From 0d019dc62b7086bd5070018ece0b6674d94974de Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Thu, 28 May 2026 16:03:45 -0700
Subject: [PATCH 1/2] fix(slack): only parse scoped user id for oauth
 credentials

---
 apps/sim/app/api/tools/slack/channels/route.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/sim/app/api/tools/slack/channels/route.ts b/apps/sim/app/api/tools/slack/channels/route.ts
index f7e2c2a3d9..791714a86b 100644
--- a/apps/sim/app/api/tools/slack/channels/route.ts
+++ b/apps/sim/app/api/tools/slack/channels/route.ts
@@ -93,7 +93,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       accessToken = resolvedToken
       logger.info('Using OAuth token for Slack API')
 
-      if (authz.resolvedCredentialId) {
+      // resolvedCredentialId is an account.id only for OAuth credentials; the
+      // service_account path returns a credential.id, which must not be used as
+      // an account lookup key. Slack never uses service accounts, but guard
+      // explicitly so the lookup is correct by construction.
+      if (authz.credentialType === 'oauth' && authz.resolvedCredentialId) {
         const [accountRow] = await db
           .select({ accountId: account.accountId })
           .from(account)

From 23645a164f32ca88ec1c2e68c16a6014cbf535e7 Mon Sep 17 00:00:00 2001
From: Waleed Latif <walif6@gmail.com>
Date: Thu, 28 May 2026 16:06:30 -0700
Subject: [PATCH 2/2] chore(slack): trim guard comment

---
 apps/sim/app/api/tools/slack/channels/route.ts | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/apps/sim/app/api/tools/slack/channels/route.ts b/apps/sim/app/api/tools/slack/channels/route.ts
index 791714a86b..4eaeae69cd 100644
--- a/apps/sim/app/api/tools/slack/channels/route.ts
+++ b/apps/sim/app/api/tools/slack/channels/route.ts
@@ -93,10 +93,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       accessToken = resolvedToken
       logger.info('Using OAuth token for Slack API')
 
-      // resolvedCredentialId is an account.id only for OAuth credentials; the
-      // service_account path returns a credential.id, which must not be used as
-      // an account lookup key. Slack never uses service accounts, but guard
-      // explicitly so the lookup is correct by construction.
+      // resolvedCredentialId is an account.id only for OAuth credentials
+      // (the service_account path returns a credential.id).
       if (authz.credentialType === 'oauth' && authz.resolvedCredentialId) {
         const [accountRow] = await db
           .select({ accountId: account.accountId })