Tracking
There are two routes for User tracking / User data Collection: /api/track
and
/api/science
.
/api/track
is the same as /api/science
, both do work and accept the
same input. The reasoning for /api/science
to appear is that adblocking
software was denying requests for /api/track
because of the obvious name.
They seem to be the main way Discord collects user information. At the time of writing, the client sends user data through those routes, including when the user explicitly denied such "collection". The reasoning behind this behavior is that the Privacy & Safety settings only cite use of the given data, NOT collection of the data to start with.
Discord argues that they need to collect the data in the case the User allows the usage of the data later on. Which in the author's opinion is complete bullshit. Have a good day.
You can only delete all tracking data via deleting or disabling your account.
POST /api/science
Called by the official clients to give user data to Discord. The routes can be called at, theoretically, any point in time, but the usual behavior is when you change channels, servers, enter/exit settings, acknowledge messages, etc.
It contains two headers that are specific to tracking: X-Fingerprint
and
X-Super-Properties
.
The X-Fingerprint
header specifies a device fingerprint, it is an "opaque"
string given by the POST /api/v6/auth/fingerprint
route (request does not
contain body). It is assumed fingerprint generation happens on first client
start, or first client login.
The X-Super-Properties
header encodes a base64 representation of a Super
Properties object.
Super Properties object
field | type | description |
---|---|---|
os | string | operating system |
browser | string | browser string, e.g Chrome |
browser_user_agent | string | full browser user agent string |
browser_version | string | complete browser version |
os_version | string | operating system version, if available |
release_channel | string | the client's release channel, stable , ptb , canary |
client_build_number | integer | the client's build number |
client_event_source | Nullable[?] | ??? |
referrer | string | ??? |
referring_domain | string | ??? |
referring_domain_current | string | ??? |
Following fields are targeted towards mobile clients.
field | type | description |
---|---|---|
device | string | device information (model and manufacturer) |
device_id | string | device identifier |
os_sdk_version | string | Android API level |
Request body
The body encodes a JSON object:
field | type | description |
---|---|---|
token | string | analytics token. unknown if this ties up to your auth token |
events | list of Event | events made by the user |
Event object
Note: The only REQUIRED field is type
. Extensions to the Event object
are explained here.
Look at a list of valid event types and respective bodies here.
field | type | description |
---|---|---|
type | string | event type |