Overview
Slack Secure Send integrates SparkVault's Spark system directly into Slack. Users can send
encrypted, self-destructing secrets to teammates using the /secret slash command.
Each secret is encrypted with post-quantum cryptography and automatically destroyed after being read.
Key Features
- /secret command: Send secrets from any Slack channel or DM.
/secret @useror/secret #channelpre-selects the recipient - Send to a person or channel: One conversation per secret: a user DM, public channel, private channel, or group DM
- Post-quantum encryption (ML-KEM-1024): Future-proof cryptographic security
- Burn-after-read guarantee: Secrets are destroyed immediately after viewing
- Configurable expiration: Set TTL from 1 minute to 24 hours
- Usage analytics: Track secrets sent by user, team, and time period
Secrets sent via Slack Secure Send use the same Spark infrastructure as the web app. The secret content is never stored in Slack. Only the spark ID travels through Slack, carried by the recipient's notification message. Even SparkVault cannot read the encrypted content without the burn-after-read ceremony completing.
How It Works
User Flow
- User types
/secretin any Slack channel or DM - A modal appears to enter the secret and configure options
- User selects the recipient conversation and expiration time
- SparkVault creates an encrypted Spark and posts a notification with a View Secret button to the recipient; only the spark ID travels through Slack
- The recipient clicks View Secret and confirms in a View & Destroy dialog; the secret is displayed in a Slack modal and burns on read
- The original notification is replaced with a Secret Burned notice. The secret is permanently destroyed
Command Syntax
The /secret command accepts an optional recipient argument that pre-selects the
conversation in the send modal:
| Command | Behavior |
|---|---|
/secret |
Opens the send modal with the current conversation pre-selected |
/secret @user |
Pre-selects a direct message to that user |
/secret #channel |
Pre-selects that channel |
Modal Options
Secret Configuration
| Parameter | Type | Required | Description |
|---|---|---|---|
Secret |
text | Required | The sensitive content to send (maximum 250 KB) |
Send to |
select | Required | A single conversation: a user DM, public channel, private channel, or group DM. Private channels and group DMs require the SparkVault app to already be a member; public channels are joined automatically at delivery. |
Expires in |
select | Optional | 1 min, 5 min, 15 min, 30 min, 1 hour, 6 hours, 12 hours, or 24 hoursDefault: 1 hour |
Secrets up to 250 KB can be sent, but Slack can only display up to 3,000 characters. A larger secret is refused at view time before the burn-read; the secret stays intact and expires at its scheduled TTL if unviewed.
App Home & Direct Messages
The integration also provides a SparkVault App Home inside Slack:
-
Home tab: Opening the SparkVault Home tab publishes an explainer of
burn-after-read sharing and how to use
/secret. When the account's storage or bandwidth capacity is running low or exhausted, the Home tab shows a proactive capacity warning: billing admins get an Add capacity button into the billing page, while members are directed to ask their account admin. -
Welcome message: The first time a user opens the SparkVault Messages tab,
a one-time welcome DM explains how to share secrets with
/secret. -
DM help: The app is not conversational. Direct messages to the bot receive
a help reply pointing at the
/secretcommand. This is why theim:historyscope is requested.
Installation
Slack Secure Send requires OAuth installation from the SparkVault dashboard. The app requests minimal permissions, only what's needed to receive slash commands and post messages.
Required OAuth Scopes
| Scope | Purpose |
|---|---|
commands |
Receive /secret slash command |
chat:write |
Post secret notifications to DMs, channels, and groups |
chat:write.public |
Post to public channels the app has not joined |
channels:join |
Join a public channel to deliver a secret when not already a member |
users:read |
Resolve sender and recipient names |
channels:read |
Resolve public channel recipients |
groups:read |
Resolve private channel recipients |
im:read |
Resolve direct message recipients |
im:history |
Read direct messages so the app can respond to DMs |
mpim:read |
Resolve multi-person group DM recipients |
Installation Steps
- Navigate to Integrations → Slack in the SparkVault dashboard
- Click "Add to Slack" to begin the OAuth flow
- Select your Slack workspace and authorize the requested permissions
- You'll be redirected back to SparkVault with installation confirmed
- The
/secretcommand is now available in your workspace
API Endpoints
While most Slack integration happens through the slash command, the following API endpoints are available for programmatic access and integration management.
Analytics
/v1/apps/slack/analytics
Retrieve usage analytics for your Slack Secure Send integration. Requires standard SparkVault authentication (JWT or API key); the account is derived from your credentials, never from query parameters.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
start_date |
string | Optional | Start date in YYYY-MM-DD format |
end_date |
string | Optional | End date in YYYY-MM-DD format |
date |
string | Optional | Single date for daily summary (YYYY-MM-DD) |
curl -X GET 'https://api.sparkvault.com/v1/apps/slack/analytics?start_date=2024-01-01&end_date=2024-01-31' \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
{
"type": "usage_records",
"data": {
"records": [
{
"date": "2024-01-15",
"slack_user_id": "U1234567890",
"slack_username": "john.doe",
"sparks_created": 12,
"sparks_read": 10
},
{
"date": "2024-01-16",
"slack_user_id": "U1234567890",
"slack_username": "john.doe",
"sparks_created": 8,
"sparks_read": 7
}
],
"truncated": false,
"totals": {
"sparks_created": 20,
"sparks_read": 17
},
"installation": {
"team_id": "T1234567890",
"team_name": "Acme Corp",
"installed_at": "2024-01-01T00:00:00.000Z"
}
}
}
truncated is true only when the requested window exceeded the
analytics read cap; totals would then be partial sums over the returned records.
