An app declares in its
Locations that it will be binding to,
Permissions it will require to operate. These are consented to by the
System Admin when installing Mattermost apps interactively, in
Each app when installed into Mattermost gets an OAuth2 Client ID and a secret
(not yet used), and a bot user account with a personal access token. Each call
may receive a combination of
admin_access_token as applicable.
Each call request sent to the app includes the Mattermost site URL and, optionally, one or more access tokens the app can use. The app then authenticates its requests to Mattermost by providing one of the tokens, usually the bot access token or the OAuth2 token.
Which tokens the app gets, and what access it has with them, depend on the combination of the permissions granted to the app, the tokens requested in call.Expand, and their respective access rights.
If the app was granted
act_as_bot permission each call request it receives
bot_access_token in the request
Additionally, if the app was granted
act_as_user permission, and the call’s
acting_user_access_token=all, the call receives
acting_user_access_token in the request
acting_user_access_token is empty.
Similarly, if the app was granted
act_as_admin permission, the acting user is
a System Admin, and the call’s
admin_access_token=all, the call receives
admin_access_token in the request
admin_access_token is empty.
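The gating rules above, modeled as an added Go example (not Mattermost's own code) that can be used to reason about which tokens a given call should carry. The Grants, CallInfo, Issued and TokensFor names are hypothetical, and the model covers only the permission, Expand and System Admin conditions stated on this page.

```go
package main

import "fmt"

// Grants models the permissions the System Admin consented to at install time.
type Grants struct {
	ActAsBot, ActAsUser, ActAsAdmin bool
}

// CallInfo is a hypothetical summary of one call request.
type CallInfo struct {
	Expand            map[string]string // e.g. {"acting_user_access_token": "all"}
	ActingUserIsAdmin bool              // the acting user is a System Admin
}

// Issued reports which token fields would be non-empty in the request.
type Issued struct {
	Bot, ActingUser, Admin bool
}

// TokensFor applies the rules: a token is issued only when the matching
// permission was granted AND (for user/admin tokens) the call asked for it
// with Expand=all. The admin token also requires a System Admin acting user.
func TokensFor(g Grants, c CallInfo) Issued {
	return Issued{
		Bot:        g.ActAsBot,
		ActingUser: g.ActAsUser && c.Expand["acting_user_access_token"] == "all",
		Admin: g.ActAsAdmin && c.ActingUserIsAdmin &&
			c.Expand["admin_access_token"] == "all",
	}
}

func main() {
	// Constructed sample: the app was never granted act_as_admin, so asking
	// for admin_access_token in Expand must not yield an admin token.
	g := Grants{ActAsBot: true, ActAsUser: true}
	c := CallInfo{
		Expand: map[string]string{
			"acting_user_access_token": "all",
			"admin_access_token":       "all",
		},
		ActingUserIsAdmin: true,
	}
	fmt.Printf("%+v\n", TokensFor(g, c))
}
```
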
See here to learn more about the available permissions