How to test a Slack bot with your Vercel preview deployment

When you deploy a Slack bot on Vercel, it needs to interact with Slack's webhook verification system. When you enable deployment protection, Slack cannot verify your webhook URL. This guide shows you how to bypass deployment protection so you can test your bot on preview deployments.

• A Vercel account with a deployed project
• A Slack workspace where you can create apps
• Deployment protection enabled on your Vercel project

1. Go to api.slack.com/apps and create a new app
2. Choose "From scratch" and give your app a name
3. Select your development workspace

Use the Slack Agent Template to get started quickly:

1. Clone the template repository
2. Deploy it to Vercel
3. Note your deployment URL

When you enable deployment protection, Vercel generates a secret you can use to bypass it:

1. Go to your project in the Vercel dashboard
2. Navigate to Settings > Deployment Protection
3. Under "Protection Bypass for Automation", copy the secret

This secret is also available as the VERCEL_AUTOMATION_BYPASS_SECRET environment variable in your deployment.

This is the key step. Add the bypass secret as a query parameter to your webhook URL:

https://your-app.vercel.app/api/slack?x-vercel-protection-bypass=YOUR_SECRET

In your Slack app settings:

1. Go to Event Subscriptions
2. Enable events
3. Enter your Request URL with the bypass parameter included
4. Slack will verify the URL successfully

Slack's URL verification sends a challenge request to your endpoint. Without the bypass secret, Vercel's deployment protection blocks this request. By adding x-vercel-protection-bypass as a query parameter, Vercel allows the request through. Slack includes this parameter in all subsequent webhook calls, so your bot works seamlessly.

If you have control over the HTTP headers, you can also bypass protection by setting the x-vercel-protection-bypass header. The query parameter approach works with services like Slack that do not allow custom headers.

Including the bypass secret as a query parameter introduces security risks you should be aware of:

What gets exposed:

• The secret is visible in the Slack app configuration UI to anyone with access
• Query parameters appear in server logs, proxy logs, and monitoring tools
• If screenshots of your Slack configuration are shared, the secret is visible

Why this approach is necessary: Slack's Event Subscriptions do not support custom headers, so the query parameter approach is the only way to bypass deployment protection for webhook verification.

1. Rotate regularly - The bypass secret is rotatable. Generate a new secret in your project settings regularly if you will be using the slack bot with preview deployments for an extended period
2. Limit access to Slack configuration - Restrict who can view and edit your Slack app configuration to minimize exposure.
3. Use proper authentication in your app - The bypass secret only bypasses deployment protection. Always implement proper authentication in your Slack bot code using Slack's signing secret verification.

The bypass secret only allows requests to reach your preview deployment - it does not provide access to your application logic, database, or other resources. Your Slack bot should still verify that requests come from Slack using the signing secret.

For local development, use vercel dev --tunnel to expose your local server to Slack. This creates a public URL that Slack can reach. The Chat SDK implements middleware for switching between local and preview deployments.

• Slack Agent Template
• Protection Bypass for Automation docs