Discord Bot Token
Detects Discord bot tokens: three dot-separated base64url segments where the first segment is the bot's numeric snowflake ID base64-encoded (always starting M, N, or O because it encodes an ASCII digit), the second is a 6-character timestamp, and the third is an HMAC of 27 to 38 characters. A leaked bot token grants full control of the bot account, including reading every channel the bot can see and sending messages as the bot.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the triplet structure is rigid (three exact-charset segments with tight length bounds and a structurally-derived [MNO] first character -- base64 of an ASCII digit always starts M, N, or O) and is independently attested by four detector ecosystems plus Discord's GitHub secret-scanning partnership (push protection enabled) and GitGuardian's prefixed high-recall detector. Kingfisher and GitHub's push protection fire on the bare shape in production, supporting a value-only discovery tier; TruffleHog label-gates the same regex as part of its standard PrefixRegex convention (no FP-motivated comment), the same divergence this corpus documents for other structurally-distinctive formats. The third-segment 27-38 range is a recall-protective envelope: 27 is pinned exactly by the production scanners, 38 comes only from a community regex database, and no vendor announcement documents a length change -- the envelope covers both attestations rather than asserting an unverified format timeline.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_-])[MNO][A-Za-z0-9_-]{23,27}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,38}(?![A-Za-z0-9_-])
Corroborative evidence keywords
discord, discord.com, DISCORD_TOKEN, DISCORD_BOT_TOKEN, bot token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)
Proximity: 300 characters
Should match
MTIzNDU2Nzg5MDEyMzQ1Njc4.AAAAAA.ABCDEFGHIJKLMNOPQRSTUVWXYZa— Discord bot token (24.6.27, the production-scanner-pinned HMAC length; first segment decodes to a sequential fake ID)DISCORD_BOT_TOKEN=NzAxMjM0NTY3ODkwMTIzNDU2Nzg5.BBBBBB.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL— Labelled bot token with a 28-char first segment and a 38-char HMAC (the community-attested envelope ceiling)ODk4NzY1NDMyMTA5ODc2NTQzMjE.CCCCCC.0123456789abcdefghijklmnopqrstuvwxyz01— Bot token with O-leading 27-char first segment and 38-char HMAC
Should not match
XYZ4NTY3ODkwMTIzNDU2Nzg5MDE.AAAAAA.ABCDEFGHIJKLMNOPQRSTUVWXYZa— First character not M/N/O (a base64-encoded numeric snowflake cannot start with X)MTIzNDU2Nzg5MDEyMzQ1Njc4.AAAAAA.ABCDEFGHIJKLMNOP— Third segment far too short (16 chars, below the 27-char floor)MTIzNDU2Nzg5MDEyMzQ1Njc4.AAAAAAAAAA.ABCDEFGHIJKLMNOPQRSTUVWXYZa— Middle timestamp segment wrong length (10 chars, not 6)the discord bot token must be regenerated in the developer portal— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Three-part dotted base64url runs inside longer chains (for example JWT fragments or minified code) that happen to satisfy the segment lengths. Mitigation: The rigid 6-character middle segment and [MNO] first character make coincidental matches rare; corroborative Discord keywords gate the recommended confidence tier, and boundary lookarounds reject runs glued into longer identifiers.
- Discontinued formats -- mfa.-prefixed user tokens (dead since May 2022) and 64-hex "API keys" (gitleaks' label-gated discord-api-token rule) -- are not matched. Mitigation: Documented as a deliberate scope decision; the 64-hex shape near a discord label is generic and the mfa. format no longer exists on live accounts.
- Documentation or examples showing placeholder token triplets. Mitigation: Require corroborative Discord keywords and check for placeholder markers (example, xxxx).
References
- TruffleHog production Discord detector (label-gated [A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27})
- Kingfisher production Discord Bot Token rule (value-only [MNO][A-Z0-9_-]{23}\.[A-Z0-9_-]{6}\.[A-Z0-9_-]{27} + entropy)
- detect-secrets DiscordBotTokenDetector ([MNO][a-zA-Z\d_-]{23,25}\.[a-zA-Z\d_-]{6}\.[a-zA-Z\d_-]{27})
- Community regex-token database (Discord [MNO][0-9A-Za-z_-]{23,25}\.[0-9A-Za-z_-]{6}\.[0-9A-Za-z_-]{27,38}; sole source for the 38-char HMAC ceiling, self-labeled approximate)
- python-discord moderation bot's operationally-validated token triplet (taken from discord-developers / the client's own parsing)
- Supported secret scanning patterns - GitHub Docs (Discord Bot Token, partner + push protection)