How does a Slack bot receive messages?

Through the Events API. You subscribe to events like app_mention or message.im, and Slack sends an HTTP POST to your endpoint whenever one occurs. Your server verifies the request came from Slack, acknowledges within three seconds, then processes the event — calling the LLM and posting a reply — asynchronously so you never miss the deadline.

Why must I reply within 3 seconds?

Slack requires a 200 response to its event POST within three seconds or it retries and eventually disables the subscription. LLM calls take longer than that, so the pattern is to acknowledge immediately with an empty 200, then do the model call and post the reply in the background. Never make Slack wait on the model.

How do I give the bot conversation context?

When responding in a thread, fetch the thread's replies with conversations.replies and pass them to the model as prior messages. For a richer assistant, also pull the channel's recent history. The model only knows what you send it, so the quality of the reply tracks directly with how much relevant thread context you include in the prompt.

What is the difference between slash commands and the Events API?

A slash command (/ask) is an explicit, user-invoked request that Slack sends to a command URL and expects a reply to — good for on-demand actions. The Events API is passive: it notifies you of things happening (mentions, DMs) so the bot can react. Most AI bots use both — a slash command for direct queries and app_mention events for in-conversation replies.

How do I keep the bot secure?

Verify every incoming request's signature using your Slack signing secret before processing it — this proves the request genuinely came from Slack and not an attacker hitting your public URL. Keep your bot token and signing secret in environment variables, scope the bot's OAuth permissions to only what it needs, and never log message contents containing sensitive data.

How to Build an AI Slack Bot

Building an AI assistant inside Slack

A Slack bot that calls an LLM turns your team’s chat into an AI workspace — summarise a thread, answer a question with company context, draft a reply, all without leaving Slack. The mechanics are straightforward once you understand the two ways Slack talks to your server: slash commands for explicit requests and the Events API for reacting to mentions and DMs. This guide covers both plus the non-negotiable details — the 3-second acknowledgement and signature verification — and the builder below scaffolds the event handler.

How the bot works

There are three flows. A slash command like /ask sends an HTTP POST to your command URL; you acknowledge and reply, optionally with a deferred response for slow work. An app_mention event fires when someone @-mentions the bot in a channel; the Events API POSTs it to your endpoint. A message.im event fires on a direct message.

For every incoming request the sequence is the same and the order matters. First, verify the signature using your signing secret — confirm the request really came from Slack. Second, acknowledge within 3 seconds by returning an empty 200, because Slack retries and then disables your subscription if you are slow, and LLM calls are slower than that. Third, process asynchronously: fetch thread context with conversations.replies, build the prompt, call the model, and post the answer back with chat.postMessage using the thread_ts so the reply lands in the thread.

The model only knows what you send, so the quality of replies depends on how much relevant thread or channel history you include in the prompt.

Tips and pitfalls

The two mistakes that break Slack bots are skipping signature verification (leaving your public endpoint open to spoofed requests) and doing the LLM call before acknowledging (blowing the 3-second window). Always verify first, ack immediately, work in the background. Reply in-thread with thread_ts so conversations stay tidy. Keep the bot token and signing secret in environment variables, and scope OAuth permissions to the minimum the bot needs. Use the builder below to generate an event handler that follows this order correctly.