Slack MCP via browser session tokens (xoxc/xoxd) unreliable on Enterprise Grid — request first-class OAuth-based Slack MCP

Resolved 💬 1 comment Opened May 18, 2026 by fobaidullah Closed Jun 9, 2026

Summary

The community-recommended path for Slack access from Claude Code — korotovsky/slack-mcp-server with xoxc/xoxd browser session tokens — breaks frequently on Slack Enterprise Grid workspaces and is no longer recoverable via on-disk extraction. Requesting a first-class Slack MCP with proper OAuth or device-flow authentication.

Environment

  • Claude Code (CLI), macOS (Darwin 24.6.0)
  • Slack Enterprise Grid workspace (mozilla.enterprise.slack.com)
  • Firefox as the logged-in Slack browser

What happens

  1. The xoxc token (workspace-scoped) and d cookie (xoxd-...) rotate frequently — sometimes within hours.
  2. When they rotate, the MCP server returns invalid_auth on every call.
  3. The documented "extract from Firefox localStorage" workaround no longer works: as of 2026-01 onward, localConfig_v2 in app.slack.com localStorage shows "teams":{} even for a fully signed-in session, with workspace info shuffled into prevTeams and no xoxc token persisted anywhere on disk (verified across ls/data.sqlite, idb/reduxPersistence snappy blob, and all related slack.com origins).
  4. The only remaining extraction path is manually copying xoxc from DevTools → Network tab on every rotation, which is not a viable workflow.

Impact

  • Enterprise Grid users cannot reliably use Slack from Claude Code without IT-approved OAuth app installs (often blocked by workspace policy).
  • Every token rotation requires the user to open DevTools, find a client.boot/api/users request, copy the token form field, paste it back, and restart Claude Code. This is not sustainable.

Asks

  1. First-class Slack MCP maintained by Anthropic (or formally recommended/blessed), using OAuth or device-flow auth that survives token rotation.
  2. If that's not feasible short-term: documented guidance for Enterprise Grid users acknowledging that the xoxc/xoxd path is fragile, and the supported alternatives.
  3. Agent behavior: the assistant retried the broken extraction path multiple times based on stale instructions in its memory before recognizing it as a dead end. A bail-out heuristic ("if extraction fails twice with the same symptom, stop and escalate") would have saved real user time.

Repro

N/A — environmental. Happy to share extraction-attempt logs if useful.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