Slack App Notifications

Configuring Veza's Slack App for Direct Message Notifications

Early Access Feature: The Slack App integration requires the UI_SLACK_APP_INTEGRATION feature to be enabled for your organization. Contact Veza support to request access.

Overview

Veza's Slack App integration sends direct message notifications to users assigned access reviews. Unlike webhook integration, which posts messages to connected Slack channels, this integration delivers notifications directly to users via the Veza Slackbot.

Comparison with Slack Webhook Integration

This integration complements the earlier webhook-based Slack integration with the Veza platform. The Veza Slackbot and the webhook-based integration can be used in tandem: webhooks for channel announcements, and the Slackbot for direct messages to reviewers:

| Feature | Veza Slackbot App (This Doc) | Webhook-based integration to Slack |
| --- | --- | --- |
| Message Type | Direct notification messages | Notifications to specific Slack channels |
| User Matching | By email address | N/A |
| Setup | OAuth | Webhook URL |
| Use Case | Personal notifications | General notifications |

The Veza Slackbot requires dual-step authentication:

  1. A Veza Slackbot User OAuth Token (xoxb-...) from your Slack app installation allows Veza to send direct messages to users, look up users by email address, and test the connection to your workspace.

  2. When Slack users first connect to the Veza Slackbot, they authenticate through Veza's login system (using SSO or a local login), creating a persistent identity mapping between their Slack user ID and Veza account.

The user connection flow uses PKCE (Proof Key for Code Exchange) for added security.
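The PKCE mechanism mentioned above, shown as an added example that is not Veza's code: it follows RFC 7636 with the S256 challenge method, which is an assumption since this page does not state the method or which component plays which role. `ToyAuthServer` and its method names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    """Random code_verifier; 64 bytes encode to 86 chars (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(64)


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthServer:
    """Hypothetical authorization server that binds each code to a challenge."""

    def __init__(self):
        self._pending = {}

    def authorize(self, challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = challenge
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # a code is usable once
        if challenge is None:
            return False
        return hmac.compare_digest(challenge.encode(), s256_challenge(verifier).encode())


def demo():
    server = ToyAuthServer()
    verifier = make_verifier()            # never leaves the initiating client
    challenge = s256_challenge(verifier)  # travels with the login redirect
    intercepted = server.authorize(challenge)
    legitimate = server.authorize(challenge)
    return {
        "intercepted_code_wrong_verifier": server.redeem(intercepted, make_verifier()),
        "legitimate": server.redeem(legitimate, verifier),
        "code_reuse": server.redeem(legitimate, verifier),
    }
```

An authorization code observed in the browser redirect is useless on its own, because redeeming it requires the verifier that only the initiating side holds.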

Prerequisites

  • Admin access to your Slack workspace

  • Users must exist in both Veza and Slack with matching email addresses

  • Feature flag UI_SLACK_APP_INTEGRATION enabled (contact Veza support to enable)

Network Requirements

The integration requires inbound connectivity to your Veza tenant:

| Endpoint | Accessible From | Purpose |
| --- | --- | --- |
| {veza_url}/slackapp/interactions | Slack's servers | Receives button click callbacks (Approve/Deny/View) |
| {veza_url}/slackapp/connect | User's browser | Initiates user authentication when clicking Connect |
| {veza_url}/slackapp/callback | User's browser | OAuth callback after Veza login |

How User Matching Works

User email addresses in Slack must exactly match the reviewer's email address in Veza for proper notification flow. The Veza Slackbot matches users between Veza and Slack using the following process:

  1. Reviewer identification - Veza identifies the reviewer, the user assigned to a review in Veza Access Reviews.

  2. Email lookup - Veza takes the user's email address from their Veza account.

  3. Slack user search - The integration calls Slack's API (GetUserByEmail) to find a user with that exact email address.

  4. Direct message delivery - If found, the notification is sent as a DM to that Slack user.

First-Time User Connection

When a Slack user receives their first notification from Veza, they may need to connect their Slack account to their Veza account:

  1. If Veza hasn't previously linked the Slack user ID to a Veza account, the notification includes a "Connect" button

  2. Clicking "Connect" redirects the user to Veza's standard login page

  3. The user logs in with their existing Veza credentials (local account or SSO, depending on your configuration)

  4. After successful authentication, Veza securely stores the binding between the Slack user ID and the Veza user account

  5. All subsequent notifications will include interactive buttons ("View", "Approve", "Deny") without requiring reconnection

Global IdP Not Required: The Slack integration uses the email address from the Veza user account, regardless of whether you have a Global IdP configured. However, if you do use a Global IdP, ensure the email addresses in your identity provider match those in Slack.

Known Limitations

  • No digest notifications: Currently, each notification is sent individually. Digest or summary notifications are not yet supported.

  • No customizable templates: Notification message templates are not customizable at this time. All users receive the same message format.

  • Email matching required: Users must have matching email addresses in both Veza and Slack for notifications to work.

Create the Veza Slack App

  1. Go to https://api.slack.com/apps and click Create New App

  2. Select "From an app manifest"

  3. Choose your workspace

  4. Replace {customer_cluster_url} with your Veza instance URL (e.g., https://yourcompany.veza.cloud)

  5. Paste this manifest, updating {customer_cluster_url} to match your environment:

    {
        "display_information": {
            "name": "Veza",
            "description": "Veza Slack Integration",
            "background_color": "#184ded"
        },
        "features": {
            "bot_user": {
                "display_name": "Veza",
                "always_online": false
            }
        },
        "oauth_config": {
            "scopes": {
                "bot": [
                    "chat:write",
                    "users.profile:read",
                    "users:read",
                    "users:read.email"
                ]
            }
        },
        "settings": {
            "interactivity": {
                "is_enabled": true,
                "request_url": "{customer_cluster_url}/slackapp/interactions"
            },
            "org_deploy_enabled": false,
            "socket_mode_enabled": false,
            "token_rotation_enabled": false
        }
    }

  6. Review and click Create

  7. Navigate to Install to Workspace and authorize the app

Gather Required Credentials

After installation, collect these values:

  1. Basic Information > App Credentials:

    • Client ID

    • Client Secret

    • Signing Secret

  2. OAuth & Permissions > OAuth Tokens:

    • Bot User OAuth Token (starts with xoxb-)

Configure in Veza

  1. Navigate to Integrations > Veza Actions

  2. Click Create Veza Action and select Slack App

  3. Provide the required information:

    • Name: Descriptive name for this integration (e.g., "Slack Direct Messages")

    • Client ID: From Slack app credentials

    • Client Secret: From Slack app credentials

    • Signing Secret: From Slack app credentials (used to verify webhook authenticity)

    • Token: Bot User OAuth Token (xoxb-...)

  4. Click Next and Run Test Connection

  5. Click Create to save the Slack App integration
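What the Signing Secret is for, as an added example that is not Veza's code: Slack signs each request it sends to an interactivity URL such as {veza_url}/slackapp/interactions, and the receiver recomputes the signature over the raw body. The header names and the `v0` scheme are Slack's documented ones; the secret, body, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5 * 60  # replay window Slack's documentation recommends


def slack_signature(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    """Value Slack sends in X-Slack-Signature: v0=HMAC-SHA256(secret, 'v0:ts:body')."""
    base = b"v0:" + timestamp.encode() + b":" + raw_body
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Return (accepted, reason). Verify the raw bytes before parsing the payload."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    received = headers.get("X-Slack-Signature", "")
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "missing or malformed timestamp"
    if not received:
        return False, "missing signature"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = slack_signature(signing_secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    secret = "constructed-signing-secret"  # constructed value, not a real secret
    body = b"payload=%7B%22type%22%3A%22block_actions%22%7D"  # constructed body
    ts = "1700000000"
    signed = {"X-Slack-Request-Timestamp": ts,
              "X-Slack-Signature": slack_signature(secret, ts, body)}
    return {
        "genuine": verify_slack_request(secret, signed, body, now=1700000030),
        "tampered": verify_slack_request(secret, signed, body + b"&x=1", now=1700000030),
        "replayed": verify_slack_request(secret, signed, body, now=1700003600),
        "unsigned": verify_slack_request(secret, {}, body, now=1700000030),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Because the interactions endpoint must be reachable from Slack's servers, this check is what separates a genuine Approve/Deny callback from a forged or replayed one.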

Using Slack App in Access Reviews

Configure Notification Settings

When creating or editing an Access Review:

  1. Go to Notification Settings

  2. Under Delivery options, select Slack App

  3. Choose your configured Slack app from the dropdown

  4. Select which events trigger notifications:

    • Review started

    • Review completed

    • Reviewer changed

    • Reminder notifications

    • Escalation notifications

You can enable both Email and Slack App delivery simultaneously. The same events can also trigger webhook notifications to channels.

What Users See

With the Veza Slackbot, users may periodically receive notifications about new reviews coordinated by your organization using the Veza platform. These reviews may require immediate participation. From these notification messages, users can open the Veza Access Hub to review and complete any assigned access reviews.

Access Review Notifications

Reviewers receive direct messages like:

The review *Quarterly Access Review Q4 2025* was started.

[View in Veza]

The View in Veza button opens the review directly in their browser.
