jtalk22/slack-mcp-server

v3.0.0 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 3mo MCP SaaS Integrations
✓ No known CVEs patched

Topics

platform-commercial status-live

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Hosted /mcp endpoints now require authentication and CORS allowlisting by default.

Full changelog

v3.0.0 - Secure-Default Hosted HTTP, Local-First Paths Unchanged

v3.0.0 flips hosted /mcp from permissive to secure-default without breaking local workflows.

Post-release note (February 28, 2026): mobile/public demo surfaces were polished on main with no runtime contract changes.

npx -y @jtalk22/slack-mcp --setup
npx -y @jtalk22/slack-mcp@latest --version
npx -y @jtalk22/slack-mcp@latest --doctor
npx -y @jtalk22/slack-mcp@latest --status

Quick demo proof:

  • Share card: https://jtalk22.github.io/slack-mcp-server/public/share.html
  • 20-second mobile clip: https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-claude-mobile-20s.mp4

@jtalk22/slack-mcp@3.0.0 hardens hosted HTTP defaults while preserving local operator workflows (stdio, web).

Hosted-only breaking scope: existing hosted deployments must configure auth and CORS environment variables before upgrade.

What Changed

  • Hosted /mcp now requires Authorization: Bearer <SLACK_MCP_HTTP_AUTH_TOKEN> by default.
  • Hosted CORS now uses SLACK_MCP_HTTP_ALLOWED_ORIGINS allowlisting.
  • Structured auth/CORS errors are returned for missing token config, invalid bearer, and denied origin.
  • Web verification now checks demo media reachability to prevent stale or broken public assets.
  • Publish payload was reduced by curating packaged files while preserving runtime/docs compatibility paths.
  • Worker compatibility behavior keeps tool-facing contracts stable (channel_id|channel, user_id|user).

Why Major Version

Hosted HTTP defaults changed from permissive behavior to secure-by-default behavior. That change can affect existing hosted deployments, so the release is versioned as 3.0.0.

Breaking Scope (Hosted Only)

  • A hosted /mcp endpoint now requires SLACK_MCP_HTTP_AUTH_TOKEN and bearer headers.
  • Browser-origin traffic to hosted /mcp now requires SLACK_MCP_HTTP_ALLOWED_ORIGINS.
  • Local stdio and web paths are unchanged.

Who Needs to Act

  • If you run only local stdio or local web, no migration is required.
  • If you run hosted HTTP (node src/server-http.js), set auth and CORS env vars before upgrade.

60-Second Hosted Migration

export SLACK_TOKEN=xoxc-...
export SLACK_COOKIE=xoxd-...
export SLACK_MCP_HTTP_AUTH_TOKEN=change-this
export SLACK_MCP_HTTP_ALLOWED_ORIGINS=https://claude.ai
node src/server-http.js

Request example:

curl http://localhost:3000/mcp \
  -H "Authorization: Bearer $SLACK_MCP_HTTP_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0.0"}}}'

Emergency local fallback only:

SLACK_MCP_HTTP_INSECURE=1 node src/server-http.js
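
A pre-upgrade check for the hosted migration above, as an added example that is not part of the project: it validates the environment variables named in these notes before `node src/server-http.js` is started. The comma-separated origin list, the 32-character minimum and the https-only rule are assumptions or local policy, not documented project behaviour.

```shell
# Added example, not part of the slack-mcp-server project. Variable names are
# from the release notes; the comma separator for origins, the 32-character
# minimum and the https-only rule are assumptions / local policy.

check_token() {  # $1 = value intended for SLACK_MCP_HTTP_AUTH_TOKEN
  case "$1" in
    "")            echo "token: not set" >&2; return 1 ;;
    change-this)   echo "token: still the placeholder value" >&2; return 1 ;;
    xoxc-*|xoxd-*) echo "token: looks like a Slack credential; use a separate secret" >&2; return 1 ;;
    *" "*)         echo "token: contains a space" >&2; return 1 ;;
  esac
  if [ "${#1}" -lt 32 ]; then echo "token: shorter than 32 characters" >&2; return 1; fi
  return 0
}

check_origin() {  # $1 = one allowlist entry
  # A browser Origin header is scheme://host[:port] with no path or trailing
  # slash, so only entries of that exact shape can ever equal it.
  if printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?$'; then return 0; fi
  if printf '%s\n' "$1" | grep -Eq '^http://(localhost|127\.0\.0\.1)(:[0-9]+)?$'; then return 0; fi
  echo "origin '$1': not an exact https origin (wildcard, path, slash or space?)" >&2
  return 1
}

check_origins() (  # $1 = comma-separated list (assumed format); body runs in a subshell
  [ -n "$1" ] || { echo "origins: not set" >&2; exit 1; }
  set -f; IFS=,; rc=0   # no globbing, split on commas only
  for entry in $1; do check_origin "$entry" || rc=1; done
  exit "$rc"
)

preflight() {  # reads the real environment; returns 0 only if every check passes
  rc=0
  check_token "${SLACK_MCP_HTTP_AUTH_TOKEN:-}" || rc=1
  check_origins "${SLACK_MCP_HTTP_ALLOWED_ORIGINS:-}" || rc=1
  if [ "${SLACK_MCP_HTTP_INSECURE:-}" = "1" ]; then
    echo "SLACK_MCP_HTTP_INSECURE=1 is set: emergency local fallback, not for hosted use" >&2
    rc=1
  fi
  return "$rc"
}
```

Source the file and run `preflight` in the shell that will start the server; a value from `openssl rand -hex 32` satisfies the token check.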

Contract Stability

  • No MCP tool names were removed or renamed.
  • Diagnostics remain deterministic:
    • --doctor exits with 0|1|2|3
    • --status is read-only and non-mutating

Verify Install

npx -y @jtalk22/slack-mcp@latest --version
npx -y @jtalk22/slack-mcp@latest --doctor
npx -y @jtalk22/slack-mcp@latest --status

Support

  • Deployment intake: https://github.com/jtalk22/slack-mcp-server/issues/new?template=deployment-intake.md
  • Runtime troubleshooting: https://github.com/jtalk22/slack-mcp-server/blob/main/docs/TROUBLESHOOTING.md
  • Discussions: https://github.com/jtalk22/slack-mcp-server/discussions
  • Support ongoing maintenance: https://github.com/sponsors/jtalk22, https://ko-fi.com/jtalk22, https://buymeacoffee.com/jtalk22

Maintainer/operator: jtalk22 ([email protected])

Breaking Changes

  • Hosted `/mcp` now requires `SLACK_MCP_HTTP_AUTH_TOKEN` env var and bearer token in requests.
  • Hosted CORS is restricted to origins listed in `SLACK_MCP_HTTP_ALLOWED_ORIGINS`.

About jtalk22/slack-mcp-server

Your complete Slack context for Claude—DMs, channels, threads, search. No OAuth apps, no admin approval. `--setup` and done, 11 tools, auto-refresh.