Kloudless Blog

Kloudless Unified APIs enable you to code once and integrate many

Kloudless supports the Slack Discovery API as part of our Unified APIs for DLP, CASB, and e-Discovery use cases, enabling developers to integrate several software apps by writing code just once. Learn more here.

Slack includes multiple APIs to access different types of content within various editions of Slack. For example, in addition to the general workspace-based Web API, Slack also has a separate set of Discovery and Audit APIs to work with Slack Enterprise. In this article, we’ll explore some of the differences in the capabilities of these two APIs.

Apps connecting to Slack’s Discovery API encounter some key differences from the Web API. The clearest one is the scope of accessible resources. A workspace app uses an access token to access resources such as channels, messages, files, and users in a single workspace. If that user or bot connects to multiple workspaces, the app requires a separate access token to access data in each of those workspaces.

On the other hand, a Slack Enterprise app can access all resources in multiple workspaces within that Enterprise account using a single access token, as well as resources shared among those workspaces. Slack achieves this with an extra layer above workspaces called “Enterprise Grid“, that the workspaces are grouped within. Resources such as channels can be shared across workspaces in the grid.

The permissions available vary between the two types of apps. Workspace apps can request a wide range of granular permissions, which can be combined to achieve an app’s desired level of access. For example, the scopes users:read, users:read.email, channels:read, and more. An Enterprise app only has two permission levels available–discovery:read, and discovery:write. Slack’s Discovery API guide suggests requesting only discovery:read for eDiscovery use cases, while including discovery:write if the app requires DLP functionality.

The Discovery API’s methods are similar to the Web API’s, but include a subset of the available actions, with a broader range of access. Below is a table that highlights these differences.

Discovery APIWeb API
List channels
Get a single channel metadataX
Create channelX
Update channel metadataX
Delete channelX
List messages in a channel
Create messageX
Update message
Delete message
List files
List files shared to a channelX
Get a single file metadata
Upload fileX
Delete file (permanent)
Tombstone file (soft delete)X
Restore tombstone fileX
List users
Get a single user metadata
Get enterprise/workspace metadataX

Above, “channels” refers to all channel-like object types, including public channels, private channels, direct messages, and multi-party direct messages.

The comparison above demonstrates that the Discovery API aims to provide sufficient access to scan and retrieve all message and file content in the Enterprise Grid account, and remove them if needed to remediate any threats or policy violations. However, it doesn’t provide access to create new channels, messages or files.

The Kloudless API

The Kloudless unified APIs enable access to both regular and Enterprise Grid accounts via the Chat API, and full audit monitoring via the Events API. Kloudless enables developers to quickly integrate multiple cloud services with a single integration.

Categories:

Share this article:

Let’s get started. Start building for free today.