securing discord bot token on repl.it

I went through random tutorials on repl.it recently. Actually, I'm more interested in discord.py, so I went through random posts and profiles and, of course, the projects (yeah, me stalky).

So yeah, I figured I'd learn new stuff from random projects, but looking at a few discord.py bot source codes on repl.it, I found numerous projects where the token was simply left in the main.py file. Putting the token somewhere publicly accessible is not good for your bot, and it also endangers all the servers your bot is in and has permissions on.

The token is the key to complete access to a Discord Bot. You must not leave it in any file that can be accessed publicly. This applies not just to the Discord Bot token but to any sort of authorization token or API key you use in your projects. DO NOT store them in files that can be seen and read by everyone.

So now the question may arise,

Where to store the token?

Simple answer? Use .env files.
You can simply put the token in a .env file. The .env file is hidden from the public; the only people who can access it and read its content are you and the people you give editor access to.

For example, the token for my bot is abcdefg.
Now I may use

which would be totally stupid, since I'm revealing the token, and it's almost like writing there "Come misuse my bot to raid servers where it has permissions to Administrate/manage/kick/ban".

We certainly don't want that to happen, do we?

So I create a new file, named .env, and inside it, I enter

Now in the main.py file, I'll import the os library,

Using the os library, we'll now grab whatever content the TOKEN variable stores in the .env file, and we'll store it in another variable called token in the main.py file.

And Voila!!

Now the token is stored in a file which is completely hidden from the public, and only you and your fellow editors can access this file.

So here comes the moment where I'm supposed to beg for upvotes?

Actually, no. Only upvote this if I was able to help you in any manner possible, else don't.
I literally want to see how many people I helped with this post. I dunno if this sounds rude to you, but even if it stays at 0 upvotes, I'd like it enough. I just want to see if I was able to stop some bots from getting misused, their permissions in servers getting abused, or some servers getting raided, mass mentioned, mass banned/kicked. I'd be happier if I was able to prevent that from happening for people.

Thank you!
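
The steps described in the post, as an added example that is not the original poster's code: reading `TOKEN` from the environment and refusing to start without it, plus a small check that flags a token left in `main.py`. The names `load_token` and `find_hardcoded_tokens` are hypothetical, the sample sources are constructed, and it assumes the bot is started with a `.run(...)` call as in discord.py.

```python
import os
import re

# Matches a quoted literal handed straight to .run(...), e.g. client.run("abcdefg").
HARDCODED_RUN = re.compile(r"""\.run\(\s*(['"])[^'"]+\1""")


def load_token(env=os.environ, name="TOKEN"):
    """Read the token from the environment (populated from .env); fail if absent."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set; define it in .env, not in main.py")
    return token


def find_hardcoded_tokens(source, token=None):
    """Return (line_number, reason) for each line of source that exposes a token."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if HARDCODED_RUN.search(line):
            findings.append((lineno, "string literal passed to .run()"))
        elif token and token in line:
            findings.append((lineno, "token value appears in source"))
    return findings


# Constructed samples: main.py before and after moving the token into .env.
BAD_MAIN = 'import discord\nclient = discord.Client()\nclient.run("abcdefg")\n'
GOOD_MAIN = (
    "import os\nimport discord\n"
    'token = os.getenv("TOKEN")\n'
    "client = discord.Client()\nclient.run(token)\n"
)

if __name__ == "__main__":
    print(find_hardcoded_tokens(BAD_MAIN, "abcdefg"))   # flags line 3
    print(find_hardcoded_tokens(GOOD_MAIN, "abcdefg"))  # no findings
    print(len(load_token({"TOKEN": "abcdefg"})))        # token length only
```

Running the check over every public file before sharing a repl catches a token that was pasted in during testing and never removed.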


Great! I've always stored my token in a .env file though, liking your tutorials!
Have you created any discord bots?


@CoolJames1610 Yeah, I created an Alt Detector, though there's one existing already, but its web dashboard is a bit too complex, so I made a simpler one to use. I have a few half-finished projects, like an RPG bot.

Your projects look pretty cool too!!


@HarshVardhan19 Thanks, could I see how you made a dashboard? I want to make one too.


@CoolJames1610 I meant, I built a simpler Alt Detector, unlike the AltDentifier bot with the web dashboard, which, for me, is a bit complex to set up for servers.


@HarshVardhan19 oh ok thanks


This is helpful but I gotta research what bot token is lol


Does this work with other file types like .ini?


@InventBoss It doesn't. Replit is also removing .env files and creating a completely different way to define environment variables. So this post will probs get outdated soon lol


Thanks, helps a lot!