Understanding Discord Tokens

@darksunlight
Last active June 26, 2023 09:58

There are two types of Discord tokens: normal tokens and MFA tokens.

Normal Tokens

Normal tokens can be split into 3 parts, each separated by a period/dot. The first part is the user ID string/snowflake in base64. The third part is the HMAC digest.

The second part is slightly more interesting. It is the timestamp at which the token was generated, but depending on when the token was generated, you may have to add an additional 1.1e9 to 1.3e9 seconds to the decoded value to get the true timestamp.

Basic validations

If you want to verify whether a token is real, but don't want to test the token against Discord's servers, you can use the rules above (for the first and second parts) to filter out obviously fake tokens.

As an example, here is a token: OTM1NTY2MjUwNTg1NzYzODgw.YIz98g.ffPyQbZQGxQ3tmunQx2i86AWT-M.

Of course, it is not a real token, but one that I generated with random data.

First off, you can test whether a user ID is valid with the GET /users/{user.id} endpoint. In this case, upon inspecting the first part, you will notice that the user ID does belong to an existing user. This might be an indication that the token is authentic. If the user ID is non-existent, you can conclude with confidence that the token is fake.

Next, the timestamp. If the string begins with X or Y, the timestamp is most likely the original one. Here, passing YIz98g to

Buffer.from('YIz98g', 'base64').readInt32BE();

yields 1619852786, or 2021-05-01T07:06:26Z. If the string begins with a different letter, add approximately 1.2e9 to the result.

Knowing the purported token generation time, you can compare it to the user creation timestamp, which can be conveniently obtained with (snowflake >> 22) + 1420070400000, as documented in the Discord API reference on snowflakes. In this example, the user ID is 935566250585763880; passing it through the formula gives 1643126776120 (in milliseconds!), which converts to 2022-01-25T16:06:16.120Z. Apparently, the token generation time is 9 months earlier than the user creation time, which is clearly impossible. Therefore, it can be concluded that the sample token is definitely invalid.

MFA Tokens

There isn't much to MFA tokens: they begin with the prefix mfa., followed by an 84-character long string. They are believed to have been discontinued in early May 2022.
