Edit on GitHub

Authenticate with Mattermost

An app declares in its Manifest the Locations that it will be binding to, and Permissions it will require to operate. These are consented to by the System Admin when installing Mattermost apps interactively, in Mattermost.

Each app when installed into Mattermost gets an OAuth2 Client ID and a secret (not yet used), and a bot user account with a personal access token. Each call may receive a combination of bot_access_token, acting_user_access_token, and admin_access_token as applicable.

Each call request sent to the app includes Mattermost site URL, and optionally one or more access tokens the app can use. The app then authenticates its requests to Mattermost by providing one of the tokens, usually bot access token or OAuth2 token.

What tokens the app gets, and what access the app may have with them depends on the combination of App granted permissions, the tokens requested in call.Expand, and their respective access rights.

If the app was granted act_as_bot permission each call request it receives contains a bot_access_token in the request context.

Additionaly, if the app was granted act_as_user permission, and the call’s expand contained acting_user_access_token=all, the call receives acting_user_access_token in the request context. Otherwise, acting_user_access_token is empty.

Similarly, if the app was granted act_as_admin permission, the acting user is a System Admin, and the call’s expand contained admin_access_token=all, the call receives admin_access_token in the request context. Otherwise, admin_access_token is empty.

See here to learn more about the available permissions