I’m working on a project to show my Discord activity on my website. It’s all set up and running smoothly. But I’m worried about keeping my bot token safe.
My site is on Netlify. I know I can use functions to get the token from environment variables. The problem is the token would still be visible in the network tab.
I thought about encrypting the data or adding it later with functions. But I’m not sure if that’s possible.
The bot only has access to presence updates and posting in one channel. But I want to make it more secure.
I considered using OAuth2 but I don’t want users to have to click extra buttons just to see my status.
Does anyone have ideas on how to handle this? Or is this whole thing a bad idea to begin with?
Using a proxy server or Cloudflare Workers is a solid approach, but there’s another option to consider. You could set up a separate backend service (like a small Node.js app on a free-tier cloud platform) that handles the Discord API interactions. Your website would then communicate with this service instead of directly with Discord.
This way, your bot token stays on the backend, never exposed to the client. The service can periodically fetch your status and store it, then your website retrieves this data via a simple API call. This method adds an extra layer of security and gives you more control over data caching and rate limiting.
It’s a bit more complex to set up initially, but it’s a robust solution that scales well if you decide to expand the project later.
I’ve actually implemented something similar for my personal site. Here’s what worked for me:
Instead of using the Discord bot directly, I set up a small server (I used Express.js) on a free-tier Heroku dyno. This server holds the bot token and interacts with Discord’s API.
My website pings this server every few minutes to get my latest status. The server caches the data to avoid hitting Discord’s rate limits.
For extra security, I added a simple API key system. My website sends this key with each request, and the server validates it before responding.
This setup keeps the token completely hidden from the client-side, and it’s been running smoothly for months now. It does add a bit of complexity, but the peace of mind is worth it.
Just remember to secure your server endpoints and maybe add some logging to keep an eye on things.
hey there! i’ve dealt with similar stuff before. maybe u could set up a proxy server? it’d hide ur token n still fetch the data. or u could use a service like cloudflare workers to handle the requests securely. just ideas tho, hope they help!