Slack Secure Send v1

Overview

Slack Secure Send integrates SparkVault's Spark system directly into Slack. Users can send encrypted, self-destructing secrets to teammates using the /secret slash command. Each secret is encrypted with post-quantum cryptography and automatically destroyed after being read.

ML-KEM-1024
Post-Quantum Encryption
Burn
After Read
24h Max
Expiration Window
Analytics
Per-User Tracking

Key Features

  • /secret command: Send secrets from any Slack channel or DM. /secret @user or /secret #channel pre-selects the recipient
  • Send to a person or channel: One conversation per secret: a user DM, public channel, private channel, or group DM
  • Post-quantum encryption (ML-KEM-1024): Future-proof cryptographic security
  • Burn-after-read guarantee: Secrets are destroyed immediately after viewing
  • Configurable expiration: Set TTL from 1 minute to 24 hours
  • Usage analytics: Track secrets sent by user, team, and time period
Security Model

Secrets sent via Slack Secure Send use the same Spark infrastructure as the web app. The secret content is never stored in Slack. Only the spark ID travels through Slack, carried by the recipient's notification message. Even SparkVault cannot read the encrypted content without the burn-after-read ceremony completing.

How It Works

User Flow

  1. User types /secret in any Slack channel or DM
  2. A modal appears to enter the secret and configure options
  3. User selects the recipient conversation and expiration time
  4. SparkVault creates an encrypted Spark and posts a notification with a View Secret button to the recipient; only the spark ID travels through Slack
  5. The recipient clicks View Secret and confirms in a View & Destroy dialog; the secret is displayed in a Slack modal and burns on read
  6. The original notification is replaced with a Secret Burned notice. The secret is permanently destroyed

Command Syntax

The /secret command accepts an optional recipient argument that pre-selects the conversation in the send modal:

Command Behavior
/secret Opens the send modal with the current conversation pre-selected
/secret @user Pre-selects a direct message to that user
/secret #channel Pre-selects that channel

Modal Options

Secret Configuration

ParameterTypeRequiredDescription
Secret text Required The sensitive content to send (maximum 250 KB)
Send to select Required A single conversation: a user DM, public channel, private channel, or group DM. Private channels and group DMs require the SparkVault app to already be a member; public channels are joined automatically at delivery.
Expires in select Optional 1 min, 5 min, 15 min, 30 min, 1 hour, 6 hours, 12 hours, or 24 hoursDefault: 1 hour
In-Slack Display Limit

Secrets up to 250 KB can be sent, but Slack can only display up to 3,000 characters. A larger secret is refused at view time before the burn-read; the secret stays intact and expires at its scheduled TTL if unviewed.

App Home & Direct Messages

The integration also provides a SparkVault App Home inside Slack:

  • Home tab: Opening the SparkVault Home tab publishes an explainer of burn-after-read sharing and how to use /secret. When the account's storage or bandwidth capacity is running low or exhausted, the Home tab shows a proactive capacity warning: billing admins get an Add capacity button into the billing page, while members are directed to ask their account admin.
  • Welcome message: The first time a user opens the SparkVault Messages tab, a one-time welcome DM explains how to share secrets with /secret.
  • DM help: The app is not conversational. Direct messages to the bot receive a help reply pointing at the /secret command. This is why the im:history scope is requested.

Installation

Slack Secure Send requires OAuth installation from the SparkVault dashboard. The app requests minimal permissions, only what's needed to receive slash commands and post messages.

Required OAuth Scopes

Scope Purpose
commands Receive /secret slash command
chat:write Post secret notifications to DMs, channels, and groups
chat:write.public Post to public channels the app has not joined
channels:join Join a public channel to deliver a secret when not already a member
users:read Resolve sender and recipient names
channels:read Resolve public channel recipients
groups:read Resolve private channel recipients
im:read Resolve direct message recipients
im:history Read direct messages so the app can respond to DMs
mpim:read Resolve multi-person group DM recipients

Installation Steps

  1. Navigate to Integrations → Slack in the SparkVault dashboard
  2. Click "Add to Slack" to begin the OAuth flow
  3. Select your Slack workspace and authorize the requested permissions
  4. You'll be redirected back to SparkVault with installation confirmed
  5. The /secret command is now available in your workspace
Install Slack App

API Endpoints

While most Slack integration happens through the slash command, the following API endpoints are available for programmatic access and integration management.

Analytics

GET /v1/apps/slack/analytics

Retrieve usage analytics for your Slack Secure Send integration. Requires standard SparkVault authentication (JWT or API key); the account is derived from your credentials, never from query parameters.

Query Parameters

ParameterTypeRequiredDescription
start_date string Optional Start date in YYYY-MM-DD format
end_date string Optional End date in YYYY-MM-DD format
date string Optional Single date for daily summary (YYYY-MM-DD)
bash Request
curl -X GET 'https://api.sparkvault.com/v1/apps/slack/analytics?start_date=2024-01-01&end_date=2024-01-31' \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
json Response (Usage Records)
{
  "type": "usage_records",
  "data": {
    "records": [
      {
        "date": "2024-01-15",
        "slack_user_id": "U1234567890",
        "slack_username": "john.doe",
        "sparks_created": 12,
        "sparks_read": 10
      },
      {
        "date": "2024-01-16",
        "slack_user_id": "U1234567890",
        "slack_username": "john.doe",
        "sparks_created": 8,
        "sparks_read": 7
      }
    ],
    "truncated": false,
    "totals": {
      "sparks_created": 20,
      "sparks_read": 17
    },
    "installation": {
      "team_id": "T1234567890",
      "team_name": "Acme Corp",
      "installed_at": "2024-01-01T00:00:00.000Z"
    }
  }
}

truncated is true only when the requested window exceeded the analytics read cap; totals would then be partial sums over the returned records.

