Slack MCP: How to Connect Slack to AI Agents (Official + Community Servers)

Slack MCP is how AI assistants like Claude, Cursor, and Perplexity securely read and act on your Slack content. Searching messages, sending replies, managing canvases, all through the open Model Context Protocol. As of February 17, 2026, Slack ships its own first-party, Slack-hosted Slack MCP server. So connecting an AI agent to a workspace no longer means installing third-party tooling or scraping tokens. This guide covers what the Slack MCP server does, how the official server differs from the popular community alternative, how to do a clean Slack MCP setup for the clients you actually use, and the security details you shouldn't skip.

What is the Slack MCP server?

Slack's own definition is blunt and useful. The Slack MCP server "lets third-party AI assistants like Claude and Perplexity securely access your Slack content so they can search messages, find information, and take actions on your behalf" (Slack Help Center). It's made by Slack (a Salesforce company) and was announced on February 17, 2026, alongside the Real-Time Search API (Slack developer changelog). Slack and Salesforce describe both as generally available (Slack blog).

Here's the key thing. The official server is remote and hosted. There's no local install. Clients connect to the endpoint https://mcp.slack.com/mcp using JSON-RPC 2.0 over Streamable HTTP and authenticate via OAuth (Slack docs).

MCP in 60 seconds: host, client, server

The Model Context Protocol is an open standard. It gives AI agents a consistent, secure way to discover and use external tools and data. Slack's docs lay out its three roles cleanly:

• Host: the user-facing AI application (e.g. Claude or Cursor).
• Client: "a specialized bridge or adapter built into the host application."
• Server: "a separate program that acts as a secure wrapper around a system" (here, Slack).

MCP originated with Anthropic and is documented at modelcontextprotocol.io. When you "connect Slack MCP," you're pointing an MCP client at a Slack MCP server so the agent can call Slack as a tool.

Three things called "Slack MCP": don't conflate them

This is the single most confusing part of the topic. There are actually three distinct servers:

1. The official Slack MCP server: Slack-hosted, remote, OAuth, announced Feb 17 2026. This is what "Slack MCP" now usually means.
2. The deprecated reference server: the npm package @modelcontextprotocol/server-slack, an early local server configured with Slack bot tokens. Its source now lives in modelcontextprotocol/servers-archived. These reference servers are no longer maintained and carry no security guarantees. Don't build new work on it.
3. The community server: korotovsky/slack-mcp-server, a popular MIT-licensed Go project that explicitly states "This is not an official Slack product." Self-hosted, with a no-install "stealth" mode.

The rest of this guide focuses on the official server and the korotovsky community server, since those are the two real choices today.

What can an agent do with Slack over MCP?

The official server groups its tools into a few categories (Slack docs):

• Search: messages, files, users, channels, and custom emoji across the workspace.
• Messages: read channel and thread history, send messages to any conversation type, create channels and DMs, and add reactions.
• Canvases: create, update, and read Slack canvases.
• Users: fetch profile info (including custom fields and statuses) and list channel members.

Scopes-to-tools mapping

The official server uses user OAuth tokens with granular per-tool scopes, not broad bot tokens. A rough mapping from the docs:

| Capability | Example OAuth scopes | | --- | --- | | Search messages/channels | search:read.public, search:read.private, search:read.mpim, search:read.im | | Search / read files | search:read.files, files:read | | Send a message | chat:write | | Read channel/thread history | channels:history, groups:history, mpim:history, im:history | | Create conversations | channels:write, groups:write, im:write, mpim:write | | Reactions | reactions:write | | Canvases | canvases:read, canvases:write | | User profiles / members | users:read, users:read.email, channels:read, groups:read |

Granting only the scopes a given agent needs is your first and best line of defense.

