Skip to content

Instantly share code, notes, and snippets.

@ggorlen

ggorlen/slack-post-from-cli.md

Created May 12, 2026 23:22
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ggorlen/f4b80e506f278ef37a236afe9c687a49 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ggorlen/f4b80e506f278ef37a236afe9c687a49 to your computer and use it in GitHub Desktop.
Download ZIP
Siphon tokens from Chrome with AppleScript
Raw
slack-post-from-cli.md

Post to Slack as yourself from the CLI (macOS + Chrome)

Slack's xoxc- session tokens require an HttpOnly d cookie that JavaScript can't read. But you don't need to extract it. By running fetch() inside Chrome's Slack tab via AppleScript, the browser attaches the cookie automatically.

No bots, no webhooks, no OAuth apps. Just your existing Slack session.

Requirements

  • macOS (uses osascript)
  • Chrome with a app.slack.com tab open
  • Chrome > View > Developer > Allow JavaScript from Apple Events

Core helper

slack_post() {
  local channel="$1" msg="$2"
  local b64=$(printf '%s' "$msg" | base64)

  osascript <<EOF
tell application "Google Chrome"
  repeat with w from 1 to count of windows
    repeat with t from 1 to count of tabs of window w
      if URL of tab t of window w starts with "https://app.slack.com" then
        tell tab t of window w
          execute javascript "
            window.__slackResult = null;
            (async () => {
              const cfg = JSON.parse(localStorage.getItem('localConfig_v2'));
              const team = Object.values(cfg.teams).find(t =>
                t.name === 'YOUR_WORKSPACE_NAME'
              );
              const body = new URLSearchParams({
                token: team.token,
                channel: '$channel',
                text: atob('$b64')
              });
              const r = await fetch('/api/chat.postMessage', {
                method: 'POST', credentials: 'include',
                headers: {'Content-Type': 'application/x-www-form-urlencoded'},
                body: body.toString()
              });
              window.__slackResult = JSON.stringify(await r.json());
            })();
          "
          delay 3
          return execute javascript "window.__slackResult"
        end tell
      end if
    end repeat
  end repeat
  return "ERROR: No Slack tab found in Chrome"
end tell
EOF
}

Usage

slack_post "C047F6T8Z7Z" "Hello from the terminal!"

How it works

  1. AppleScript finds the first Chrome tab on app.slack.com
  2. It injects JavaScript that reads the workspace token from localStorage
  3. fetch('/api/chat.postMessage', { credentials: 'include' }) makes a same-origin API call; the browser attaches the HttpOnly d session cookie automatically
  4. The message is base64-encoded in bash and decoded with atob() in JS to avoid quoting issues between bash, AppleScript, and JavaScript
  5. The result JSON is returned to the shell

Notes

  • Replace YOUR_WORKSPACE_NAME with your Slack workspace name, or remove the .find() filter if you only have one workspace
  • The delay 3 gives the async fetch time to complete before reading the result
  • Works for any Slack API method, not just chat.postMessage
  • Same technique used by tools that extract JWTs from browser localStorage (e.g. for internal admin dashboards)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment