2026 OpenClaw on Slack for Linux Cloud VPS: Bot Tokens, Event Subscriptions, Callback URL to Gateway — Reproducible Setup and Tiered 403/Replay Troubleshooting FAQ

Slack’s Event Subscriptions want a stable HTTPS endpoint, verifiable signatures, and fast JSON responses. When OpenClaw’s Gateway sits on a small Linux VPS, most incidents are not “Slack is down” — they are TLS front doors, path mismatches between the Slack app config and the reverse proxy, or auth layers that return 403 before Slack’s signing secret is even consulted. Start from a reproducible layout (install, bind addresses, TLS) using OpenClaw Linux cloud VPS: curl vs Docker, checks, FAQ, then align tokens and callback URLs the same way you would for other chat surfaces in OpenClaw Telegram and Discord dual-channel setup so pairing and allowlists stay boring.

What Slack expects on the wire

Create or reuse a Slack app, enable Event Subscriptions, and paste a Request URL that hits your VPS hostname on 443. Slack first sends url_verification; your stack must return the challenge JSON within a few seconds without buffering the whole body twice. After verification, Slack delivers envelopes with X-Slack-Signature and X-Slack-Request-Timestamp. The signing secret belongs in a SecretRef or locked-down file readable only by the Gateway user — never in Git, never in a world-readable /etc drop-in. Bot tokens (xoxb-) power Web API calls such as posting replies; scope them tightly to the channels and methods you actually use so a leaked token cannot wander across the whole workspace.

Callback URL → TLS edge → loopback Gateway

Run the Gateway bound to 127.0.0.1 on the port your OpenClaw config documents, terminate TLS at Nginx or Caddy, and forward both ordinary POST bodies and WebSocket upgrades if your control surface needs them. The public path in Slack (for example /slack/events) must match the location block that terminates TLS — a trailing slash mismatch or double prefix (/openclaw/slack/slack/events) is enough for Slack to see 403 from the proxy while curl against loopback still looks “green”. Log the upstream status separately from the Gateway process so you can tell whether the edge returned before the Node worker ran.

curl -sS -D- \
  -H 'Content-Type: application/json' \
  -d '{"type":"url_verification","challenge":"ping"}' \
  https://claw.example.com/slack/events

Slash commands, shortcuts, and interactivity URLs

Event Subscriptions are only one ingress. Slash commands, message shortcuts, and Block Kit interactivity each declare their own Request URL in the Slack app settings, and each must reach the same TLS edge with the same path discipline. If you route events to OpenClaw but leave interactivity pointing at an old tunnel hostname, operators see “buttons do nothing” while DMs still flow — split-brain configs are a common post-migration footgun. Keep every callback on the same certificate and logging pipeline so 403 hunts reuse one journal query.

Reproducible setup checklist (Linux VPS)

Provision Ubuntu LTS or Debian 12, install OpenClaw with the same package channel your team pins in production, and run onboarding once from a UTF-8 shell with a dedicated UNIX user. Open 22/tcp only from admin IPs, 80/443 from the world for ACME and Slack callbacks, and keep the Gateway port off 0.0.0.0/0. After openclaw gateway status shows the loopback listener, issue certificates, reload the proxy, and only then flip Slack’s Event Subscriptions toggle on. Snapshot ~/.openclaw and the workspace before changing signing secrets so rollback is “restore tarball, reload unit”, not archaeology.

Tiered 403, replay, and duplicate delivery FAQ

When debugging, walk down the stack in order — each tier has different fingerprints in access logs and application logs.

Slack may retry event delivery; design handlers to be idempotent on event_id (or dedupe keys you derive deterministically). If you echo success before side effects finish, a retry can double-charge an external API — if you finish work first but exceed Slack’s HTTP timeout, Slack will also retry. Keep ACKs fast, push heavy work to a queue, and log the X-Slack-Retry-Num header when present so operators can separate first delivery from replays.

After any secret rotation, restart the Gateway through your unit file, confirm the process inherited the new environment, and re-send a test event from the Slack developer UI. If verification passes but live messages stall, re-check OAuth scopes and channel membership — Event Subscriptions fire only for workspaces where the bot is actually present with the right granular scopes.