About

This is a repository with everything you need to know about abusing the Discord API (with the help of our buddy Python).

Self-bots: their uses, risks, frameworks, and some communities.

Uses

A selfbot can be useful for quick Discord utilities; it's a bot running on a user account.

Risks

A selfbot is always risky due to its being against Discord's terms, although Discord won't notice unless you use it to carry out certain risky actions.

Frameworks

DisCum.py (powerful wrapper with lowest chance of getting caught, though hard to master) (example here)
discord.py-self (same syntax as discord.py, accesses same gateways so it's at a high chance of getting caught) (example here)
Anarchy.NET (powerful wrapper w/low chance of getting caught, weird syntax though) (example here)

Communities

Tokens & UserIDs

A Discord token is the authorization for your account; a userid is your account's unique identifier (userids follow the snowflake format).

More About Tokens

Example token: ODU4OTMyMDU4NjAwMjQzMjMw.YY4OOw.1hs4tL-J0dBMS_yKSTN6iuhqcPo

The first section (before the first period) is the account's userid, encoded in base64.
In the example token, It's ODU4OTMyMDU4NjAwMjQzMjMw, which decodes to 858932058600243230. Running a lookup on discord.id will show that this is, indeed, the token's owner.
The second section (after the first period, before the second period) is the token's mint (creation) date, in unix time. The unix is first converted to hex, and then base64. So, to decode it, you can convert this part of the token from base64 to hex. Next, you can take the hex number and convert it to the decimal format (you'll end up with 1636699707 if you do this with the example token). If you run this through a unix to date converter, you'll get the token's mint date.
The third (and final) section is a cryptographic verification system (HMAC/Hash based Message Authentication Code) that occurs on Discord's end. Not much can be done with this alone.

This token format can be abused and used to create a token bruteforcer.

Here's a chart (CREDIT: ImLorio):

a chart denoting the discord token format

More about UserIDs

First, you convert the userid to binary.
First 42 bits of the binary can be converted to the decimal format, and the remaining integer is the amount of time since the Discord Epoch, 1420070400000.
The next 5 bits are an internal worker id
The next 5 bits are an internal process id
The last 12 bits are a count of every discord id, ever.

Here's a chart (CREDIT: ImLorio)

a chart with the discord userid, broken down into its simplest form

Discord and Log-ins: What to Know & How to Abuse It (CREDIT: Monst3red AND hxr404)

The Discord login (in the browser's context, frontend) works as an iframe with the token inside, and it reloads to log you in. This can be abused (and it was, by m-Phoenix852) for a token login script. Because of this, you can log into the Discord webapp with a user token using selenium's webdrivers.

# SCRIPT TAKEN FROM "https://github.com/Monst3red/Discord-Token-Login-Tool"

import selenium
from selenium import webdriver

token = input("Token here: ")

script = '''
    const login = (token) => {
        setInterval(() => document.body.appendChild(document.createElement `iframe`).contentWindow.localStorage.token = `"${token}"`, 50);
        setTimeout(() => location.reload(), 2500);
    };''' + f'login("{token}")' # adapated from "https://gist.github.com/m-Phoenix852/b47fffb0fd579bc210420cedbda30b61"

driver = webdriver.Chrome("chromedriver.exe")
driver.get("https://discord.com/login")
driver.execute_script(script)

The Discord login (in the API's context, backend) works as a WebSocket connection to the url wss://gateway.discord.gg/?encoding=json&v=9&compress=zlib-stream. I don't know much about this part, however, Hornwitser has a good documentation of Discord's WebSockets on his site.

API Endpoints

I'm not gonna include all of them here, but right here and here each have tons of them listed.

Notes and hacks relating to Discord and its API

About

Self-bots: their uses, risks, frameworks, and some communities.

Uses

Risks

Frameworks

Communities

Tokens & UserIDs

More About Tokens

This token format can be abused and used to create a token bruteforcer.

Here's a chart (CREDIT: ImLorio):

More about UserIDs

Here's a chart (CREDIT: ImLorio)

Discord and Log-ins: What to Know & How to Abuse It (CREDIT: Monst3red AND hxr404)

API Endpoints

One of the most notable URLs (in my opinion) is `https://discord.com/api/v[current_version]/science`; it's Discord's data collection URL.

John

Tracking development of the Class Schedule Siri Shortcut, an iOS program that checks the type of school day and tells you class scheduling

More granular intermediaries for legacy Minecraft versions

About

Self-bots: their uses, risks, frameworks, and some communities.

Uses

Risks

Frameworks

Communities

Tokens & UserIDs

More About Tokens

This token format can be abused and used to create a token bruteforcer.

Here's a chart (CREDIT: ImLorio):

More about UserIDs

Here's a chart (CREDIT: ImLorio)

Discord and Log-ins: What to Know & How to Abuse It (CREDIT: Monst3red AND hxr404)

API Endpoints

One of the most notable URLs (in my opinion) is https://discord.com/api/v[current_version]/science; it's Discord's data collection URL.

Tracking development of the Class Schedule Siri Shortcut, an iOS program that checks the type of school day and tells you class scheduling

More granular intermediaries for legacy Minecraft versions

You might also like...

One of the most notable URLs (in my opinion) is `https://discord.com/api/v[current_version]/science`; it's Discord's data collection URL.