Discord
Discordsaas4 credentials
Bot Token
discord / bot-token
Discord bot users authenticate to the Discord API and Gateway with a bot token from the application's Bot settings page. Discord documents the Authorization header format as Authorization: Bot <token>.
Looks like
exampleMTk4NjXXXXXXXXXXXXXXXX.XXXXXX.XXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
DISCORD_TOKEN, DISCORD_BOT_TOKEN, BOT_TOKENAuthorizationBot token used as Authorization: Bot <token>
.env files, bot config, Docker Compose files, deployment manifests
CI/CD variables, Kubernetes Secrets, cloud secret managers, hosted bot settings
bot source code, examples, tests, notebooks, committed configs
REST debug logs, Gateway connection logs, CI output, stack traces
Notes
Bot token blast radius depends on bot permissions, guild membership, and privileged intents. Rotate leaked tokens from the Developer Portal.
OAuth2 Client Secret
discord / oauth-client-secret
Discord OAuth2 applications use a client_id and client_secret for flows such as authorization code and client credentials. Discord documents that developers retrieve both values from the application settings.
Location
DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRETOAuth app config, .env files, deployment manifests
CI/CD variables, cloud secret managers, hosted app settings
OAuth callback handlers, examples, committed config
OAuth exchange logs, error traces, request dumps
Notes
The client secret authenticates the application to Discord's OAuth2 token endpoint. Client ID alone is an identifier, but it commonly leaks alongside the secret.
OAuth2 Access / Refresh Token
discord / oauth-access-refresh-token
Discord OAuth2 flows return access tokens and, for supported flows, refresh tokens. Access tokens authenticate with Authorization: Bearer and refresh tokens can obtain new access tokens until revoked or expired.
Location
AuthorizationBearer access token used for OAuth2-authenticated API calls
application OAuth token tables and user authorization stores
local development OAuth token caches and .env files
app secret stores and cloud secret managers
OAuth callback logs and token endpoint responses
OAuth2 token endpoint responses containing access_token and refresh_token
Notes
OAuth tokens represent delegated user authorization, not a bot user. Scopes determine what the application can do.
Webhook URL / Token
discord / webhook-url-token
Discord webhooks include a webhook id and secure token. Discord documents that webhooks do not require a bot user or authentication to execute, and webhook objects may include the token and execution URL.
Looks like
examplehttps://discord.com/api/webhooks/123456789012345678/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
.env files, notification configs, CI/CD webhook settings
CI/CD variables, cloud secret managers, hosted app settings
bot code, monitoring rules, deployment scripts, committed examples
webhook POST traces, CI logs, application debug output
OAuth2 webhook.incoming responses and webhook API responses containing url or token
Notes
A Discord webhook URL is sufficient to post messages to the target channel. Delete and recreate exposed webhooks.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.