How bot tokens are stored
The exact mechanics - what algorithm, where the key lives, who can decrypt, and what else gets the same treatment.
Encryption at rest
Bot tokens are encrypted with industry-standard authenticated encryption before they’re written to storage. That choice does two useful things for a credential: tampered ciphertext fails to decrypt instead of returning garbage, and identical tokens look different at rest so an attacker who somehow saw the storage couldn’t tell which two accounts share a value.
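The two properties described above, shown as an added example that is not TicketCord's own code. The page does not name the algorithm, so AES-256-GCM from Node's built-in crypto module is an assumption, as are the function names, the record layout, and the account id bound as associated data (a detail that goes beyond what the page states).

```javascript
// Added example, not TicketCord code. AES-256-GCM is an assumed algorithm;
// the function names and the nonce|tag|ciphertext layout are hypothetical.
const crypto = require('node:crypto');

// Constructed demo key. A real key would come from a KMS or secret store.
const KEY = crypto.randomBytes(32);

// Encrypt one credential. `context` (an account id, assumed here) is bound as
// associated data, so a record copied onto another account fails to decrypt.
function sealToken(key, token, context) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Decrypt and authenticate. Returns null on any failure, never partial output.
function openToken(key, record, context) {
  if (record.length < 28) return null; // too short to hold nonce + tag
  const nonce = record.subarray(0, 12);
  const tag = record.subarray(12, 28);
  const ct = record.subarray(28);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAAD(Buffer.from(context, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the tag does not match, before anything is returned.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Exercise both properties with a constructed token value (not a real one).
function demo() {
  const token = 'constructed-sample-token';
  const a = sealToken(KEY, token, 'account-1');
  const b = sealToken(KEY, token, 'account-2');
  const tampered = Buffer.from(a);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: openToken(KEY, a, 'account-1') === token,
    sameAtRest: a.equals(b),
    tamperedOpens: openToken(KEY, tampered, 'account-1') !== null,
    movedOpens: openToken(KEY, a, 'account-2') !== null,
  };
}
console.log(demo());
```

Only `roundTrip` comes back true: the two stored records differ even though the token is identical, and both the bit-flipped record and the record presented under the wrong account id are rejected.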
Who can read your token back
Nobody, by design. There’s no admin screen in TicketCord that shows you a token, and our staff can’t look one up either. If you ever need a new token, reset it in the Discord Developer Portal and paste the new value in - there’s no recovery path that involves anyone reading the old one.
At runtime, the bot needs the token to sign in to Discord. That decryption happens server-side, only for the lifetime of the bot’s connection, and the plaintext is never logged or sent over the network in cleartext.
What else gets the same protection
Anything that’s technically a credential - your bot tokens, Discord application secrets, webhook signing secrets, and per-user OAuth tokens we use to fetch your server list. Ordinary configuration, ticket transcripts, and knowledge-base content sit behind our infrastructure controls but aren’t encrypted under the credential key.
Rotating your bot token
Reset the token in the Discord Developer Portal, then paste the new value into TicketCord - Discord ends the old session automatically and we pick up the new token on the next connection. Step-by-step instructions are in Create your first bot.