I'm trying to call Slack's API from the browser, so I ran the following in Chrome's dev console and got an error:
await (await fetch("https://slack.com/api/apps.connections.open", {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: new URLSearchParams({'token': 'xapp-1-MYTOKEN'})
})).json()
→ {ok: false, error: 'invalid_auth'}
I thought that providing the token via the request body should be fine, since the documentation says so:
Tokens should be passed as an HTTP Authorization header or alternatively, as a POST parameter.
Am I missing something?
I tried the equivalent (I think) cURL command and got the same result.
$ curl -s --data-urlencode token@TOKEN https://slack.com/api/apps.connections.open | jq
{
  "ok": false,
  "error": "invalid_auth"
}
I made sure that my token was correct; the API call succeeds when I send the token via the Authorization header:
$ curl -s -X POST -H Authorization:\ Bearer\ $(<TOKEN) https://slack.com/api/apps.connections.open | jq .ok
true
Note that the Authorization header cannot be used with the Fetch API because of a CORS limitation (the access-control-allow-headers header doesn't include "Authorization").
I understand that generally it's not a good idea to call the Slack API from the browser, in order to keep the token secret.
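
Added example, not part of the original question: a server-side (Node 18+) call that keeps the token out of the browser and sends it only in the Authorization header, the form the post reports as working. The names `buildOpenRequest`, `openConnection` and `stubFetch` and the token value are constructed for illustration; the stub stands in for Slack so the block runs offline.

```javascript
// Added example (not from the original post). Intended to run server-side,
// where no CORS restriction applies to the Authorization header.
const SLACK_OPEN_URL = "https://slack.com/api/apps.connections.open";

// Build the request so the token travels only in the Authorization header,
// never in the URL or the form body.
function buildOpenRequest(token) {
  // Tokens read from a file or an environment variable can carry a trailing newline.
  const clean = String(token ?? "").trim();
  if (!clean || /\s/.test(clean)) {
    throw new Error("token is empty or contains whitespace");
  }
  return {
    url: SLACK_OPEN_URL,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${clean}` },
    },
  };
}

// Call the API. fetchImpl is injectable so the function can be exercised offline.
async function openConnection(token, fetchImpl = fetch) {
  const { url, init } = buildOpenRequest(token);
  const res = await fetchImpl(url, init);
  const body = await res.json();
  if (!body.ok) {
    // Surface Slack's error code (e.g. invalid_auth) without echoing the token.
    throw new Error(`Slack API error: ${body.error}`);
  }
  return body;
}

// Constructed stub standing in for Slack: it accepts only the header form,
// mirroring the behaviour reported in the question.
async function stubFetch(url, init) {
  const ok = init.headers.Authorization === "Bearer xapp-1-CONSTRUCTED";
  return {
    json: async () => (ok ? { ok: true } : { ok: false, error: "invalid_auth" }),
  };
}

// Demo with the stub and a constructed token that has a trailing newline.
openConnection("xapp-1-CONSTRUCTED\n", stubFetch).then((r) => console.log(r));
```

A browser page would call an endpoint on this server rather than Slack directly, so the token never reaches client-side code.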