Best way to obfuscate/hide token

BielNS · July 14, 2021, 8:23pm

ok soo i got this 10 line script from a thread that sends a message to my bot in discord which then sends in a channel, however idk anything about http but i believe that if i show this token to anyone they will have full acess to my bot and be able to send messages in that channel, soo i want to obfuscate my script soo people cant use it incase i accidentally show that script while doing a dev coding video, heres the code (not showing the token ok)

local HttpService = game:GetService("HttpService")
local lua = {}

function lua.sendmsg(msg)
	local channelid = "not showing the id ok"
	local token = "not showing the token ok"
	local messageContent = msg
	
	HttpService:RequestAsync({
		Url = ("https://discord.com/api/v8/channels/%s/messages"):format(channelid),
		Method = "POST",
		Headers = {
			["Authorization"] = "Bot "..token,
			["Content-Type"] = "application/json"
		},
		Body = HttpService:JSONEncode({["content"] = messageContent})
	})
end

return lua

plz help

Daw588 · July 14, 2021, 8:26pm

You will want to create a ModuleScript that could be called env which will store all of your secrets.

Make sure to put it in the ServerStorage or ServerScriptService so players will not have access to it. You also want to have a Script that will access it.

return {
	webhookToken = "some super secret token"
}

In the Script, you want to require the env module, and you will no longer able to see your secrets unless you open the env module or print one out.

local ServerStorage = game:GetService("ServerStorage")
local env = require(ServerStorage:FindFirstChild("env"))
print(env.webhookToken)

Just keep in mind that your collaborators that have access to your place will able to see them if they open the env module.

env stands for environment, it’s a well-known file for storing secrets that you don’t want to put in your code so that you can share your code without worrying about exposing your secrets such as tokens, API keys, and whatever else you want to hide.

majdTRM · July 14, 2021, 8:26pm

I’ve heard of people using the DataStore to store tokens, but not totally sure about that.

Also if this is a server script, I’m pretty sure the client can’t see it anyway, unless it is collaborators you are worried are going to see this.

If this is a localscript, consider changing the handling to be on the server side instead via a RemoteEvent

BielNS · July 14, 2021, 8:28pm

im worried that incase i decide to record a vid doing deving i may accidentally go in that script and end up showing it to everyone

BielNS · July 14, 2021, 8:31pm

ok imma try that
(chaaaaaaaaaar limit)

majdTRM · July 14, 2021, 8:31pm

I realized this is a modulescript.

As Daw588 has said, put your modulescript in ServerStorage or ServerScriptService, and change all references to it to use it from there.

If it is being used by localscripts, you should use remoteevents instead and store it on the server

majdTRM · July 14, 2021, 8:32pm

Yes, in that case then you should follow Daw558’s advice and store it in a ModuleScript that you shall always keep closed and never open again (except for updated the token).

BielNS · July 14, 2021, 8:35pm

ok i did that now i feel safer thx