Official Slack MCP server vs community servers

| | Official Slack MCP server | korotovsky/slack-mcp-server | | --- | --- | --- | | Maker | Slack (Salesforce) | Community (MIT, not official) | | Hosting | Remote, Slack-hosted, no install | Self-host via npx or Docker | | Endpoint | https://mcp.slack.com/mcp | Your own (stdio / SSE / HTTP) | | Auth | OAuth 2.0 user tokens, granular scopes | xoxp (user), xoxb (bot), or xoxc+xoxd (browser) | | Admin governance | App approval, audit logs, IP allowlists | Bypasses admin governance in "stealth" mode | | Eligibility | Directory-published or internal apps only | Any account with a token | | Write actions | Via scopes | Disabled by default; enabled via env var |

Use the official server for sanctioned, enterprise, or production use. It respects each user's existing permissions and surfaces activity in Slack's audit logs. Reach for the community server only for personal or constrained scenarios where you understand the tradeoffs. The community project's "stealth" mode authenticates with browser session tokens taken from the Slack web client. Powerful, yes, but it bypasses admin governance and may violate workspace policy (korotovsky auth docs).

How to set up Slack MCP

Official server: connect Claude Code

Slack publishes a config plugin repo, slackapi/slack-mcp-plugin. Its Claude Code config points at the hosted endpoint and uses OAuth:

{
  "mcpServers": {
    "slack": {
      "type": "http",
      "url": "https://mcp.slack.com/mcp",
      "oauth": {
        "clientId": "1601185624273.8899143856786",
        "callbackPort": 3118
      }
    }
  }
}

Note: the clientId value above is an example value from the docs. Confirm the current value against the live README before using it. Once you've added the config, your client will prompt you to authorize ("Connect") into your workspace via OAuth, where you grant the scopes the app requests.

Official server: connect Cursor

Cursor uses a similar block, added via Cursor → Settings → Cursor Settings → MCP (Slack docs):

{
  "mcpServers": {
    "slack": {
      "url": "https://mcp.slack.com/mcp",
      "auth": {
        "CLIENT_ID": "3660753192626.8903469228982"
      }
    }
  }
}

Again, treat the CLIENT_ID as an example value. Documented official clients include Claude.ai, Claude Code, Perplexity, and Cursor.

One prerequisite worth knowing up front. Only directory-published or internal apps may use the official MCP server. Unlisted apps are prohibited (Slack docs). Plan for marketplace publication or internal-app status before you hit a wall.

Community server: run korotovsky via npx

The community server runs locally. The simplest invocation:

npx -y slack-mcp-server@latest --transport stdio

A Claude Desktop config using a user OAuth (xoxp) token (configuration docs):

{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "slack-mcp-server@latest", "--transport", "stdio"],
      "env": {
        "SLACK_MCP_XOXP_TOKEN": "xoxp-..."
      }
    }
  }
}

Community server: run korotovsky via Docker

docker run -i --rm \
  -e SLACK_MCP_XOXC_TOKEN \
  -e SLACK_MCP_XOXD_TOKEN \
  ghcr.io/korotovsky/slack-mcp-server:latest --transport stdio

The community server supports several auth modes: SLACK_MCP_XOXP_TOKEN (user OAuth), SLACK_MCP_XOXB_TOKEN (bot, limited to invited channels and unable to use message search), or the pair SLACK_MCP_XOXC_TOKEN + SLACK_MCP_XOXD_TOKEN (browser session token plus the d cookie value). Its tools include conversations_history, conversations_replies, conversations_search_messages, channels_list, users_search, and reactions_add. One thing to watch: message posting is disabled by default. You have to explicitly set SLACK_MCP_ADD_MESSAGE_TOOL (a boolean, or a comma-separated list of allowed channel IDs) to enable the conversations_add_message tool.

Agent patterns: Slack as a tool surface

Most write-ups stop at "install it and post a message." The more interesting view is the agent-consumer one. A Slack MCP server is a tool surface that an autonomous agent calls, usually triggered by an event and acting through APIs. A few patterns teams ship:

• Standup summarizer: on a schedule, search a team channel's last 24 hours and post a digest.
• Incident correlation: when an alert fires, pull related threads and surface the likely owner.
• Customer-context aggregator: given an account name, search messages and files to brief a rep before a call.
• Release-notes generator: collect merged-PR discussion from channels into a draft canvas.
• Knowledge search: ground an internal assistant's answers in live channel context instead of stale exports.

