How to Prevent Leaking Your Discord Bot’s Token
With so many people starting out in programming by writing Discord bots, token leaks are a common occurrence. Here’s how you can prevent your sensitive information from being exposed.
Keep your secrets separate from your code
A common mistake made by new developers is putting tokens and passwords directly in their code. This opens you up to all kinds of security issues and should be avoided in any situation. There are several methods of storing secrets, but we’ll only be focusing on the two most popular for this tutorial.
Config files
The easiest way to use secrets in an application is to store them in a config file. All you need to do is pick your favorite config language, put your secrets and settings in, and import them into your code.
Here’s an example of using a JSON config file in JavaScript:
Environment variables
Another popular method is to use environment variables for your secrets. You can either pass environment variables when running an application or you can use a .env file.
For those of you not on Windows, you can pass variables like so: TOKEN="your_token_here" node ./index.js
If you want to do this cross-platform, check out cross-env.
An easier and more maintainable way is to create a .env file. These contain one variable per line, formatted as VAR="VALUE". This file can then be loaded through packages such as dotenv.
Keeping your config out of Git repos
So you’ve moved your token out of your code. That’s great, but how do you keep it off your GitHub repo?
There’s a special file used by Git called .gitignore. It contains a list of file patterns to exclude from git commits. If you don’t already have a .gitignore file, grab one from GitHub’s templates. At the end of your file add a section like the one below, and Git will ignore them in all your commits.
Removing an ignored file from a Git repo
If you’ve already committed your token to a repo then ignoring the file won’t make it go away. You need to remove it from your git repo manually. To do this run these commands:
Once a commit containing the token has been pushed, the token can still be found even if you later remove it from your entire commit history. Do not assume that it is safe to keep around and use.
A leaked token can never be used again
If your token has been posted somewhere it needs to be regenerated immediately. Go to the Discord developer portal, select your app, select the “Bot” section, and click “Regenerate”. If you keep a leaked token valid then anyone using it could potentially destroy your servers and ruin your bot.
Protecting eval commands
Many bots have eval commands that execute code and send the results back in Discord. This is fine, but it can potentially leak your token.
To prevent such an incident from occurring, you can run all messages (or just eval output) through a filter. An example token filter is shown below.
TL;DR: Please stop putting tokens in your code and committing them to GitHub. API secrets are sensitive information and must be protected.