Tracking | discord-unofficial-docs (original) (raw)
There are two routes for User tracking / User data Collection: /api/track and/api/science.
/api/track is the same as /api/science, both do work and accept the same input. The reasoning for /api/science to appear is that adblocking software was denying requests for /api/track because of the obvious name.
They seem to be the main way Discord collects user information. At the time of writing, the client sends user data through those routes, including when the user explicitly denied such "collection". The reasoning behind this behavior is that the Privacy & Safety settings only cite use of the given data, NOTcollection of the data to start with.
Discord argues that they need to collect the data in the case the User allows the usage of the data later on. Which in the author's opinion is complete bullshit. Have a good day.
You can only delete all tracking data via deleting or disabling your account.
POST /api/science
Called by the official clients to give user data to Discord. The routes can be called at, theoretically, any point in time, but the _usual_behavior is when you change channels, servers, enter/exit settings, acknowledge messages, etc.
It contains two headers that are specific to tracking: X-Fingerprint andX-Super-Properties.
The X-Fingerprint header specifies a device fingerprint, it is an "opaque" string given by the POST /api/v6/auth/fingerprint route (request does not contain body). It is assumed fingerprint generation happens on first client start, or first client login.
The X-Super-Properties header encodes a base64 representation of a Super Properties object.
Super Properties object
| field | type | description |
|---|---|---|
| os | string | operating system |
| browser | string | browser string, e.g Chrome |
| browser_user_agent | string | full browser user agent string |
| browser_version | string | complete browser version |
| os_version | string | operating system version, if available |
| release_channel | string | the client's release channel, stable, ptb, canary |
| client_build_number | integer | the client's build number |
| client_event_source | Nullable[?] | ??? |
| referrer | string | ??? |
| referring_domain | string | ??? |
| referring_domain_current | string | ??? |
Following fields are targeted towards mobile clients.
| field | type | description |
|---|---|---|
| device | string | device information (model and manufacturer) |
| device_id | string | device identifier |
| os_sdk_version | string | Android API level |
Request body
The body encodes a JSON object:
| field | type | description |
|---|---|---|
| token | string | analytics token. unknown if this ties up to your auth token |
| events | list of Event | events made by the user |
Event object
Note: The only REQUIRED field is type. Extensions to the Event object are explained here.
Look at a list of valid event types and respective bodieshere.
| field | type | description |
|---|---|---|
| type | string | event type |