Slack App Notifications

Configure the Slack App Veza Action for direct message delivery to Access Review reviewers.

Veza's Slack App integration sends direct message notifications to users for Access Reviews and Access Requests. Unlike webhook integration, which posts messages to Slack channels, this integration delivers notifications directly to users via the Veza Slackbot, using Block Kit for rich notification formatting and enabling interactive approval workflows.

By completing this guide, you will:

  • Create a Veza OAuth2 client for user authentication

  • Create and configure a Veza Slack app in your Slack workspace

  • Configure the Slack App Veza Action in Veza

  • Enable direct message delivery for Access Reviews and Access Requests

  • Optionally enable alert and digest notification delivery

Comparison with Slack Webhook Integration

This integration complements channel-based Slack integration. Both can be used together for channel announcements and direct messages to reviewers:

| Feature | Slack App (This Doc) | Slack Webhook |
| --- | --- | --- |
| Message type | Direct messages to users | Posts to Slack channels |
| User matching | By email address | N/A |
| Setup | Slack App with OAuth | Webhook URL |
| Use case | Personal review notifications | Team-wide announcements |
| Format | Block Kit | Formatted text or Block Kit |

Prerequisites

  • Admin access to your Slack workspace

  • Users must exist in both Veza and Slack with matching email addresses

  • Each reviewer must connect their Slack account to their Veza account on first use (see First-time user connection)

  • Feature flags enabled (contact Veza support):

    • UI_SLACK_APP_INTEGRATION — Enables Slack app integration

    • PLAT_OAUTH2_TOKEN_PROVIDER — Required for user authentication flow

Network requirements

The integration requires inbound connectivity to your Veza tenant from Slack's servers and user browsers:

| Endpoint | Accessible From | Purpose |
| --- | --- | --- |
| {veza_url}/slackapp/interactions | Slack's servers | Receives button click callbacks (Approve/Deny/View) |
| {veza_url}/slackapp/connect | User's browser | Initiates user authentication when clicking Connect |
| {veza_url}/slackapp/callback | User's browser | OAuth callback after Veza login |

How user matching works

User email addresses in Slack must exactly match the reviewer's email address in Veza. The Veza Slackbot matches users using the following process:

  1. Veza identifies the reviewer: The user is assigned to a review in Veza Access Reviews

  2. Email lookup: Veza takes the user's email address from their Veza account

  3. Slack user search: The integration calls Slack's users.lookupByEmail API method to find a matching user

  4. Direct message delivery: If found, the notification is sent as a DM to that Slack user
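An added example, not Veza's code: a pre-flight audit that applies the same exact, case-sensitive comparison to a list of reviewer emails and a list of Slack member emails, so near-misses are found before a DM fails to deliver. The function name and all addresses are constructed for illustration.

```python
# Constructed sample data: reviewer emails as stored in Veza, and member
# emails as they would appear in an export of the Slack workspace.
VEZA_REVIEWERS = [
    "alex.wilber@example.com",
    "Dana.Ortiz@example.com",     # differs from Slack only by case
    "sam.lee@example.com ",       # trailing space
    "pat.kim@example.com",        # not a workspace member
]
SLACK_MEMBERS = [
    "alex.wilber@example.com",
    "dana.ortiz@example.com",
    "sam.lee@example.com",
]


def audit_email_matches(veza_emails, slack_emails):
    """Classify each Veza email under an exact, case-sensitive comparison.

    Returns a dict with three lists:
      match     - identical string exists in Slack
      near_miss - (veza_email, slack_email) pairs that differ only by
                  letter case or surrounding whitespace
      missing   - no Slack member has this address in any form
    """
    exact = set(slack_emails)
    # Index Slack addresses by a normalized form to explain near-misses.
    by_folded = {}
    for addr in slack_emails:
        by_folded.setdefault(addr.strip().casefold(), addr)

    report = {"match": [], "near_miss": [], "missing": []}
    for addr in veza_emails:
        folded = addr.strip().casefold()
        if addr in exact:
            report["match"].append(addr)
        elif folded in by_folded:
            report["near_miss"].append((addr, by_folded[folded]))
        else:
            report["missing"].append(addr)
    return report


if __name__ == "__main__":
    for status, rows in audit_email_matches(VEZA_REVIEWERS, SLACK_MEMBERS).items():
        print(status, rows)
```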

First-time user connection

When a Slack user receives their first notification from Veza, they must connect their Slack account to their Veza account:

  1. The notification includes a Connect button instead of action buttons

  2. Clicking Connect redirects the user to Veza's standard login page

  3. The user logs in with their existing Veza credentials (local account or SSO)

  4. After successful authentication, Veza securely stores the binding between the Slack user ID and the Veza user account

  5. All subsequent notifications include interactive buttons without requiring reconnection. Access Request notifications include Approve and Deny buttons; Access Review notifications include a View in Veza button

The connection flow uses PKCE (Proof Key for Code Exchange) for security. Connection requests expire after 10 minutes.
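What PKCE with a 10-minute expiry checks at the callback, as an added sketch that is not Veza's implementation. It assumes the S256 challenge method from RFC 7636; the `PendingConnections` store, its method names and the `state` key are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import time

CONNECT_TTL_SECONDS = 10 * 60  # connection requests expire after 10 minutes


def make_verifier():
    """32 random bytes as unpadded base64url: a 43-character code_verifier."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class PendingConnections:
    """Hypothetical store of in-flight Connect requests, keyed by `state`."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}

    def start(self, state, challenge):
        # Only the challenge is recorded; the verifier stays with the initiator.
        self._pending[state] = (challenge, self._now())

    def finish(self, state, verifier):
        entry = self._pending.pop(state, None)  # single use: replays fail
        if entry is None:
            return "unknown_state"
        challenge, started = entry
        if self._now() - started > CONNECT_TTL_SECONDS:
            return "expired"
        if not hmac.compare_digest(s256_challenge(verifier), challenge):
            return "verifier_mismatch"
        return "ok"
```

An intercepted authorization code is useless without the matching verifier, and an abandoned Connect click stops being redeemable once the window closes.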

Global IdP not required: The Slack integration uses the email address from the Veza user account, regardless of whether you have a Global IdP configured. If you use a Global IdP, ensure the email addresses match those in Slack.

Setup Process

Step 1: Create Veza OAuth2 Client

Before creating the Slack app, you must create an OAuth2 client in Veza. This enables the user authentication flow when Slack users click interactive buttons (Connect, Approve, Deny).

  1. Navigate to Administration > Sign-in Settings

  2. Enable Veza OAuth2 Authorization Server

  3. Navigate to Administration > API Keys > OAuth2 Clients

  4. Click Add New OAuth2 Client

Veza returns credentials required for the Slack app configuration:

Save these values: You will use them as Veza OAuth Client ID and Veza OAuth Client Secret when configuring the Slack app in Veza.

Step 2: Create the Veza Slack App

  1. Go to https://api.slack.com/apps and click Create New App

  2. Select From an app manifest

  3. Choose your workspace

  4. Paste the manifest below, replacing {customer_cluster_url} with your Veza instance URL (e.g., https://yourcompany.veza.cloud):

  5. Review and click Create

  6. Navigate to Install to Workspace and authorize the app

Gather required credentials

After installation, collect these values from your Slack app:

| Credential | Location | Format |
| --- | --- | --- |
| Client ID | Basic Information > App Credentials | Alphanumeric |
| Client Secret | Basic Information > App Credentials | Alphanumeric |
| Signing Secret | Basic Information > App Credentials | Hex string |
| Bot Token | OAuth & Permissions > Bot User OAuth Token | Starts with xoxb- |

You will also need the Veza OAuth Client ID and Veza OAuth Client Secret from Step 1. These are required to enable interactive Approve/Deny buttons for Access Requests.

Step 3: Configure in Veza

  1. Navigate to Integrations > Veza Actions

  2. Click Add Veza Action and select Slack App

  3. Provide the required information:

    • Name: Descriptive name (e.g., "Slack Direct Messages")

    • Client ID: From Slack app credentials

    • Client Secret: From Slack app credentials

    • Signing Secret: From Slack app credentials (verifies webhook authenticity)

    • Token: Bot User OAuth Token (xoxb-...)

    • Veza OAuth Client ID: From Step 1 (OAuth2 client creation)

    • Veza OAuth Client Secret: From Step 1 (OAuth2 client creation)

  4. Click Next and Test Connection

    • Veza verifies the Bot Token can connect to your Slack workspace

  5. Click Create to save

Test connection validation

The test performs these checks:

  • Bot Token authentication: Verifies the bot token is valid and can connect to Slack

  • Workspace access: Confirms the bot has access to the configured workspace
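How the Signing Secret from Step 3 authenticates a callback to {veza_url}/slackapp/interactions, following Slack's publicly documented v0 request-signing scheme. This is an added example, not Veza's code; the function names, header dictionary and sample values are constructed.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5 * 60  # Slack's guidance: reject requests older than 5 minutes

# Constructed sample values (not real credentials or a real Slack payload).
SAMPLE_SECRET = "3f9a1c0de5b7428896aa0c4d1e2f7b65"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = b"payload=%7B%22type%22%3A%22block_actions%22%7D"


def slack_signature(signing_secret, timestamp, raw_body):
    """Slack v0 scheme: HMAC-SHA256 over 'v0:<timestamp>:<raw request body>'."""
    base = b"v0:" + timestamp.encode() + b":" + raw_body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Return 'ok', or the reason the callback must be rejected."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not (ts.isascii() and ts.isdigit()):
        return "bad_timestamp"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return "stale"  # replayed or badly delayed request
    expected = slack_signature(signing_secret, ts, raw_body)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "signature_mismatch"
    return "ok"
```

The signature covers the raw body bytes, so a proxy or WAF that re-encodes the form payload in front of the endpoint produces the same failure as a wrong secret.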

Using the Slack App Veza Action

Enable Slack delivery on a configuration

To enable Slack notifications for an individual Access Review configuration:

  1. Navigate to Access Reviews > Configurations

  2. Create or edit a configuration

  3. In the Notifications step, under Delivery options, enable the Slack checkbox

  4. If you have multiple Slack App Veza Actions configured, select the desired one from the dropdown

Enable Slack delivery for alerts

Alerts send immediate notifications when reviewers are assigned to new reviews. To enable Slack delivery for alerts:

  1. Navigate to Access Reviews > Settings > Notifications

  2. Under Alerts, enable the toggle

  3. Under Delivery options, enable the Slack checkbox

  4. If you have multiple Slack App Veza Actions configured, select the desired one from the dropdown

For more information on alert configuration, see Notifications and Reminders.

Enable Slack delivery for digest notifications

Digest notifications send periodic summaries of pending reviews. To enable Slack delivery for digests:

  1. Navigate to Access Reviews > Settings > Notifications

  2. Under Digest Notifications, enable the toggle

  3. Under Delivery options, enable the Slack checkbox

  4. If you have multiple Slack App Veza Actions configured, select the desired one from the dropdown

For more information on digest configuration, see Digest Notifications.

You can enable Email, Slack, and Microsoft Teams simultaneously. Reviewers receive notifications through all enabled channels.

Using Slack App in Access Requests

Access Request approvers can approve or deny access requests directly from Slack without needing to log in to Veza.

Configure notification settings for approvers

To send Access Request notifications via Slack:

  1. Navigate to Lifecycle Management > Settings > Access Request Settings

  2. Scroll to the Notifications section

  3. Click Add Notification or edit an existing notification

  4. Configure the notification:

    • Event Type: Select which event triggers the notification (e.g., Request Submitted, Request Approved)

    • Notification Type: Select Slack App

    • Slack App: Choose your configured Slack app from the dropdown

    • Send To: Check Approvers to send notifications to access request approvers

  5. Click Save

Unlike Access Reviews (configured per-review), Access Request Slack notifications are configured globally in Lifecycle Management Settings and apply to all access requests.

What approvers see

When an access request requires approval, the approver receives a Slack direct message:

Button actions:

  • Connect (first-time only): Authenticates the Slack user with their Veza account via the OAuth flow configured in Step 1

  • Approve: Approves the access request directly from Slack

  • Deny: Rejects the access request directly from Slack

  • View in Veza: Opens the full request details in your browser

After clicking Approve or Deny, Slack displays a confirmation message indicating the action was successful.

Customize notification templates

The Slack App Veza Action uses Block Kit JSON templates. Veza provides default templates for each notification event type, including review notifications, alerts, and digests. You can create custom templates to modify the content and layout.

To create a custom template:

  1. Navigate to Access Reviews > Settings > Notifications

  2. Click Create Template

  3. Select the notification event type (review events, Alerts, or Digest)

  4. Under Deliver via, select Slack

  5. Edit the Block Kit JSON body

  6. Save the template

You can create one custom template per event type. Alert and digest templates each support a single custom template that applies across all configurations.

For more information on template customization, see Customizing Templates.

Default templates

Veza includes default Block Kit templates for each notification event type.

Review notifications:

| Event | Default message |
| --- | --- |
| Review started | "The review {name} was started." |
| Review completed | "The review {name} has been completed." |
| Reviewer changed | "Assigned reviewers on {name} have changed from X to Y." |
| Owner changed | "The owner of review configuration {name} has changed from X to Y." |
| Reminder: No activity | "{name} review has had no activity from {reviewer} for X days." |
| Reminder: Due date | "{name} review is due in X days." |
| Row approved | "In the access review {name}, access for X rows was approved." |
| Row rejected | "In the access review {name}, access for X rows was rejected." |

Alerts and digests:

| Event | Default message |
| --- | --- |
| Alert | "New Reviews" — lists newly assigned reviews with due dates and item counts, with a Go to My Reviews button |
| Digest | "My Reviews" — summarizes all pending reviews with items remaining and due dates, with a Go to My Reviews button |

Each default template includes an action button linking to the review or reviews list.

Common template placeholders

Slack templates support placeholder tokens that are replaced with dynamic values at send time. Common placeholders include:

| Placeholder | Description |
| --- | --- |
| {{WORKFLOW_NAME}} | Name of the Access Review |
| {{WORKFLOW_URL}} | Link to the review in Veza |
| {{WORKFLOW_OWNER}} | Email of the review owner |
| {{WORKFLOW_CERT_REVIEWERS}} | List of reviewer emails |
| {{WORKFLOW_CERT_DUE_ON_DATE}} | Review due date |
| {{WORKFLOW_CERT_DUE_ON_PHRASE}} | Human-readable due date (e.g., "is due in 3 days") |
| {{WORKFLOW_CERT_LAST_ACTIVITY_REVIEWER}} | Reviewer with no recent activity |
| {{WORKFLOW_CERT_LAST_ACTIVITY_PHASE}} | Time since last activity (e.g., "for 3 days") |
| {{WORKFLOW_CERT_LAST_ACTIVITY_ROWS_NEED_SIGN_OFF}} | Rows remaining for sign-off |
| {{WORKFLOW_CERT_LAST_ACTIVITY_ROWS_TOTAL}} | Total rows in the review |
| {{REVIEW_ACCEPTED_REJECTED_ROWS_PHRASE}} | Description of approved/rejected rows |

The same placeholders are available for Email, Slack, and Teams templates. For the complete list of all available placeholders organized by notification event type, see Placeholders Reference.

What users see

Reviewers receive direct messages containing Block Kit messages with review information and action buttons.

First notification (before connecting):

Veza needs to verify your identity.

[Connect]

After clicking Connect and logging in to Veza, the user's Slack account is linked to their Veza account.

Review started notification:

The review Quarterly Access Review was started.

[View in Veza]

Inactivity reminder:

Quarterly Access Review review has had no activity from Alex Wilber for 3 days.

Alex Wilber has 15 of 42 rows that need to be signed off.

[View in Veza]

Due date reminder:

Quarterly Access Review review is due in 2 days.

[View in Veza]

Digest notifications

When digest notifications are enabled, reviewers receive consolidated Block Kit summaries listing all pending reviews, items remaining, and due dates, with a Go to My Reviews action button.

Limitations

Before enabling the Slack App integration, note the following limitations:

  • Email matching required: Users must have matching email addresses in both Veza and Slack. The match is case-sensitive.

  • User connection required: Each reviewer must connect their Slack account to their Veza account by clicking Connect on their first notification and logging in. Until connected, users cannot take actions (Approve/Deny) from Slack.

  • No delivery failure alerts: Veza does not currently track or raise alerts when a Slack message fails to deliver. If a notification cannot be sent (for example, because the user's email doesn't match or the bot cannot reach the user), the failure is logged internally but no alert is surfaced to administrators. Consider keeping email notifications enabled as a fallback.

Troubleshooting

Users not receiving messages

| Cause | Solution |
| --- | --- |
| Email mismatch | Verify the user's email in Veza exactly matches their email in Slack. The match is case-sensitive. |
| Bot not in workspace | Ensure the Slack app is installed to the workspace and the bot token is valid. |
| User not in workspace | The user must be a member of the Slack workspace where the app is installed. |

Connection test fails

| Error | Solution |
| --- | --- |
| "Invalid token" | Verify the Bot User OAuth Token starts with xoxb- and was copied correctly. |
| "Channel not found" | Ensure the bot has been installed to the workspace and has the required OAuth scopes. |
| "Missing scope" | Reinstall the app or add the missing scope (chat:write, users:read, users:read.email). |

Users cannot approve/deny from Slack

| Cause | Solution |
| --- | --- |
| User not connected | The user must click Connect and log in to Veza to link their accounts. |
| Connection expired | Connection requests expire after 10 minutes. Have the user click Connect again. |
| Self-approval attempted | Approvers cannot approve their own access requests. The request must be submitted by a different user. |
| Interactivity URL wrong | Verify the app manifest request_url points to {veza_url}/slackapp/interactions. |
| Signing secret mismatch | Verify the Signing Secret in Veza matches the value in your Slack app's Basic Information. |
| OAuth2 client not configured | Verify the Veza OAuth2 Authorization Server is enabled and the client credentials are correct (see Step 1). |

Access Request notifications not received

| Cause | Solution |
| --- | --- |
| Auto-approval enabled | If the access request policy uses "Grant without approval," no approval notification is sent. Disable auto-approval or test with a non-admin user. |
| Notification not configured | Verify a Slack App notification is configured in Lifecycle Management > Settings > Access Request Settings. |
| Wrong event type | Ensure the notification event type matches the request lifecycle event (e.g., "Request Submitted" for new requests). |

Additional resources

Slack documentation

Veza documentation
