Hey everyone,
I’ve been working on a cool project for my personal website. I want to show my Spotify or game activity in real-time using Discord’s gateway. The feature works great, but I’m worried about keeping my bot token safe.
My site is on Netlify, and I’ve tried using functions to get the token from environment variables. But the token still shows up in the network tab. I thought about encrypting stuff or changing the payload in functions, but I’m not sure if that’s possible.
The bot only has access to presence updates and posting in one channel. But I want to make it more secure. I considered using OAuth2, but I don’t want visitors to have to click extra things just to see this info.
Does anyone have ideas on how to protect the token better? Or am I overthinking this? Thanks for any help!
Hey there! I’ve been through a similar situation with my own project. Have you looked into using a serverless backend service like AWS Lambda or Google Cloud Functions? These can act as an intermediary between your front-end and Discord’s API.
The idea is to create a function that holds your bot token securely and handles the API calls to Discord. Your website then only communicates with this function, using a separate, less sensitive key for authentication if needed. This way, your Discord token never leaves the secure environment.
I found this approach pretty straightforward to implement and it gave me peace of mind about token security. Plus, most cloud providers offer a generous free tier for these services, so it shouldn’t impact your costs much, if at all.
Just remember to set up proper CORS policies and maybe implement rate limiting to prevent abuse. It’s a bit of extra work upfront, but it’s worth it for the added security.
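An added example of the serverless-function pattern described in this reply (not code from any poster): the bot token stays in the function's environment, the browser only ever receives a trimmed activity object, and requests are checked against an origin allowlist and a per-IP rate limit. The Discord call itself is abstracted as `fetchPresence`, an assumed upstream injected so the handler runs offline; the origin, the `DISCORD_BOT_TOKEN` variable name and the sample data are placeholders.

```javascript
// Netlify-style handler (added example). The token is read from env on the
// server; fetchPresence is an assumed upstream that uses it and returns a raw
// Discord presence object (it is injected here so the code runs offline).
const ALLOWED_ORIGINS = new Set(['https://example.netlify.app']); // placeholder origin
const WINDOW_MS = 60_000;     // rate-limit window
const MAX_PER_WINDOW = 30;    // requests per IP per window
const hits = new Map();       // ip -> { count, windowStart } (in-memory, per instance)

// Fixed-window rate limit; returns false once an IP exceeds MAX_PER_WINDOW.
function allowRequest(ip, now = Date.now()) {
  const entry = hits.get(ip);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    hits.set(ip, { count: 1, windowStart: now });
    return true;
  }
  entry.count += 1;
  return entry.count <= MAX_PER_WINDOW;
}

// Copy only the fields a visitor needs; user ids, session data and anything
// else in the raw presence stay on the server.
function toPublicActivity(presence) {
  return {
    status: presence.status,
    activities: (presence.activities || []).map((a) => ({
      name: a.name,
      type: a.type,
      details: a.details ?? null,
      state: a.state ?? null,
      timestamps: a.timestamps ?? null,
    })),
  };
}

async function handler(event, { token = process.env.DISCORD_BOT_TOKEN, fetchPresence, now = Date.now() } = {}) {
  const headers = event.headers || {};
  const origin = headers.origin || '';
  if (!ALLOWED_ORIGINS.has(origin)) return { statusCode: 403, headers: {}, body: '' };
  const cors = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  const ip = (headers['x-forwarded-for'] || 'unknown').split(',')[0].trim();
  if (!allowRequest(ip, now)) return { statusCode: 429, headers: cors, body: '' };
  const raw = await fetchPresence(token); // the token is used here and nowhere client-facing
  const body = JSON.stringify(toPublicActivity(raw));
  // Defence in depth: never ship a response that somehow contains the secret.
  if (token && body.includes(token)) throw new Error('token would leak into response');
  return { statusCode: 200, headers: { ...cors, 'Content-Type': 'application/json' }, body };
}
// When deployed as a Netlify function, export it as `exports.handler = handler`.
```

The client then calls this function's URL and never sees the `Authorization` header or the token; the network tab only shows the trimmed JSON.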
I’ve dealt with this issue before. One approach you might consider is implementing a WebSocket server. This allows you to maintain a persistent connection between your server and the client, pushing real-time updates without exposing your token.
You could set up a simple Node.js server (perhaps on a platform like Heroku) that handles the Discord API interactions. Your client-side code would then connect to this WebSocket server instead of directly to Discord. This way, your token remains secure on the server, and you’re only passing the necessary activity data to the client.
It’s a bit more complex to set up initially, but it provides a good balance between security and real-time functionality. Plus, it’s scalable if you decide to add more features later on.
yo, i had a similar issue. have u considered using a proxy server? it can act as a middleman between ur website and discord’s api. that way, ur token stays on the server side and never touches the client. might be a bit more work to set up, but it’s way safer. just a thought!