What the Slack Discovery API is, who can access it, what it does, and how security and compliance teams use it for real-time DLP, e-discovery, legal hold, and audit-ready evidence on Slack Enterprise Grid.
The Slack Discovery API is the gold-standard interface for DLP, security, and content governance on Slack Enterprise Grid. It streams every message, file, edit, and reaction across every workspace, channel, DM, and Slack Connect conversation — and lets approved partners take remediation actions like redaction, tombstoning, and deletion. Strac is an officially listed Slack Marketplace app that uses the Discovery API to deliver real-time data loss prevention, historical content scans, and audit-ready DLP evidence across every Slack surface.
The Slack Discovery API is a Slack-provided HTTP API for approved partners that perform e-discovery, data loss prevention, compliance archiving, and information governance for organizations on the Slack Enterprise Grid plan.
Unlike standard Slack Web API tokens — which are scoped to a single workspace and rely on user OAuth grants — the Discovery API operates at the Org level. A single Discovery integration sees every message, file, channel, DM, group DM, and Slack Connect conversation across every workspace in the Enterprise Grid, without requiring any per-workspace install.
It is built for two distinct use cases:
Both use cases share the same plumbing — a real-time event stream, content retrieval endpoints, and a small set of mutation endpoints (tombstone, edit, delete) that let approved partners take remediation action.
Access is restricted in two ways:
In practice this means there is a short list of approved Discovery partners — primarily DLP vendors, e-discovery archives, and compliance archiving products. Strac DLP Enterprise is one of them, and is listed on the Slack Marketplace alongside other vetted partners.
This gating is intentional. The Discovery scope is one of the most powerful in Slack's permission model — an approved app sees content in private channels, DMs, and Slack Connect rooms that no individual user could ever see in a single workspace. Slack runs the apps through security review, vulnerability disclosure requirements, and a documented data-handling audit before approving the scope.
The Discovery API is organized around three primitives:
.webp)
discovery.enterprise.info and the events feedA long-lived stream of every event in the org:
message_created, message_edited, message_deleted, message_reaction_addedfile_uploaded, file_shared, file_deleted, file_unsharedchannel_created, channel_archived, channel_renamed, channel_membership_changeduser_added_to_workspace, user_left_workspace, user_role_changedEach event carries a tenancy stamp (which workspace, which channel) plus enough identifiers to retrieve the full content body via the content endpoints.
discovery.chats.info, discovery.files.info, discovery.channels.infoLookup endpoints for the full body of a message, the binary of a file, or the metadata of a channel. Used both in real-time (when an event fires, fetch the message body to scan it) and historically (to backfill old conversations into an archive or to retroactively apply a new DLP policy).
discovery.chats.tombstone, discovery.chats.edit, discovery.chats.deleteThis is what differentiates Discovery from a passive archive. Approved partners can:
This is the difference between a tool that watches and a tool that protects.
Most Slack apps you see on the Marketplace use the standard Web API (chat.postMessage, conversations.history, etc.) with user or bot OAuth scopes. Those apps work fine for productivity use cases but break down for DLP and e-discovery for three reasons:
If you've evaluated a Slack DLP tool that only supports Pro or Business+ plans, it is almost certainly built on the standard Web API. That approach cannot give you Enterprise Grid-wide visibility or org-wide remediation.
Some security engineering teams ask whether they should build their own DLP on top of the Discovery API rather than buy a vendor. The trade-off is steeper than it looks.
What "build" actually requires:
In practice, most teams that start a build pivot to buy after the second quarter, because the detection layer is the hard part — not the API plumbing.
Strac DLP Enterprise is an officially listed Slack Marketplace app that uses the Discovery API to deliver:
Every message and file event from Discovery is run through Strac's detection layer in milliseconds:
When a violation is detected, Strac takes action:
Roll out a new policy ("no PCI data in Slack") and Strac uses Discovery's content endpoints to replay the message archive and apply the new policy to historical content — without disrupting live conversations.
When legal teams need to preserve and export content for litigation or regulatory request, Strac uses Discovery to lock the targeted content from deletion and produce defensible exports in the format the auditor or court needs.
Strac generates its own tamper-evident DLP event log — every detection, every remediation action, every policy decision — mapped to SOC 2 (CC6.x), HIPAA (Security Rule), PCI DSS (Req 10), ISO 27001 (A.12.4), GDPR (Art. 32), and NIST AI RMF. Auditors get a timestamped record of every sensitive-data event Strac handled in Slack, without screenshots or spreadsheet exports.
Slack is one of 50+ data sources Strac protects. The same detection engine, vault, and evidence pack also cover Google Workspace, Microsoft 365, Salesforce, Zendesk, SharePoint, OneDrive, Notion, Jira, Intercom, GitHub, AWS S3, Azure, GCP, and every major SaaS in the enterprise stack. See the full integration catalog.
The API documentation is public on api.slack.com, but the scope is gated. To call the Discovery endpoints in production, your app needs to be approved by Slack for the discovery:read and discovery:write scopes, and the customer's Org Owner has to install the app with explicit grant on Enterprise Grid.
The Discovery API itself is Enterprise Grid only — that's a Slack constraint, not a Strac constraint. Strac DLP also works on Free, Pro, and Business+ plans via Slack's standard Web API and event subscriptions; you get most of the detection and remediation, with some Enterprise-Grid-only features (org-wide install, all-channels coverage including DMs you're not a member of) unavailable until you upgrade.
Only the parts your policy requires. By default, Strac stores violation events (the message ID, the detected pattern type, the redacted version) plus what's needed for audit evidence. Original message content is not retained unless your policy explicitly opts in (for example, for legal hold). All storage is AES-256 at rest, TLS 1.2+ in transit, hosted in AWS, and isolated per tenant.
Yes. Strac supports legal hold, defensible export, and chain-of-custody documentation for litigation and regulatory inquiries. The same Discovery API that powers Strac's real-time DLP also powers e-discovery exports.
OAuth-based install in under 10 minutes. No proxy, no TLS interception, no certificate deployment. The Strac team handles the Slack Org Owner install conversation if you need an introduction.
Yes. Strac DLP Enterprise is officially listed on the Slack Marketplace, which means the app has passed Slack's security review, scope justification, and vulnerability disclosure requirements.
Strac's pricing depends on three things: the surfaces you protect (Slack only vs. Slack + Google Workspace + others), the integrations you connect (see the full integration list), and your employee headcount band. The fastest way to get a quote is to book a 30-minute call — we send a written quote within 24 hours.
Yes. A 30-minute live demo on your own Slack workspace is the fastest way to see Strac in action. Book a demo.
.avif){kind=icon}
.gif)
