The Slack MCP Server Without An OAuth Token: Driving The Desktop App Instead Of The API

No. Slack's official MCP server, launched in 2026, is a hosted server at slack.dev that calls Slack's REST API on your behalf (search.messages, chat.postMessage, users.list, and so on). It needs an admin to approve the MCP integration in Workspace Settings and issues an OAuth token scoped to that approval. macos-use is the opposite approach: it is a local Swift binary that drives the macOS Slack desktop app through the Accessibility APIs. No token, no admin approval, no REST calls. It works for any workspace you are already signed into on your Mac, including Enterprise Grid and workspaces where the admin has not enabled the official MCP.

The hint is in the server's own instructions string, sent to the MCP client on every initialize handshake. Look at Sources/MCPServer/main.swift:1424. The exact line reads: `Example: to type into a Slack message box and send it, use ONE click_and_traverse call with element="Message to X", text="hello", pressKey="Return"`. That sentence is the only per-app example in the entire instructions field. Every MCP client (Claude Desktop, Cursor, VS Code, Cline) receives that text when it connects. The model reads it and chains click + type + Return into a single JSON-RPC call instead of three separate ones.

That is the literal accessibility label Slack's desktop app attaches to the compose input in a channel or DM. Slack renders it as "Message to #general" for channels and "Message to Alice" for DMs. macos-use's element matcher finds elements whose AX text or AX description contains that substring, reads their x/y/w/h from the accessibility tree, and auto-centers the click at (x+w/2, y+h/2) per main.swift:1574. The model never needs to estimate coordinates from a screenshot, which is explicitly forbidden by the instructions at main.swift:1429.

Exactly one callTool request. The method name is macos-use_click_and_traverse. The arguments are { pid: <Slack pid>, element: "Message to general", text: "standup in 5", pressKey: "Return" }. The server gets the Slack PID once via NSWorkspace.shared.runningApplications (or a prior open_application_and_traverse call). The composed click → type → press is executed in order on the main run loop at main.swift:1709-1741, with a 100ms sleep between steps and an InputGuard throwIfCancelled check at every boundary. One round trip, three OS-level effects.

No. This is the point of the page. The macOS Accessibility framework lets any app with the Accessibility permission read and synthesize events against any other app on the machine. Slack's AXUIElement tree is exposed to the OS the same way Safari's or Mail's is. There is no HTTP, no OAuth, no scopes, no rate limits. If you can click in Slack on your laptop, macos-use can click in Slack on your laptop. The downside: this only works on the one Mac where the MCP client runs, and only while Slack is open and signed in there.

Three things. First, the element parameter is a substring match against the accessibility tree of the target PID, so the model has to name the channel: `element: "Message to #standups"` targets that channel, not whatever is open. Second, every disruptive tool call engages InputGuard.swift, which shows a full-screen overlay with a pulsing orange dot and a "press Esc to cancel" hint for the duration. Third, plain Esc (keycode 53, no modifiers) is hard-wired as a cancel key at InputGuard.swift:345, cancels anywhere on the OS, and writes /tmp/macos-use/esc_pressed.txt as a ground-truth marker. You can always verify the cancel landed.

A compact text summary (built at main.swift:731) plus a pair of files on disk under /tmp/macos-use/. The .txt file is the flat accessibility tree of Slack after the Return was pressed; each line is `[AXRole] "text" x:N y:N w:W h:H visible`. The .png file is a screenshot of the Slack window, produced by a sibling binary called screenshot-helper so that ReplayKit's persistent ~19% CPU cost dies with the subprocess (Sources/MCPServer/main.swift:435-510). The client uses grep on the .txt to confirm the message now appears in the channel and optionally reads the .png to eyeball the result.

macOS runs each signed-in Slack workspace as a separate window inside one Slack.app process, not as separate processes. macos-use's window matcher at main.swift:393-425 gets every on-screen window owned by the Slack PID, filters to layer 0, and if a traversalWindowBounds was captured (typically from an open_application_and_traverse call that activated the intended workspace), scores each candidate by intersection overlap and picks the highest-scoring window. Practically, the way to disambiguate is to open the target workspace first with Cmd-Option-1/2/3, then call open_application_and_traverse, then send the message. Overlap scoring does the rest.

Only what is visible in the Slack UI. macos-use does not call search.messages. To read past messages, the model scrolls the message list (macos-use_scroll_and_traverse), reads the resulting accessibility tree from /tmp/macos-use/<timestamp>_scroll.txt, and greps for the phrase. This is fast for recent history but becomes slower than the REST API for deep search. For a cross-workspace full-history index, use Slack's official MCP. For single-workspace interactive use where you do not have or want an API token, the desktop approach is more than enough.

Yes. Both. macos-use sees Slack.app as a normal macOS accessibility tree. There is no HTTP path that an admin could block. The Enterprise Grid workspace picker, the per-org DM lists, the connected-workspace channels all render through the same AXUIElement hierarchy the OS exposes for any signed-in workspace. The official MCP at docs.slack.dev/ai/slack-mcp-server explicitly requires admin enablement per workspace; macos-use inherits whatever permissions the human user already has in Slack.

Call macos-use_open_application_and_traverse with bundleId com.tinyspeck.slackmacgap (or name "Slack") first. The server activates the app, waits 500ms for it to become frontmost, captures the initial accessibility tree and screenshot, and returns the PID you will use for the following click_and_traverse. If the app is already running, the open call just activates it and re-reads the tree; it is idempotent. After the open, the model has a PID and a baseline, and the next call can do the compose-and-send chain in one request.

Use the `text` parameter for the body, then pressKey. The type path at main.swift posts CGEvent keystrokes with .hidSystemState so InputGuard lets them through (main.swift:1709-1733). Newlines inside `text` are typed as raw newline keystrokes, which Slack interprets as Shift-Enter because Slack's compose field is in rich-text mode and Return is the send key. If you want a truly multi-line draft, pass the body with embedded \n characters and pressKey="Return" at the end. The composed path waits 100ms between actions so Slack's React input has time to reconcile.

Two things specifically. First, the Slack example literally lives in the server's MCP instructions string at main.swift:1424, so every MCP client that connects is told about Slack by name. Second, the combined click + type + pressKey contract at main.swift:1709-1741 means a Slack send is one JSON-RPC round trip, not three. A naive wrapper would expose separate click, type, and keypress tools and leave the orchestration to the model; macos-use teaches the model to chain them, then enforces the chain on the server side with per-step InputGuard checks and a shared pid_t traversal context.