Token Syntax research

[hxr404]

I generated some tokens by changing the passwords and Discorverd something interesting: base64userid.YAwfew.randomstuff base64userid.YAwgGA.randomstuff base64userid.YAwgSA.randomstuff base64userid.YAwgew.randomstuff base64userid.YAwgtQ.randomstuff base64userid.YAwg6w.randomstuff base64userid.YAwhCA.randomstuff

The first 3 letters (of the middle block) are always the same and the letters after it are kinda similar

When doing this with Bot tokens this 6 letters are completly the same! seems like the first 3 letters represent some account info that doesn't change and the other 3 letters only change at user accounts

So this is my idea of Token Syntax:

• base64userid
• dot
• user-specific capital letter; not random
• 2 user-specific capital chars (upper/lower case letters, numbers, - or _); not random
• 3 chars (upper/lower case letters, numbers, - or _) that are userspecific for bots; not random
• dot
• 27 random chars(upper/lower case letters, numbers, - or _)

and for user accounts with mfa enabled #12

[hxr404]

What I couldn't test:

• what different accounts have as unique 3 letters and considering all parameters of those accounts (age, verified stage, id, etc.)

• How verifing E-Mail / Phone number affects the token

• How changing E-Mail / Phone number affects the token

[hxr404]

I created a PR #14 where I updated the Readme

[TKperson]

after checking, trying to confirm what you said is true - most of what you said are true - except the middle part. On my alt account, the middle part is YA8VSQ.

Anyways, do you think the last part is some kind of hash of username + password? Because every time when you change your password the token changes too.

Also, for accounts that have 2 factor verification on, will always have a token starts with mfa.

[hxr404]

@TKperson I explained it bad, the middle part is always the same for your account only (for each Token you generate) but not for others. For User Accounts its the first 3 chars and for Bot account all 6. Now we can think about what changes for user accounts but not for Bot accounts, and than we'll maybe know what they represent. But at the moment idk what this could be

I think the last part is some Kind of RNG Value, bc if you set the password exactly the same, it changes anyways. If you verify your Email/Phone it also changes. I think its just a RNG function that gets triggered by one of those actions. (Its the real "password" bc the first part can easily be calculated, and I think the 2nd part also isn't random and just represents smth.=

For 2 factor verification there is another issue, #12

[neosophaux]

the token syntax is as follows:

• user id
• the unix timestamp the token was created
• 160-bit security hash

mfa tokens are far more difficult to generate as they do not follow this syntax, so i'd enable 2fa on personal accounts

[hxr404]

oh yeah I forgot about this issue here I continued my "token research" here: https://github.com/hxr404/Discord-Console-hacks#inner-workings-of-discord

This image explains it pretty good (credit to Flam3rboy) tokens are JWT