json Response (Daily Summary)
{
  "type": "daily_summary",
  "data": {
    "date": "2024-01-15",
    "total_sparks_created": 45,
    "total_sparks_read": 38,
    "users": [
      { "slack_user_id": "U1234567890", "slack_username": "john.doe", "sparks_created": 15, "sparks_read": 12 },
      { "slack_user_id": "U0987654321", "slack_username": "jane.smith", "sparks_created": 10, "sparks_read": 9 }
    ]
  }
}

users lists per-user counts for the requested day, sorted by sparks_created descending.

Uninstall

DELETE /v1/apps/slack/uninstall

Uninstall Slack Secure Send from your SparkVault account. Removes the installation and disconnects your Slack workspace. Requires standard SparkVault authentication.

bash Request
curl -X DELETE 'https://api.sparkvault.com/v1/apps/slack/uninstall' \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
json Response
{
  "uninstalled": true,
  "account_id": "acc_01hq3vxk9m...",
  "team_id": "T1234567890"
}
Uninstall Behavior

Uninstalling removes the OAuth connection between SparkVault and your Slack workspace, and the /secret command will no longer work. Pending secrets are not destroyed, but they become unretrievable via Slack: the View Secret button requires the installation's bot token, and interactions from an uninstalled workspace are acknowledged without action. Unviewed secrets simply expire at their scheduled TTL.

Webhook Endpoints (Internal)

The following endpoints support the integration during normal operation. The webhook endpoints are called by Slack's servers; the OAuth callback is called by the SparkVault frontend after Slack redirects back from authorization. They are documented here for transparency but should not be called directly by your application.

Endpoint Purpose Auth
POST /v1/apps/slack/webhooks/commands Receives the /secret slash command Slack signature
POST /v1/apps/slack/webhooks/interactions Modal submissions and button clicks Slack signature
POST /v1/apps/slack/webhooks/events Slack Events API: url_verification, app_uninstalled, tokens_revoked, app_home_opened, and direct-message help replies Slack signature
POST /v1/apps/slack/oauth/callback OAuth code exchange after installation, called by the SparkVault frontend JWT (account derived from auth, never the request body)
Signature Verification

All webhook requests from Slack are verified using the X-Slack-Signature header and the app's signing secret. This ensures requests originate from Slack, not malicious actors.

Error Handling

Error Responses

StatusCodeDescription
400 VALIDATION_ERROR Invalid request parameters. Also returned when Slack is not installed for this account.
401 AUTHENTICATION_ERROR Missing or invalid credentials (session JWT or API key).
402 PLAN_REQUIRED Sending secrets requires an active SparkVault subscription.
402 QUOTA_EXCEEDED The account's storage or bandwidth capacity is exhausted. details.resource identifies the pool.
429 RATE_LIMIT_EXCEEDED Too many requests. Retry after the specified time.

An empty analytics window is not an error: the endpoint returns an empty records array with zero totals.

Subscription & Capacity Gates

Sending is gated by an active subscription (PLAN_REQUIRED) and available account capacity (QUOTA_EXCEEDED, with details.resource of storage or bandwidth). When a send is gated, the sender sees an ephemeral Slack message with a role-aware call to action: billing admins get a Subscribe or Add capacity button linking to the billing page, while members are directed to ask their account admin.

Billing

Slack Secure Send is included with your SparkVault subscription. Billing is license-based. There is no per-secret charge, and no per-spark cost is tracked or billed.

Operation Requirement
Send secret (create Spark) Active subscription with available storage and bandwidth capacity
View secret (read Spark) Free, always included
Capacity Blocks

If a capacity pool runs low, billing admins can add capacity blocks from the billing page. The SparkVault App Home tab in Slack proactively warns when capacity is running low.

Security Considerations

  • Secrets never stored in Slack: Only a notification message with a View Secret button, carrying the spark ID, is posted to Slack. The encrypted content lives in SparkVault's infrastructure.
  • Post-quantum encryption: All secrets use ML-KEM-1024, providing security against future quantum computer attacks.
  • Burn-after-read: Once a secret is viewed, the encryption key is destroyed. There is no way to recover the content after viewing.
  • Time-limited secrets: Unread secrets automatically expire after the configured TTL (max 24 hours), ensuring secrets don't linger indefinitely.
  • In-Slack display cap: Slack can only display up to 3,000 characters. An oversized secret is refused at view time before the burn-read, leaving the secret intact until it expires on schedule.
  • Audit trail: All secret creation and viewing events are logged with Slack user context for compliance and security monitoring.
  • OAuth token security: OAuth tokens are stored encrypted and can be revoked at any time by uninstalling the app.

Best Practices

  • Use short expiration times: For highly sensitive secrets, use the shortest practical expiration (1 or 5 minutes) to minimize exposure window.
  • Send to specific users: When possible, send secrets directly to the intended recipient rather than posting to a channel.
  • Monitor analytics: Regularly review usage analytics to identify unusual patterns or potential misuse.
  • Train your team: Ensure team members understand the burn-after-read behavior and save important information before the secret is destroyed.
  • Don't screenshot secrets: While we can't prevent it, encourage users not to screenshot secrets as this defeats the security model.

Get Started

Install Slack Secure Send and start sharing secrets securely with your team.