As a Workplace system administrator, you can control the capabilities offered to each integration by creating apps and granting them specific permissions. Each app can be named to reflect the service it enables. Apps come with unique access tokens and permissions to control what information is allowed to be read or written by that app.

This guide describes the app and permission model in more detail.

The permission controls when editing a custom integration app

Available Permissions

Each Workplace app can be granted its own set of permissions to control the level of functionality available to it on the Graph API and Account Management API.

When you create an app and grant permissions, those permissions are applied to every account in your community. Account holders don't need to grant additional permissions to the app in order to benefit from its functionality. This differs from the permission model on Facebook, where each user individually grants permissions to an app when logging in.

Below is a full list of the app permissions available to integrations, along with an overview of how they can be used.


Read group content

Read posts and comments in selected groups.


Use this permission when building an integration that fetches all content from selected groups.

If your integration will act as a bot in a group, use the Mention bot permission instead.

Manage group content

Manage posts and comments in selected groups.


Use this permission when building an integration that posts content to groups, such as a weekly report from an internal service, or a service status notification bot.

Read user timeline

See posts made by group members on their timeline


Use this permission when building an integration that:

  • Fetches all content from a group member's timeline
  • Subscribes to changes on the status field in the user's profile

Manage user timeline

Post and comment on any group member's timeline


Use this permission to enable an integration to create or edit a post on a group member's timeline.

Mention bot

Where mentioned in a post, see the post and reply to comments.


Use this permission for building bots in Workplace Groups.

Manage groups

Create, edit or remove selected groups and their members.


Use this permission when building an integration that auto-generates groups and populates group members based on org chart structure or project groups.

If an integration with this permission is scoped to specific groups, it won't be allowed to create new groups.

Manage accounts

Provision, update or deactivate accounts via the Account Management API.


Use this permission for any integration with an account provisioning service, such as identity providers, the Active Directory Sync Tool or a custom Account Management API client.

When you enable this permission, you'll have the option to enable the "Automatically invite people to Workplace as soon as they're added using this integration" permission.

Manage badges

Award badges to people in a Workplace community.


Use this permission to enable an integration to:

  • Award badges to a member
  • Get the list of badges awarded to a member
  • Get the list of available badges

Read user email

See any group member's email address.


This permission allows you to fetch the email account associated with a Workplace user's account.

Read work profile

Read-only access to people's directory information.


Allows an app to fetch people's department, division, organization, primary_address, primary_phone, title, and gender.

Read org chart

Read-only access to people's managers and subordinates.


Allows an app to fetch people's manager(s) and subordinate(s).

Message any member

Send and receive chat messages to and from any member of your community.


Use this permission for building bots in Work Chat.

When this permission is enabled, you'll be able to enable the "Allow this integration to work in group chats" permission.

Read all messages

Read chat messages from any member in your community.


Use this permission to enable a compliance integration that will monitor Workplace Chat usage.

Delete chat messages


Use this permission to enable an app to delete chat messages from a person's conversations, e.g., to implement a retention policy.

Read security logs

Access details of security events, including login attempts and password reset requests.


Use this permission to enable a compliance integration that will monitor Workplace Chat usage.


Log members out from all active sessions


Use this permission to log a user out of Workplace

Create link previews

Rich previews for links shared in Workplace.


Apps with this permission can generate authenticated previews for links that are shared in Workplace.

Force Password Reset

Force a user with Password authentication to reset their password.


Use this permission to force a user to reset their password. Using the endpoint


The endpoint will throw an error if the user is unclaimed, deactivated, or using SSO.

Manage Work Profiles

Read and update work profiles in Workplace.


Apps with this permission combine the reading permissions of read_user_work_profile and read_user_org_chart. Apps with this permission also are able to update account information (e.g.: Name, department, division, title, organisation, phones)

Provision User Accounts

Provision accounts in Workplace.


Apps with this permission can provision, deactivate and delete (unclaimed) Workplace accounts. This permission also allows updates to the active, email, name, hire_date, and invited member's fields.

Read group membership

List the members of a group and list the groups that a user is a member of


Apps with this permission can query the list of members of a particular group. Furthermore, it is possible to list the groups that a user is a member of.

Manage Knowledge Library content

Create, edit and delete important company information in Knowledge Library


Apps with this permission can create and modify content within Knowledge Library. Use this permission to enable an integration to:

  • Creat/Update/Delete a category
  • Create subcategories within a category
  • Update photos/videos/files to a category
  • Create/Update/Delete a quicklink

Read Knowledge Library content

Read important company information in Knowledge Library


Apps with this permission can access content from Knowledge Library. Use this permission to enable an integration to:

  • Get the list of categories
  • Get content for a specific category
  • Get the list of quicklinks

Export employee data

Export the list of current employees and their activity data in a CSV format.


