openclaw - 💡(How to fix) Fix [Bug]: Slack provider doesn't reliably reload after channels.slack.botToken rotation (cached singleAuthorization) [2 comments, 3 participants]

Summary

After a Slack bot token rotation (edited in panel/config and persisted to ~/.openclaw/openclaw.json), the running Slack provider does not reliably reload the new token. The cached token in @slack/bolt's singleAuthorization keeps returning the old value, so every inbound event fails auth.test with invalid_auth. Symptom looks like "Slack integration broken" — messages stop routing — even though the new token on disk is valid.

Environment

• OpenClaw 2026.5.6 (Sandpaw managed instance, container sandpaw-go-yard)
• Channel: Slack (Bolt)

Repro

1. Running gateway with a working Slack channel.
2. Edit channels.slack.botToken in ~/.openclaw/openclaw.json (or via panel "save Slack config") to a freshly rotated token.
3. Observe gateway logs around the edit timestamp.

Expected

[gateway/channels] restarting slack channel fires within the inotify debounce window, the App instance is rebuilt with the new token, and auth.test succeeds on the next inbound event.

Actual

• Earlier edits in the same session (e.g. 14:34, 14:54 UTC on 2026-05-10) did trigger the restart line.
• A later edit (15:35 UTC, same file, same key) did not trigger any restart line — the old token stayed cached in memory.
• All inbound events from then on hit invalid_auth against auth.test, even though a direct auth.test against the on-disk token succeeded.
• Workaround: docker restart <container>. After restart, Slack reconnected clean and stayed healthy.

Suspected cause

• @slack/bolt singleAuthorization caches authorization.botToken per App instance. The provider reuses the existing App rather than tearing it down and rebuilding when only the bot token changes.
• The inotify-based config watcher / config.patch path appears to debounce or skip the restart for some edit shapes (token-only change while other fields are unchanged).

Asks (either fixes the user-visible bug)

1. Reliable channel restart on token change. Gateway should always emit [gateway/channels] restarting slack channel when channels.slack.botToken (or appToken) actually changes on disk, regardless of the surrounding edit shape.
2. Or: the panel's "save Slack config" path should explicitly call gateway/channels restart-slack after persisting, so we don't depend on the watcher firing.

Notes / not this bug

• This is not "multiple Slack sessions" or "message routing splitting." A user-side hypothesis ("OpenClaw is creating multiple Slack sessions per user") was reported but did not match the logs. The actual symptom is a single stale App instance holding a cached token.
• Loosely related (different code path, already merged): #70720 fix(gateway): restart channels after secret reload — that fix targets SecretRef refresh; this issue is about plain token-string rotation in channels.slack.botToken not triggering a restart.