Managing Slack Workspace Credentials using Slack Bot Secret key and ID

When you make a Slack Bot, Slack provides you with a `client_id` and a `client_key`. Using these, we can authenticate incoming requests to add our Bot to any Slack Workspace. Workspace here means any Slack subdomain or Slack team.

Once the incoming Workspace request is authenticated, the Slack API provides us with the team access_tokens, which can be used to access the concerned workspace to listen and respond in any channel or DM the Bot has been added to.

While making this Bot, I was a little curious to know if saving the team credentials in our DB for monitoring and responding back to teams was the right way to manage Slack team credentials. So I emailed this query to Slack support. I was pleased with their quick reply and also to know that I was doing it the right way.

Here's my query and the response from Slack support:

One quick question which would help me architect my bot correctly.
I am making the user log in to my web app, where the user will hit the "Add to Slack" button and then

  1. I'll get code and state from Slack, which I'll send to the back end along with the user email id and other details of that user associated with my application.
  2. Then I'll authenticate this user to Slack by sending the code, client_id, client_secret and redirect_uri.
  3. If that's successful, I will save this user's Slack ID along with his bot_tokens so that I can communicate with him and associate his slack_user_id with my application user_id, so that I could send and receive data and save it for him.

Is this the right way of doing it? Also, is there any best practice guide you would recommend me to read before finalising my Bot? What data needs to be saved to keep the bot alive for any channel? I mean we get most of the data from the Slack API, so I guess the bot token and user_id are the essential part of this. But again, I might be wrong.

Sorry for the delay in reply. It sounds like all the steps you've outlined are correct—once the user completes the OAuth process you can save all the associated information locally and use it for connecting to the API.
In terms of best practices, I recommend reviewing the following:
• Best practices:
• Slack app blueprints:
• Tutorials:
And of course always feel free to reach out with any questions!
— Ben
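
The three steps from the query above, as an added example that is not part of the original post or of Slack's reply: the callback checks that `state` was issued to the logged-in user before exchanging the code, then stores the workspace token keyed by team. The `oauth.v2.access` endpoint and its response shape are assumed from Slack's current OAuth flow; the signing key, table name, `post` callable and sample response are constructed for illustration.

```python
import hashlib, hmac, sqlite3, time

STATE_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the browser
STATE_TTL = 600                      # seconds an "Add to Slack" attempt stays valid

def _sig(body):
    return hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_state(app_user_id, now=None):
    """State for the "Add to Slack" redirect, bound to the logged-in application user."""
    body = f"{app_user_id}.{int((now or time.time()) + STATE_TTL)}"
    return f"{body}.{_sig(body)}"

def check_state(state, app_user_id, now=None):
    """True only if state is unmodified, unexpired and was issued to this user."""
    try:
        uid, exp, sig = state.rsplit(".", 2)
    except (ValueError, AttributeError):
        return False
    return (hmac.compare_digest(sig.encode(), _sig(f"{uid}.{exp}").encode())
            and uid == str(app_user_id) and exp.isdigit()
            and int(exp) >= (now or time.time()))

def new_db():
    db = sqlite3.connect(":memory:")
    # One row per workspace; in production, encrypt bot_token at rest and restrict who can read it.
    db.execute("CREATE TABLE slack_install (team_id TEXT PRIMARY KEY, "
               "slack_user_id TEXT, app_user_id TEXT, bot_token TEXT)")
    return db

def handle_callback(db, post, app_user_id, code, state, client_id, client_secret, redirect_uri):
    """Verify state, exchange the code, then store the workspace token (steps 1-3)."""
    if not check_state(state, app_user_id):
        raise PermissionError("state was not issued to this user's session")
    # post(url, data) -> dict is injected so this runs offline; a real one is an HTTPS POST.
    resp = post("https://slack.com/api/oauth.v2.access",
                {"code": code, "client_id": client_id,
                 "client_secret": client_secret, "redirect_uri": redirect_uri})
    if not resp.get("ok"):
        raise RuntimeError(f"token exchange failed: {resp.get('error')}")
    db.execute("INSERT OR REPLACE INTO slack_install VALUES (?,?,?,?)",
               (resp["team"]["id"], resp["authed_user"]["id"], str(app_user_id), resp["access_token"]))
    return resp["team"]["id"]

def fake_slack(url, data):  # constructed response in the oauth.v2.access shape
    return {"ok": True, "access_token": "xoxb-constructed", "team": {"id": "T0CONSTRUCTED"},
            "authed_user": {"id": "U0CONSTRUCTED"}}
```

Binding `state` to the application user is what lets step 3 safely associate the returned Slack user and team with the right account.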