Apps with this permission can schedule a data export job which generates a CSV file listing all Workplace users. The CSV also includes data on the user, as well as information on their recent use of Workplace features.

Group-Level Permissions

For some permissions, it's possible to limit an integration to be enabled on specific groups. This allows you to scope an integration's access to just the content you want to expose.

For example, you can allow an alert-posting integration to post only in a team's own group, or enable an employee app integration to read content only in specific open groups.

To specify group-level permissions for a custom integration, use the Group Access panel in the Edit Integration dialog.

Enabling group level permission for this integration.

Group-level permissions apply to the following permissions:

  • Read group content - Read posts, comments and member profiles in selected groups
  • Manage group content - Manage posts and comments in selected groups
  • Manage groups - Edit or remove selected groups and their members

You can configure an integration such that group-level permissions can be applied to either All groups, Specific groups as chosen by a system administrator, or Let group admins enable for their groups.

Admin Install Flow

When Let group admins enable for their groups is enabled, an admin of a group will see a new Integrations tab under the Manage Group screen, allowing them to enable the integration on their group.

An example app which can now be enabled by the group admin.

App Tokens & Usage

When you create a new app for Workplace, an access token is generated for use with the Graph API, Account Management API, or Webhooks.

This access token will only be shown once, so it's important to store the token securely for later usage in code.

The token reset flow for a custom integration app

Workplace app tokens never expire, and do not need to be refreshed unless they have been manually reset. If you edit the permissions available to a given app, the existing token will still work, and you won't need to generate a new token.

If you ever need to invalidate a token, you can reset the token via the Reset Access Token button in the Edit App dialog. A new token will be generated and displayed, and the existing token will be immediately invalidated.

Token Security

Access tokens are powerful. They grant access to your company's data on Workplace. When creating an app, consider the minimal set of permissions necessary to complete the integration features, and don't grant any unnecessary permissions.

When storing tokens or adding them to code repositories, great care should be taken to ensure that they aren't shared with the wrong people.

Never commit production access tokens into public code repositories.

You must store and use your API Credentials only in your own server environment and ensure that these values are never copied or transmitted elsewhere, e.g., to mobile apps or web browser clients.

To add an additional layer of security for integrations, you should add an IP whitelist, which will restrict token usage to servers only on the whitelisted list of IP addresses.

Adding an IP whitelist to restrict token usage to specified servers and requiring App Secret Proof

Automatic removal of unused permissions

If a custom integration makes no calls using a particular permission for 30 days, that permission will be removed. After this has happened once for a custom integration, an option will be available to stop this removal process.

If a valid webhook subscription has been set up, the webhooks sent by this count as a use of the relevant permission.

Controls for automatic removal of permissions

App Secret Proof

Access tokens for Workplace don't expire. Custom integrations can require an app secret proof to add an additional layer of security. Enabling the 'Require App Secret Proof' option ensure that API calls are only ever made from server-side code, an expiring app-secret proof will be required along with a the access token when making API calls.

To generate an expiring app-secret proof, you'll need to concatenate the token with a unix timestamp, separated by a pipe symbol |, then create a SHA-256 hash of the concatenated string, using your app secret as the key. Here's an example in PHP:

$appsecret_proof = hash_hmac('sha256', $access_token.'|'.time(), $app_secret); 

Some Operating Systems and programming languages will return a timestamp that is a float. Be sure to convert to an integer value before calculating the app-secret proof. Some programming languages create the hash as a digest object. Be sure to express the hash as a hexadecimal object.

To make API calls with your app-secret proof, pass the generated hash via the appsecret_proof parameter, along with the appsecret_time set to the timestamp you used when hashing the app secret, along with your access token.


Time-stamped app secret proofs will be considered expired after 5 minutes, so it's recommended that you generate a new proof in-line when making each Graph API call.

Exploring API Functionality with Postman

Postman is a widely used tool for working with web APIs. You may find it convenient to explore the Workplace API using Postman, but the $appsecret_proof parameter presents a complication - since this value must be calculated and expires after five minutes, it would simplify matters if Postman could generate the value at request time. In fact Postman can do so using its Prerequests Scripts & Params features. This script can be used as a starting point:

// Add to Postman's Pre-request Script Tab
var access_token = "replace-me";
var app_secret = "replace-me";
var time = (new Date().getTime()/1000|0);
postman.setEnvironmentVariable("access_token", access_token)
postman.setEnvironmentVariable("appsecret_time", time);
postman.setEnvironmentVariable("appsecret_proof", CryptoJS.HmacSHA256(access_token + '|' + time, app_secret));
1) Create an active environment (there isn't one by default), then 2) add these three parameters, which are calculated by your pre-request script.