Resource access grants using JWT

The only access you'll need to manage when using SlackKit are grants for your users to interact with their Tenants and Objects in Knock. This is necessary because the user in this context is an end user in your application who does not have access to Knock as a member of the account. Therefore, these grants provide them elevated privileges to operate on specific resources using the API.

We've made it easy for you to tell Knock which resources your users should have access to by making it a part of their user token. In this section you'll learn how to generate these grants using the Node SDK and, if you're not using the SDK, how to structure them for other languages.


With the Node SDK

You'll need to generate a token for your user that includes access to the tenant storing the Slack access token as well as any recipient objects storing Slack channel data described in SlackKit .


  • Tenant ID: jurassic-park
  • Recipient object collection: videos
  • Recipient object ID: dinosaurs-loose

Using the above example, you can quickly generate a token with the Node SDK.

You'll need to pass this token along with the public API key to the KnockProvider that wraps KnockSlackProvider and the rest of your components. We recommend storing the generated user token in local storage so that your client application has easy access to it.

Other languages

If you're not using the Node SDK, you can still generate a user token using a JWT signing library in your preferred language. Here's an example of using Joken for the Elixir library. You'll include the key grants in the claims section of the payload and put your resource grants in there. We'll go into detail about how they work below, but if you want to skip that and just get started, here's what that will look like in a given JWT payload for the example above:

Continue reading for a deeper dive on access and how these grants are structured.

Grants in the user token

You may already be familiar with generating a user token to be used with your public API key when making client side calls if you've used authentication with enhanced security. You'll use the same process to generate the user token as described here, but you'll also be sending a list of grants to the the user needs to work with SlackKit.

The two resources you'll be granting access to are:

  • The tenant: the user needs access to this because this is where Knock stores the access token to Slack that will be used when communicating with the Slack API
  • The recipient object: the user needs access to this because this is where Knock is storing the connected Slack channels as channel data on the object

These resources need different permissions. Here are the permissions needed for each:

  • Tenant: reading slack channels
  • Recipient Object: reading channel data; writing channel data

How the grants are structured

Resource access grants in Knock are structured according to the UCAN spec. They consist of an array of maps, with each map representing a resource.

How to read a resource grant:

So to grant access for a user to read the channel data of object dinosaurs-loose in the videos collection, your grant would look like this:

Availability of resource access grants

Currently these grants are only implemented for use by SlackKit as described in this doc, and since exceptions are not used for these they will not be respected.