There are two routes for User tracking / User data Collection:
/api/track is the same as
/api/science, both do work and accept the
same input. The reasoning for
/api/science to appear is that adblocking
software was denying requests for
/api/track because of the obivous name.
They seem to be the main way Discord collects user information. At the time of writing, the client sends user data through those routes, including when the user explicitly denied such "collection". The reasoning behind this behavior is that the Privacy & Safety settings only cite use of the given data, NOT collection of the data to start with.
Discord argues that they need to collect the data in the case the User allows the usage of the data later on. Which in the author's opinion is complete bullshit. Have a good day.
You can only delete all tracking data via deleting or disabling your account.
Called by the official clients to give user data to Discord. The routes can be called at, theoretically, any point in time, but the usual behavior is when you change channels, servers, enter/exit settings, acknowledge messages, etc.
It contains two headers that are specific to tracking:
X-Fingerprint header specifies a device fingerprint, it is an "opaque"
string given by the
POST /api/v6/auth/fingerprint route (request does not
contain body). It is assumed fingerprint generation happens on first client
start, or first client login.
X-Super-Properties header encodes a base64 representation of a Super
Super Properties object
|browser||string||browser string, e.g |
|browser_user_agent||string||full browser user agent string|
|browser_version||string||complete browser version|
|os_version||string||operating system version, if available|
|release_channel||string||the client's release channel, |
|client_build_number||integer||the client's build number|
Following fields are targeted towards mobile clients.
|device||string||device information (model and manufacturer)|
|os_sdk_version||string||Android API level|
The body encodes a JSON object:
|token||string||analytics token. unknown if this ties up to your auth token|
|events||list of Event||events made by the user|
Note: The only REQUIRED field is
type. Extensions to the Event object
are explained here.
Look at a list of valid event types and respective bodies here.