app-setup</code> command again with a new folder name to create a new JSON config file.</td></tr><tr><td>[WARN] Warning: Cannot reach Keeper Service Mode</td><td>Service Mode not running or wrong URL</td><td>Verify the service URL in the vault record is as expected</td></tr><tr><td>invalid_auth</td><td>Wrong Slack bot token</td><td>Verify bot_token starts with xoxb- (not xapp- or xoxp-)</td></tr><tr><td>Socket Mode not enabled</td><td>App-level token missing or wrong</td><td>Generate App-Level Token with connections:write scope</td></tr></tbody></table>

***

#### Slack API Errors

| Error               | Cause                                | Solution                                                                                |
| ------------------- | ------------------------------------ | --------------------------------------------------------------------------------------- |
| channel\_not\_found | Bot not invited to approvals channel | Run /invite @Keeper Commander in the channel                                            |
| not\_in\_channel    | Bot removed from channel             | Re-invite the bot to the channel                                                        |
| missing\_scope      | Bot lacks required permissions       | Reinstall app; ensure scopes: chat:write, commands, im:write, users:read, channels:read |
| invalid\_blocks     | Malformed Block Kit message          | Check logs for specific block error; usually a data formatting issue                    |
| user\_not\_found    | Invalid Slack user ID                | User may have been deactivated from workspace                                           |

***

#### Service Mode Errors

| Error                              | Cause                                             | Solution                                                    |
| ---------------------------------- | ------------------------------------------------- | ----------------------------------------------------------- |
| Failed to submit command: HTTP 403 | API key invalid or missing                        | Verify api\_key in config vault record matches service mode |
| Failed to submit command: HTTP 404 | Wrong API endpoint version                        | Use V2 endpoint: /api/v2/ (not /api/v1/)                    |
| Failed to submit command: HTTP 405 | Using wrong HTTP method                           | Ensure Service Mode is running with queue enabled           |
| Command timed out or failed        | Service Mode overloaded or command not registered | Register command in Service Mode; increase timeout          |
| No request\_id received from API   | Service Mode not using queue/async mode           | Restart Service Mode with queue enabled (V2)                |

***

#### Access Grant Errors

| Error                                        | Cause                                              | Solution                                                                       |
| -------------------------------------------- | -------------------------------------------------- | ------------------------------------------------------------------------------ |
| Record Not Found                             | Invalid UID or record deleted                      | Verify the record UID exists in Keeper vault                                   |
| Folder Not Found                             | Invalid folder UID                                 | Verify the folder UID exists in Keeper vault                                   |
| Invalid UID Type (record vs folder)          | Used wrong command for item type                   | Use /keeper-request-folder for folders, /keeper-request-record for records     |
| This user already has time-limited access... | Conflict with existing share                       | Revoke existing access first, then grant new permission                        |
| Share permissions require permanent access   | Trying to use duration with Can Share/Edit & Share | Share permissions (Can Share, Edit & Share, Change Owner) are always permanent |
| User share...failed                          | Permission conflict on folder                      | User may have incompatible existing access; revoke and re-grant                |

***

#### Search & Modal Errors

| Error                                    | Cause                                   | Solution                                                                |
| ---------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------- |
| No records found matching...             | Search query too specific or no matches | Try broader search terms; check record exists in vault                  |
| Search command timed out                 | Service Mode slow or vault very large   | Increase max\_wait in \_poll\_for\_result() or use a more specific search |
| Error processing search modal submission | Modal data corrupted or expired         | Close modal and try again; check logs for specific error                |
| Modal shows "Searching..." forever       | Poll result never returned              | Check Service Mode logs; verify search command is registered            |

***

#### One-Time Share Errors

| Error                                                   | Cause                                                      | Solution                                                             |
| ------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------- |
| one-time share links can not be created for PAM records | Commander does not support one-time shares for PAM records | Request a one-time share for a non-PAM record instead                |
| Share link created but URL not found in response        | Unexpected Service Mode response format                    | Check Service Mode version; verify one-time-share command registered |
| Failed to create one-time share                         | Record may not be shareable                                | Verify user has share permissions on the record                      |

***

#### Record Creation Errors

| Error                                         | Cause                                    | Solution                                                   |
| --------------------------------------------- | ---------------------------------------- | ---------------------------------------------------------- |
| Failed to create record                       | Missing required fields or command error | Ensure title, login, and password are provided             |
| Record created but UID could not be retrieved | Search after creation failed             | Record exists but search timed out; manually search for it |

***

#### KEPM Errors

| Error                               | Cause                                | Solution                                                                                                       |
| ----------------------------------- | ------------------------------------ | -------------------------------------------------------------------------------------------------------------- |
| No data returned                    | KEPM feature not enabled             | Enable KEPM in your Keeper enterprise settings. Ensure that your service user has the necessary admin permissions. |
| KEPM sync failed                    | Service Mode can't reach KEPM server | Check network connectivity and KEPM configuration                                                              |
| Failed to approve/deny KEPM request | Request may have expired             | Check if request is still pending; it may have auto-expired                                                    |

### References

* [Commander CLI Overview](https://docs.keeper.io/keeperpam/commander-cli)
* [Commander Service Mode](https://docs.keeper.io/en/keeperpam/commander-cli/service-mode-rest-api)
* [Endpoint Privilege Manager](https://docs.keeper.io/keeperpam/endpoint-privilege-manager)
* [SSO Connect Cloud](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MB_i6vKdtG6Z2n6zWgJ/)
