lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Discord

Discordsaas4 credentials

Credentials4 documented
01

Bot Token

discord / bot-token

Discord bot users authenticate to the Discord API and Gateway with a bot token from the application's Bot settings page. Discord documents the Authorization header format as Authorization: Bot <token>.

generated on installsecrettoken

Looks like

example
example

Discord bot token shape commonly used in bot Authorization headers

MTk4NjXXXXXXXXXXXXXXXX.XXXXXX.XXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
DISCORD_TOKEN, DISCORD_BOT_TOKEN, BOT_TOKEN
http header
Authorization

Bot token used as Authorization: Bot <token>

config file

.env files, bot config, Docker Compose files, deployment manifests

secret store

CI/CD variables, Kubernetes Secrets, cloud secret managers, hosted bot settings

source code

bot source code, examples, tests, notebooks, committed configs

logs

REST debug logs, Gateway connection logs, CI output, stack traces

Notes

Bot token blast radius depends on bot permissions, guild membership, and privileged intents. Rotate leaked tokens from the Developer Portal.

02

OAuth2 Client Secret

discord / oauth-client-secret

Discord OAuth2 applications use a client_id and client_secret for flows such as authorization code and client credentials. Discord documents that developers retrieve both values from the application settings.

generated on installsecretsecret value

Location

environment
DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET
config file

OAuth app config, .env files, deployment manifests

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

OAuth callback handlers, examples, committed config

logs

OAuth exchange logs, error traces, request dumps

Notes

The client secret authenticates the application to Discord's OAuth2 token endpoint. Client ID alone is an identifier, but it commonly leaks alongside the secret.

03

OAuth2 Access / Refresh Token

discord / oauth-access-refresh-token

Discord OAuth2 flows return access tokens and, for supported flows, refresh tokens. Access tokens authenticate with Authorization: Bearer and refresh tokens can obtain new access tokens until revoked or expired.

generated on installsecrettoken

Location

http header
Authorization

Bearer access token used for OAuth2-authenticated API calls

database

application OAuth token tables and user authorization stores

config file

local development OAuth token caches and .env files

secret store

app secret stores and cloud secret managers

logs

OAuth callback logs and token endpoint responses

http response

OAuth2 token endpoint responses containing access_token and refresh_token

Notes

OAuth tokens represent delegated user authorization, not a bot user. Scopes determine what the application can do.

04

Webhook URL / Token

discord / webhook-url-token

Discord webhooks include a webhook id and secure token. Discord documents that webhooks do not require a bot user or authentication to execute, and webhook objects may include the token and execution URL.

generated on installsecrettoken

Looks like

example
example

Discord webhook execution URL containing the webhook token

https://discord.com/api/webhooks/123456789012345678/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

config file

.env files, notification configs, CI/CD webhook settings

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

bot code, monitoring rules, deployment scripts, committed examples

logs

webhook POST traces, CI logs, application debug output

http response

OAuth2 webhook.incoming responses and webhook API responses containing url or token

Notes

A Discord webhook URL is sufficient to post messages to the target channel. Delete and recreate exposed webhooks.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.