Skip to content

Instantly share code, notes, and snippets.

@Vap0r1ze

Vap0r1ze/discord_oauth2.md

Last active September 20, 2025 15:13
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Vap0r1ze/776b0f841ce01fc2b0801933b79960df to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Vap0r1ze/776b0f841ce01fc2b0801933b79960df to your computer and use it in GitHub Desktop.
Download ZIP
Discord OAuth2 Flow
Raw
discord_oauth2.md

Discord OAuth2

Step 1

You: Redirect User to https://discordapp.com/api/oauth2/authorize

Query Params
name value
client_id Your application's Client ID
scope A list of scopes, delimited by spaces
redirect_uri The uri to send the user after authorization

Step 2

Discord: Redirect User to redirect_uri

Query Params
name value
code Temporary code for requesting access token

Step 3

You: POST https://discordapp.com/api/oauth2/token

"Form Data" means the body must be sent as application/x-www-form-urlencoded

Form Data
name value
client_id Your application's client id
client_secret Your application's client secret
code Temporary code for requesting access token
grant_type "authorization_code"
redirect_uri The uri to send the user after authorization
Response JSON Data
name value
access_token Token used to make api requests as user
refresh_token Token used to get a new access token
expires_in Expiry time relative to now in seconds
scope List of scopes the access token has

Refreshing an access token

You: POST https://discordapp.com/api/oauth2/token

Form Data
name value
client_id Your application's client id
client_secret Your application's client secret
refresh_token Refresh token for desired user
grant_type "refresh_token"
@KenCOCOCO
Copy link

KenCOCOCO commented Oct 9, 2020

@valentin-b99 the refresh token only expires when the user unauthorizes the application through their settings

The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@Vap0r1ze
Copy link
Author

Vap0r1ze commented Oct 10, 2020
edited
Loading

The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@KenCOCOCO This is untrue. The access token is what expires when the expires_in parameter has passed; the refresh token is used to refresh the access token — agnostic of if the access token has expired.

Reread this 5 years later and this is obviously true. I was so silly lol

@ascooper57
Copy link

ascooper57 commented Mar 1, 2021
edited
Loading

Step 3, calling from axios, tried passing data as depicted below and JSON.stringified() always get a 400 error. Perhaps there are headers required?

{
"method": "POST",
"url": "https://discordapp.com/api/oauth2/token",
"data": {
"client_id": "#############6944",
"client_secret": "**********************************",
"code": "hOA6snQVHePUKB9eyjq2Bxf6CDusfz",
"grant_type": "authorization_code",
"redirect_uri": "https://stardust.auth.us-east-1.amazoncognito.com/oauth2/idpresponse"
}
}

2021-03-01T23:36:58.188Z ERROR Token for (hOA6snQVHePUKB9eyjq2Bxf6CDusfz, j349qxcnz5.execute-api.us-east-1.amazonaws.com/Prod, Request failed with status code 400) failed: %s

================================================================================================

const params = {
method: 'POST',
url: ${urls.oauthToken},
data: {
client_id: DISCORD_CLIENT_ID,
client_secret: DISCORD_CLIENT_SECRET,
code: code,
grant_type: 'authorization_code',
redirect_uri: COGNITO_REDIRECT_URI,
},
};
const response = axios(params).then(check)

@ascooper57
Copy link

ascooper57 commented Mar 2, 2021

The solution was to use qs to stringify and add the header:

    headers: {
      'content-type': 'application/x-www-form-urlencoded;charset=utf-8',
    },

@Vap0r1ze
Copy link
Author

Vap0r1ze commented Mar 2, 2021

For future reference, "Form Data" means the body must be sent as application/x-www-form-urlencoded

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment