Discord Bot Token

Detects Discord bot tokens: three dot-separated base64url segments where the first segment is the bot's numeric snowflake ID base64-encoded (always starting M, N, or O because it encodes an ASCII digit), the second is a 6-character timestamp, and the third is an HMAC of 27 to 38 characters. A leaked bot token grants full control of the bot account, including reading every channel the bot can see and sending messages as the bot.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: the triplet structure is rigid (three exact-charset segments with tight length bounds and a structurally-derived [MNO] first character -- base64 of an ASCII digit always starts M, N, or O) and is independently attested by four detector ecosystems plus Discord's GitHub secret-scanning partnership (push protection enabled) and GitGuardian's prefixed high-recall detector. Kingfisher and GitHub's push protection fire on the bare shape in production, supporting a value-only discovery tier; TruffleHog label-gates the same regex as part of its standard PrefixRegex convention (no FP-motivated comment), the same divergence this corpus documents for other structurally-distinctive formats. The third-segment 27-38 range is a recall-protective envelope: 27 is pinned exactly by the production scanners, 38 comes only from a community regex database, and no vendor announcement documents a length change -- the envelope covers both attestations rather than asserting an unverified format timeline.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
8
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_-])[MNO][A-Za-z0-9_-]{23,27}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,38}(?![A-Za-z0-9_-])

Corroborative evidence keywords

discord, discord.com, DISCORD_TOKEN, DISCORD_BOT_TOKEN, bot token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References