Shared responsibilities for custom Slack apps
In Isolated Cloud, Atlassian does not install a pre-built Slack app in your workspace. Instead, Atlassian provides you with a Slack App Manifest, which is a configuration file that describes the app's required settings and permissions. You can use this manifest to create a custom Slack app in your own Slack workspace, configure it, and then share the required secrets with Atlassian through Admin Hub so the integration can function.
Using a custom Slack app with Atlassian products in Isolated Cloud (IC) is a shared responsibility between you and Atlassian. This page explains the security responsibilities that Atlassian manages and what you're responsible for when you create and manage a custom Slack app in your own Slack workspace.
How it works
Atlassian generates a manifest. When you initiate Slack app setup in Admin Hub, Atlassian generates a Slack App Manifest containing the permissions (scopes) and configuration needed for the integration to work.
You create the app. You copy the manifest and use it to create a new Slack app in your Slack workspace at api.slack.com.
You share the secrets. After creating the app, Slack provides you with a set of credentials (Client ID, Client Secret, Signing Secret, and App-Level Token). You enter these into Admin Hub so Atlassian's services can process events from your app.
The integration is active. Once configured, your custom Slack app can send and receive events to and from your Atlassian products (for example, Jira or Confluence notifications, link previews, and slash commands).
For detailed, step-by-step instructions, see Integrating Slack Workspace with an Isolated Cloud Site.
Atlassian's responsibilities
Manifest generation and integrity
| What Atlassian does |
|---|
| Generate a Slack App Manifest with least-privilege scopes — only the permissions required for the integration to function. |
| Maintain the manifest template under change management controls. Updates to the template follow Atlassian's standard change review process. |
| Store a record of each generated manifest and map it to the associated Slack App Installation ID, supporting audit and drift detection. |
Secrets storage
| What Atlassian does |
|---|
| Encrypt your Slack app credentials (such as Client Secret and Signing Secret) at rest and in transit. |
| Ensure the secrets configuration form in Admin Hub is write-only. After you save your credentials, they are not displayed again in the Admin Hub UI. |
Isolation
| What Atlassian does |
|---|
| Run the backend services that process your Slack app's events and actions in infrastructure dedicated to your organisation. These services are not shared with other customers. |
| Store your Slack app credentials (Client Secret and Signing Secret) in a dedicated, per-customer secrets store that is isolated from all other customers' environments. |
Isolated Cloud Customer’s responsibilities
Slack app creation and ownership
| Your role |
|---|
| Create the custom Slack app in your own Slack workspace using the Atlassian-provided manifest. You are the owner of this app. |
| Manage the lifecycle of the app — including installation, updates, reinstallation, and decommissioning. |
Secrets management
| Your role |
|---|
| Securely share the app credentials (Client ID, Client Secret, and Signing Secret) with Atlassian through the Admin Hub UI after creating the app. |
| Rotate your Slack app secrets on a regular basis. Atlassian recommends annual rotation. After rotating secrets in Slack, update them in Admin Hub — otherwise, the integration will stop functioning. In case of a compromise of the secrets, rotate them immediately. |
| Safeguard your credentials. Do not copy, share, or persist secrets outside of Slack and Admin Hub. Treat them as sensitive credentials. |
Permissions and scopes
| Your role |
|---|
| Review the scopes included in the Atlassian-provided manifest before creating your Slack app. |
| Optionally remove scopes that are not needed for your organisation's use case. Be aware that removing scopes may reduce available functionality. |
| Do not add scopes beyond what the manifest specifies unless you understand the security implications. Adding overly broad permissions (such as admin-level scopes) increases the attack surface of your app. |
Access control
| Your role |
|---|
| Ensure that only authorised personnel (Slack workspace admins and Atlassian organisation admins) perform app creation and configuration. |
| Enforce multi-factor authentication (MFA) for admin accounts used to access Admin Hub and the Slack workspace admin panel. |
Monitoring
| Your role |
|---|
| Monitor your Slack workspace for unauthorised changes to the custom app, such as unexpected scope additions or anomalous bot behaviour. |
| Respond to incidents involving the custom app according to your organisation's incident response procedures. |
Shared responsibilities
| Area | Details |
|---|---|
| Manifest integrity | Atlassian provides a secure-by-default manifest that defines the app's scopes, event subscriptions, webhook URLs, OAuth redirect URLs, and slash command configurations. You are responsible for not modifying these values when creating your Slack app. Altering webhook endpoints, redirect URLs, or event subscriptions may route sensitive data to unintended destinations or break the integration entirely. |
| Feature updates | When Atlassian updates the manifest template to support new features or scopes, you may need to regenerate and reconfigure your Slack app to adopt the changes. |
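As an added example (not Atlassian's or Slack's own code), the following drift check compares the manifest you were given with the manifest currently attached to your app and reports the scope additions and rerouted URLs that the Manifest integrity and Monitoring rows above warn about. It assumes Slack's JSON manifest layout (oauth_config, settings, features) and uses constructed sample manifests with placeholder URLs.

```python
import copy

def _get(d, *path):
    """Walk nested dict keys; return None if any key is missing."""
    for key in path:
        d = d.get(key) if isinstance(d, dict) else None
    return d

def manifest_drift(expected, actual):
    """List where `actual` departs from the `expected` baseline manifest.
    Scope drift is reported per scope and URL drift per field, because a changed
    request or redirect URL can send Slack traffic to an unintended destination."""
    findings = []
    for kind in ("bot", "user"):
        want = set(_get(expected, "oauth_config", "scopes", kind) or [])
        have = set(_get(actual, "oauth_config", "scopes", kind) or [])
        findings += [f"added {kind} scope: {s}" for s in sorted(have - want)]
        findings += [f"removed {kind} scope: {s}" for s in sorted(want - have)]
    url_fields = {
        "oauth_config.redirect_urls": ("oauth_config", "redirect_urls"),
        "settings.event_subscriptions.request_url": ("settings", "event_subscriptions", "request_url"),
        "settings.interactivity.request_url": ("settings", "interactivity", "request_url"),
    }
    for label, path in url_fields.items():
        want, have = _get(expected, *path), _get(actual, *path)
        if want != have:
            findings.append(f"changed {label}: {want!r} -> {have!r}")
    cmds = {}  # command -> {"want": baseline url, "have": current url}
    for side, manifest in (("want", expected), ("have", actual)):
        for c in _get(manifest, "features", "slash_commands") or []:
            cmds.setdefault(c["command"], {})[side] = c.get("url")
    for cmd, urls in sorted(cmds.items()):
        if urls.get("want") != urls.get("have"):
            findings.append(f"changed slash command {cmd}: {urls.get('want')!r} -> {urls.get('have')!r}")
    return findings

# Constructed baseline standing in for the Atlassian-generated manifest (placeholder URLs).
BASELINE = {
    "oauth_config": {
        "redirect_urls": ["https://ic.example.invalid/slack/oauth"],
        "scopes": {"bot": ["chat:write", "links:read", "commands"]},
    },
    "settings": {"event_subscriptions": {"request_url": "https://ic.example.invalid/slack/events"}},
    "features": {"slash_commands": [{"command": "/jira", "url": "https://ic.example.invalid/slack/cmd"}]},
}
# Constructed drifted copy: an added admin-level scope and a rerouted event URL.
DRIFTED = copy.deepcopy(BASELINE)
DRIFTED["oauth_config"]["scopes"]["bot"].append("admin")
DRIFTED["settings"]["event_subscriptions"]["request_url"] = "https://other.example.invalid/events"
```

Run `manifest_drift(BASELINE, DRIFTED)` to see the two findings; in practice, export your app's current manifest from Slack and diff it against the copy Atlassian generated for you.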