Restarting bot token programmatically
Is there any way that we can reset a bot's token? If there is no official method or underlying API endpoint I can use, what would a possible solution be to accomplish this?
At one point I was thinking of just having the bot publish a git gist with the token inside of it, but there must be a better way
Why do you need to do this?
Requires some background info: it's a bot that is added to some high member count servers, and it requires permissions that can be damaging if the token is compromised, and since the bot has a single purpose I plan to just leave in some event listeners to see if it's doing something it should not be rather than putting security in the server's hands
You misunderstood, obviously exposing the token online is very bad, and you should never do that. But why do you think you needed to do that in the first place?
I was generally saying it as a workaround because I know that if you expose your token to a public GitHub repo, Discord will reset it automatically
I really don't, but I need to assure the people I need to work with on something other than my ability to keep a token safe, and this would be a method that works 100% of the time
If you all don't think that it's a good idea I will respect that and try to find another method, but please lmk!
You’re skipping a lot of steps of security. At which point would your token get compromised unless you were to share it? You don’t need to check if your bot is doing something malicious because by the time your bot detects it, it’s already been compromised and the malicious code executed. And in order for them to get access to the token they would need to either gain access to your discord account or your hosting. Seems completely pointless imo.
I appreciate your response, and want to explain a little. I'm not skipping steps of security, I know how to secure my token and didn't claim I wasn't securing my host. By the time my bot detects it, it can change the token. I'd rather have 10-20 actions to clean up rather than 200-500. I'm speaking of token compromise, not host compromise.
I don't think there's an endpoint for it, not even with OAuth
it really pretty much just relies on your ability to keep your token safe, and there shouldn't be many ways to expose it, if any
actually the most common approach of compromising a bot is to compromise the owner's account, since that's way easier; in modern days the human factor is always the weakest link
and you can easily avoid that by just securing your account: secure password, 2FA, etc
maybe even using a separate account apart from your personal one, just for the bot
though I'm not sure if that's against dev ToS, I wouldn't think so but you should probably ask Discord
managing apps - creating, deleting, generating tokens, transferring to teams, etc. is a user-only action and does not have an app-authorized endpoint
automating user accounts is strictly against ToS