SIGN · 3 of 10

Promoting @opsbot to owner requires a human signature.

A bot account is being elevated to workspace owner. The Slack API would accept the token without question. Manav adds a control, even though the platform doesn't natively require it, that demands a fresh human approval for admin-level role changes.

Privacy posture for this scene

The platform's auth is fine. The action's authority is what we sign.

We don't touch Slack's auth model. We add a receipt for the role change.
The receipt names which human authorized the elevation, scoped to this workspace.
If @opsbot is later compromised, the receipt is the audit evidence of who consented.

Admin promotion · pending

Workspace: acme-ai-labs.slack.com

@opsbot

Promote @opsbot to Workspace Owner

@opsbot is a service account. Promoting it to Workspace Owner grants the ability to delete the workspace, export all messages, and revoke any user. Slack's API would accept this with a bot token.

Current roleMember

Requested roleWorkspace Owner

Requested byapi token · automation

Manav policyrequire_human_signature_for: admin_promote

✓ @opsbot promoted to Workspace Owner

Receipt: mnav_proof_slack_4f2 · authorized by Asha Raman · scope: this workspace only · expires never

If @opsbot is later compromised and abuses owner privileges, the audit trail names the authorizing human and the exact moment of authorization. This is the evidence a post-incident review needs.

Want to ship this in your own app?

Three lines of JavaScript. Demo key mnav_test_demo works on localhost.

Get the SDK →

← Contract signature Step-up signing →