You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We validated a non-public extraction path for Slack client auth on macOS using Chrome. This is not an official Slack-supported flow, but it is useful to document publicly as a fallback path for advanced users.
Positioning:
This is not the recommended authentication path for slk.
This should not be presented as the primary setup flow.
It is acceptable to record it publicly as a reference for users who understand the tradeoffs.
What worked:
xoxc-... can be recovered from Chrome profile local storage for an already logged-in Slack Web session.
xoxd-... can be recovered from Chrome's .slack.comd cookie after decrypting the cookie store on macOS.
In this repo, the existing runtime already has partial support for consuming xoxc + xoxd.
Observed macOS Chrome locations:
Local storage: ~/Library/Application Support/Google/Chrome/<Profile>/Local Storage/leveldb
Cookies DB: ~/Library/Application Support/Google/Chrome/<Profile>/Cookies
Practical extraction path that worked during validation:
Identify Chrome profiles that already have Slack cookies.
Search the profile's local storage LevelDB files for localConfig_v2 or xoxc-.
Read the .slack.com cookie named d from the profile cookie DB.
On macOS, use the Keychain entry for Chrome Safe Storage to decrypt the cookie value.
Treat both values as sensitive credentials.
What we observed locally:
Multiple Chrome profiles had .slack.com cookies.
A Slack-active profile exposed localConfig_v2 in LevelDB and contained a recoverable xoxc-... token.
The same profile's cookie DB contained an encrypted .slack.comd cookie that could be decrypted to xoxd-....
Important caveats:
This relies on Slack Web implementation details, not a stable public API.
Chrome storage formats and cookie encryption behavior can change.
This only works when the browser profile already has a valid Slack login session.
We should avoid presenting this in the README as the default auth flow.
Practical recommendation:
Keep OAuth user token auth as the default documented path.
Treat this extraction route as an advanced fallback for users who explicitly want it.
If we ever expose it in-product, it should carry explicit warnings and clearly say that Slack does not officially support this flow.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
We validated a non-public extraction path for Slack client auth on macOS using Chrome. This is not an official Slack-supported flow, but it is useful to document publicly as a fallback path for advanced users.
Positioning:
slk.What worked:
xoxc-...can be recovered from Chrome profile local storage for an already logged-in Slack Web session.xoxd-...can be recovered from Chrome's.slack.comdcookie after decrypting the cookie store on macOS.xoxc + xoxd.Observed macOS Chrome locations:
~/Library/Application Support/Google/Chrome/<Profile>/Local Storage/leveldb~/Library/Application Support/Google/Chrome/<Profile>/CookiesPractical extraction path that worked during validation:
localConfig_v2orxoxc-..slack.comcookie nameddfrom the profile cookie DB.What we observed locally:
.slack.comcookies.localConfig_v2in LevelDB and contained a recoverablexoxc-...token..slack.comdcookie that could be decrypted toxoxd-....Important caveats:
Practical recommendation:
Beta Was this translation helpful? Give feedback.
All reactions