Tracking

There are two routes for User tracking / User data Collection: /api/track and /api/science.

/api/track and /api/science are equivalent: both work and accept the same input. /api/science exists because adblocking software was denying requests to /api/track because of its obvious name.

They seem to be the main way Discord collects user information. At the time of writing, the client sends user data through those routes, including when the user explicitly denied such "collection". The reasoning behind this behavior is that the Privacy & Safety settings only cite use of the given data, NOT collection of the data to start with.

[Image: Privacy & Safety settings]

Discord argues that they need to collect the data in case the User allows the usage of the data later on, which in the author's opinion is complete bullshit. Have a good day.

You can only delete all tracking data by deleting or disabling your account.

POST /api/science

Called by the official clients to give user data to Discord. The routes can theoretically be called at any point in time, but the clients usually call them when you change channels, change servers, enter/exit settings, acknowledge messages, etc.

It contains two headers that are specific to tracking: X-Fingerprint and X-Super-Properties.

The X-Fingerprint header specifies a device fingerprint. It is an "opaque" string given by the POST /api/v6/auth/fingerprint route (the request does not contain a body). It is assumed that fingerprint generation happens on first client start or first client login.

The X-Super-Properties header encodes a base64 representation of a Super Properties object.

Super Properties object

| field | type | description |
| --- | --- | --- |
| os | string | operating system |
| browser | string | browser string, e.g. Chrome |
| browser_user_agent | string | full browser user agent string |
| browser_version | string | complete browser version |
| os_version | string | operating system version, if available |
| release_channel | string | the client's release channel: stable, ptb, canary |
| client_build_number | integer | the client's build number |
| client_event_source | Nullable[?] | ??? |
| referrer | string | ??? |
| referring_domain | string | ??? |
| referring_domain_current | string | ??? |

The following fields are targeted at mobile clients.

| field | type | description |
| --- | --- | --- |
| device | string | device information (model and manufacturer) |
| device_id | string | device identifier |
| os_sdk_version | string | Android API level |
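
As an added example (not code from these docs or from Discord), the following Python decodes a captured X-Super-Properties value and reports which mobile, identifying and undocumented fields it carries, using the field names from the two tables above. It assumes the object is JSON-serialised before base64 encoding; the `IDENTIFYING` set, the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import json

# Field names copied from the two Super Properties tables on this page.
DOCUMENTED = {
    "os", "browser", "browser_user_agent", "browser_version", "os_version",
    "release_channel", "client_build_number", "client_event_source",
    "referrer", "referring_domain", "referring_domain_current",
}
MOBILE = {"device", "device_id", "os_sdk_version"}
# Assumption for this example: the fields most useful for recognising the
# same device again across sessions.
IDENTIFYING = {"browser_user_agent", "device", "device_id"}


def decode_super_properties(header_value):
    """Decode an X-Super-Properties value; raises ValueError if malformed."""
    padded = header_value.strip()
    padded += "=" * (-len(padded) % 4)  # tolerate stripped base64 padding
    try:
        raw = base64.b64decode(padded, validate=True)
        obj = json.loads(raw.decode("utf-8"))  # assumed: JSON inside base64
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a base64-encoded JSON object: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("decoded value is not a JSON object")
    return obj


def audit(props):
    """Summarise what a decoded Super Properties object discloses."""
    keys = set(props)
    return {
        "mobile": bool(keys & MOBILE),
        "identifying": sorted(k for k in keys & IDENTIFYING if props[k]),
        "undocumented": sorted(keys - DOCUMENTED - MOBILE),
    }


# Constructed sample value, not captured from a real client.
SAMPLE = base64.b64encode(json.dumps({
    "os": "Linux", "browser": "Chrome", "browser_user_agent": "ExampleUA/1.0",
    "release_channel": "stable", "client_build_number": 12345,
    "client_event_source": None, "example_extra": "x",
}).encode()).decode()

if __name__ == "__main__":
    print(audit(decode_super_properties(SAMPLE)))
```

Fields reported under `undocumented` are ones a client sent that the tables above do not list.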

Request body

The body encodes a JSON object:

| field | type | description |
| --- | --- | --- |
| token | string | analytics token. unknown if this ties up to your auth token |
| events | list of Event | events made by the user |

Event object

Note: The only REQUIRED field is type. Extensions to the Event object are explained here.

Look at a list of valid event types and respective bodies here.

| field | type | description |
| --- | --- | --- |
| type | string | event type |