This is exactly the architecture gamut.so (by Datawizz) is built around. An AI agent knowledge workforce where agents use MCP servers like Slack's as tools, triggered by events, acting through APIs, to do real work in the systems your team already lives in.

Security and governance you can't skip

Slack's permission model is necessary but not sufficient. The server returns whatever the authenticating user can already see. That can include credentials, PII, or source code sitting in channel history, files, and canvases. Practical guardrails:

• Least-privilege scopes. Grant only the scopes each agent needs (see the table above).
• Write off by default. On the community server, leave posting/reactions disabled unless required; scope SLACK_MCP_ADD_MESSAGE_TOOL to specific channel IDs.
• Admin approval and audit. The official server lets workspace admins approve and manage MCP integrations, enforces IP allowlists the same way the Web API does, and records activity in Slack's audit logs (Slack docs).
• Mind prompt injection. Pointing an agent at all your chat history is a real attack surface. Security researchers demonstrated data exfiltration via link unfurling against Anthropic's earlier (now-archived) reference Slack MCP server. The recommended fix was disabling link unfurling (unfurl_links: false, unfurl_media: false), and Anthropic archived the server rather than patch it (Embrace The Red advisory). Slack's guardrails are real, but they don't eliminate prompt-injection-class risk.

For the community server, the docs add the obvious-but-important stuff. Never share tokens, keep .env files private, set SLACK_MCP_API_KEY as a bearer token when exposing SSE/HTTP, and keep the host on 127.0.0.1 unless you intend to expose it.

Troubleshooting

• `missing_scope`: the token lacks a scope the tool requires. Re-authorize with the scope from the mapping table (e.g. add search:read.public for search).
• `channel_not_found`: the authenticated user/bot isn't a member of the channel, or the ID is wrong. Bot tokens on the community server only see invited channels.
• Rate limits: non-marketplace apps face stricter limits. Batch and back off.
• Unlisted-apps-prohibited: the official server only accepts directory-published or internal apps. Publish or convert to an internal app.
• Debugging the community server: inspect with npx @modelcontextprotocol/inspector ..., and on macOS tail Claude logs with tail -n 20 -f ~/Library/Logs/Claude/mcp*.log.

FAQ

What is the Slack MCP server? A server (now officially Slack-hosted) that lets AI assistants securely search Slack, read and send messages, and manage canvases on your behalf via the Model Context Protocol.

Is the Slack MCP server official, and who makes it? Yes. Slack (a Salesforce company) makes and hosts the official server, announced on February 17, 2026. Community servers like korotovsky's also exist but aren't official.

Which AI assistants work with Slack MCP? Slack documents Claude.ai, Claude Code, Perplexity, and Cursor as official clients, and says more than 50 partners (including Anthropic, Google, OpenAI, and Perplexity) are building on the platform (Slack blog).

How do I connect / authenticate the Slack MCP server? The official server uses OAuth 2.0 user tokens over https://mcp.slack.com/mcp; add the config to your client and click Connect to authorize. The community server uses xoxp, xoxb, or xoxc/xoxd tokens.

What's the difference between the official server and korotovsky/slack-mcp-server? The official server is remote, OAuth-based, and admin-governed. The community server is self-hosted and can use browser session tokens to bypass admin approval. Convenient, but riskier.

Is `@modelcontextprotocol/server-slack` the same as Slack's official server? No. That npm package is an older, deprecated reference server configured with bot tokens locally. It predates Slack's official hosted server and now lives in the archived servers-archived repo.

Can the Slack MCP server send messages? Yes, via chat:write on the official server. On the community server, posting is disabled by default and must be enabled with SLACK_MCP_ADD_MESSAGE_TOOL.

Where to go next

Connecting one AI client to your workspace? Start with the official server and the Slack MCP docs. If you're building agents that act across Slack and other systems on their own, the same MCP tool surface scales into full workflows.

Gamut.so, by Datawizz, runs an AI agent knowledge workforce where agents use MCP servers (including Slack's) as tools to act on your systems, triggered by events and acting through APIs.