{
"type": "daily_summary",
"data": {
"date": "2024-01-15",
"total_sparks_created": 45,
"total_sparks_read": 38,
"users": [
{ "slack_user_id": "U1234567890", "slack_username": "john.doe", "sparks_created": 15, "sparks_read": 12 },
{ "slack_user_id": "U0987654321", "slack_username": "jane.smith", "sparks_created": 10, "sparks_read": 9 }
]
}
}
users lists per-user counts for the requested day, sorted by
sparks_created descending.
Uninstall
/v1/apps/slack/uninstall
Uninstall Slack Secure Send from your SparkVault account. Removes the installation and disconnects your Slack workspace. Requires standard SparkVault authentication.
curl -X DELETE 'https://api.sparkvault.com/v1/apps/slack/uninstall' \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
{
"uninstalled": true,
"account_id": "acc_01hq3vxk9m...",
"team_id": "T1234567890"
}
Uninstalling removes the OAuth connection between SparkVault and your Slack workspace, and
the /secret command will no longer work. Pending secrets are not destroyed, but
they become unretrievable via Slack: the View Secret button requires the
installation's bot token, and interactions from an uninstalled workspace are acknowledged
without action. Unviewed secrets simply expire at their scheduled TTL.
Webhook Endpoints (Internal)
The following endpoints support the integration during normal operation. The webhook endpoints are called by Slack's servers; the OAuth callback is called by the SparkVault frontend after Slack redirects back from authorization. They are documented here for transparency but should not be called directly by your application.
| Endpoint | Purpose | Auth |
|---|---|---|
POST /v1/apps/slack/webhooks/commands |
Receives the /secret slash command | Slack signature |
POST /v1/apps/slack/webhooks/interactions |
Modal submissions and button clicks | Slack signature |
POST /v1/apps/slack/webhooks/events |
Slack Events API: url_verification, app_uninstalled, tokens_revoked, app_home_opened, and direct-message help replies |
Slack signature |
POST /v1/apps/slack/oauth/callback |
OAuth code exchange after installation, called by the SparkVault frontend | JWT (account derived from auth, never the request body) |
All webhook requests from Slack are verified using the X-Slack-Signature header
and the app's signing secret. This ensures requests originate from Slack, not malicious actors.
Error Handling
Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | VALIDATION_ERROR |
Invalid request parameters. Also returned when Slack is not installed for this account. |
| 401 | AUTHENTICATION_ERROR |
Missing or invalid credentials (session JWT or API key). |
| 402 | PLAN_REQUIRED |
Sending secrets requires an active SparkVault subscription. |
| 402 | QUOTA_EXCEEDED |
The account's storage or bandwidth capacity is exhausted. details.resource identifies the pool. |
| 429 | RATE_LIMIT_EXCEEDED |
Too many requests. Retry after the specified time. |
An empty analytics window is not an error: the endpoint returns an empty
records array with zero totals.
Sending is gated by an active subscription (PLAN_REQUIRED) and available account
capacity (QUOTA_EXCEEDED, with details.resource of
storage or bandwidth). When a send is gated, the sender sees an
ephemeral Slack message with a role-aware call to action: billing admins get a
Subscribe or Add capacity button linking to the billing page,
while members are directed to ask their account admin.
Billing
Slack Secure Send is included with your SparkVault subscription. Billing is license-based. There is no per-secret charge, and no per-spark cost is tracked or billed.
| Operation | Requirement |
|---|---|
| Send secret (create Spark) | Active subscription with available storage and bandwidth capacity |
| View secret (read Spark) | Free, always included |
If a capacity pool runs low, billing admins can add capacity blocks from the billing page. The SparkVault App Home tab in Slack proactively warns when capacity is running low.
Security Considerations
- Secrets never stored in Slack: Only a notification message with a View Secret button, carrying the spark ID, is posted to Slack. The encrypted content lives in SparkVault's infrastructure.
- Post-quantum encryption: All secrets use ML-KEM-1024, providing security against future quantum computer attacks.
- Burn-after-read: Once a secret is viewed, the encryption key is destroyed. There is no way to recover the content after viewing.
- Time-limited secrets: Unread secrets automatically expire after the configured TTL (max 24 hours), ensuring secrets don't linger indefinitely.
- In-Slack display cap: Slack can only display up to 3,000 characters. An oversized secret is refused at view time before the burn-read, leaving the secret intact until it expires on schedule.
- Audit trail: All secret creation and viewing events are logged with Slack user context for compliance and security monitoring.
- OAuth token security: OAuth tokens are stored encrypted and can be revoked at any time by uninstalling the app.
Best Practices
- Use short expiration times: For highly sensitive secrets, use the shortest practical expiration (1 or 5 minutes) to minimize exposure window.
- Send to specific users: When possible, send secrets directly to the intended recipient rather than posting to a channel.
- Monitor analytics: Regularly review usage analytics to identify unusual patterns or potential misuse.
- Train your team: Ensure team members understand the burn-after-read behavior and save important information before the secret is destroyed.
- Don't screenshot secrets: While we can't prevent it, encourage users not to screenshot secrets as this defeats the security model.
Get Started
Install Slack Secure Send and start sharing secrets securely with your team.