Why Your Bot Token Is Sensitive
Your Discord bot token is the password to your bot account. Anyone with your token can control your bot, send messages as it, join servers, and access user data. A leaked token is a serious security incident.
Never Hardcode Tokens
The most common mistake is putting the token directly in your code file:
// Never do this
client.login('YOUR_TOKEN_HERE');
Bots scan GitHub constantly: if you commit this to a public GitHub repository, they will steal your token within minutes.
Use Environment Variables
Store your token as an environment variable. In Node.js:
client.login(process.env.DISCORD_TOKEN);
In your CraftNodes Pterodactyl panel, add DISCORD_TOKEN as a variable in the Startup tab. The value is stored securely and injected at runtime.
Use .env Files Locally
For local development, use a .env file with the dotenv package. Add .env to your .gitignore so it is never committed.
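The three habits above can be checked automatically before a commit or at startup. The following is an added example, not code from CraftNodes, Discord or dotenv; the function names and sample inputs are constructed, and the .gitignore check assumes only the common spellings of the rule.

```javascript
// Added example: names and sample inputs below are constructed for illustration.

// Matches login() called with a quoted literal instead of process.env.
const HARDCODED_LOGIN = /\.login\(\s*(['"`])[^'"`]+\1\s*\)/;

// 1-based line numbers that pass a literal to login(). Commented-out lines
// are reported too, since a token in a comment is committed all the same.
function findHardcodedLogins(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((line, i) => {
    if (HARDCODED_LOGIN.test(line)) hits.push(i + 1);
  });
  return hits;
}

// True when the last matching .gitignore rule ignores .env ("!" re-includes).
function gitignoreCoversEnv(text) {
  const rules = ['.env', '/.env', '.env*', '*.env'];
  let ignored = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (rules.includes(line)) ignored = true;
    else if (line.startsWith('!') && rules.includes(line.slice(1))) ignored = false;
  }
  return ignored;
}

// Read the token from the environment and fail fast, never echoing its value.
function loadToken(env = process.env) {
  const token = (env.DISCORD_TOKEN || '').trim();
  if (!token) throw new Error('DISCORD_TOKEN is not set');
  if (token === 'YOUR_TOKEN_HERE') throw new Error('DISCORD_TOKEN is a placeholder');
  return token;
}

// Constructed sample inputs.
const SAMPLE_SOURCE = [
  '// bot entry point',
  "client.login('YOUR_TOKEN_HERE');",
  'client.login(process.env.DISCORD_TOKEN);',
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules\n.env\n';

console.log('hardcoded login on lines:', findHardcodedLogins(SAMPLE_SOURCE));
console.log('.env ignored:', gitignoreCoversEnv(SAMPLE_GITIGNORE));
```

Calling loadToken() in place of reading process.env.DISCORD_TOKEN directly makes a missing variable fail at startup with a clear message instead of a rejected login.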
If Your Token Is Leaked
Go to the Discord Developer Portal immediately, navigate to your application, and regenerate the token. Update your CraftNodes environment variables with the new token and restart your server.