Bot Verification and Data Whitelisting Ro May 15, 2020 19:06 Updated Follow If you're reading this page, you're probably on the path to Big Bot Growth™. Congratulations on your success! We're always thrilled to see a new creation flourishing in the world of Discord. You're probably also reading this page because you've been asked to complete some additional steps on behalf of your bot, including a verification process and whitelisting for Privileged Intents. We are constantly striving to keep Discord a safe place for our users, and we want to first and foremost thank you for your important role in that process. We want to make sure that what you need to do is well understood, doesn't have any surprises or gotchas, and is as quick as possible. If you want to know more about the future of bots coming this year, you should definitely read our blog post: The Future of Bots on Discord. What this article covers: Verification How do I start the process? How long does it take to get verified? What if I'm already in 100 servers? I heard there was a badge. Privileged Intent Whitelisting What if I'm already in 100 servers? How do I get whitelisted? How long does it take to get whitelisted? What is considered an acceptable use case? Stripe Data FAQ Verification Verification is a big step in the world of Discord bots. It’s the secure foundation we need to unlock new features and visibility for developers. Verification means that we can release features that give developers more control over Discord. It means we can encourage users to adopt bots within Discord, instead of scouring the internet. It also means that bots can safely grow orders of magnitude larger than they are today. Protecting user privacy and security, as well as maintaining trust, is our utmost responsibility. We want to ensure that we continue to uphold that as our bot ecosystem grows. Therefore, we are making verification a requirement for bots in 100 or more servers. Until your bot is verified, you will not be able to grow past 100 servers. If your bot is already in more than 100 servers, it will not be able to join any more. We recognize that this is a big change, so we’re instituting a 6 month deprecation period ending on October 7, 2020 to get everyone verified that meets the criteria. Until that date, no restrictions will be enforced. After being verified, you and your other team members will receive a Verified Developer badge on your Discord profiles, as recognition of your success as developers on Discord. Your bot will also received a Verified check mark, to show you're the only you! How do I start the process? Head on over to your bot's settings page in the Developer Portal. At the top of that page will be a banner with instructions on how to get started. This process is currently available for bots in 75 or more servers, to allow developers to preemptively apply. How long does it take to get verified? Once you submit a verification request, a human will look at your submission and get back to you. From now until the deadline of October 7, 2020, while no limits are being enforced, we will strive for a five business day turnaround time for all verification requests. During this time period, we will evaluate our process to ensure that we can commit to faster turnaround times after the deprecation period has ended. Please be mindful of the influx of verification requests that we will receive during the initial roll-out. What if I'm already in 100 servers? If your bot is already in 100 servers, you have until October 7, 2020 to go through our verification process. After that date, if you have not been verified, your bot will not be able to join any new servers. I heard there was a badge. That's not a question, but yes! After being verified, you and your other team members will receive a Verified Developer badge on your Discord profiles, as recognition of your success as developers on Discord. Your bot will also received a Verified bot badge. If you do not receive your badge, or one of your team members did not receive it, please reach out to support to let us know. Privileged Intent Whitelisting As part of the verification process, we’re including an opt-in process to get whitelisted for Privileged Gateway Intents. We believe that whitelisting access to certain information at scale, as well as requiring verification to reach that scale, will be a big positive step towards combating bad actors and continuing to uphold the privacy and safety of Discord users. Again, this only applies to bots in 100 or more servers. You may start the process as early as 75 servers, and you have until October 7, 2020 to complete it before limitations are enforced. You must apply for whitelisting if you turn on any of the Privileged Intents for your bots in the Dev Portal like so and your bot is in 100 or more servers: What if I'm already in 100 servers? If you're already in 100 servers and want to enable Privileged Intents for your bot, you may do so from now until October 7, 2020 and get whitelisted after turning them on. After our deprecation period ends, if your bot is in over 100 servers, you cannot turn on Privileged Intents until you get whitelisted first. We don't want you to have broken bots, so please get whitelisted first. How do I get whitelisted? At the top of your bot settings page, you should see a button to begin the process if your bot is in 75 or more servers. If you don't see that and believe you should, please reach out to us via support. When you click that button, you'll be redirected to a questionnaire. We'll ask you a few questions including: Which Intents you're applying for Your use case for those Intents Some data security and privacy questions The ability to edit your verification request, if you have already submitted one, with new information regarding your new needs How long does it take to get whitelisted? Once you submit an application, a human will look at your submission and get back to you. From now until the deadline of October 7, 2020, while no limits are being enforced, we will strive for a five business day turnaround time for all verification requests. During this time period, we will evaluate our process to ensure that we can commit to faster turnaround times after the deprecation period has ended. Please be mindful of the influx of verification requests that we will receive during the initial roll-out. What is considered an acceptable use case? We're glad you asked! (And, we know this was the big question on your mind). As with most things, it is up to the details of the implementation. Rather than list out every possible idea, or have you extrapolate on examples, here are some principles that guide the way we think. If you have questions about your particular use case, be as descriptive as possible in your application, and please feel free to reach out to our support team, or talk to us in our Discord Server! We're happy to talk you through the process. Meet User Expectations In general, a good principle of privacy is to ask yourself "Would someone be surprised by this?" If the answer isn't solidly "no", it might be worth evaluating. Practice Principles of Least Privilege The principles of least privilege state that you should only be asking for privileges that you fundamentally need. The Discord API is pretty vast, and there may be a better way to go about what you're trying to do. We'd love to have that conversation with you and help you think it through! Be Sensitive to What Info You Have Info from Discord comes in many shapes and sizes, and you have a large responsibility to be sensitive to what info you're getting and storing, especially with data from Privileged Intents. If you're using data that is fully anonymous and aggregated, ensure that access to that data is limited to only those who should be able to see it, be that in the context of your development team or privileges in a server.If you're using information about individuals, make sure you really take user expectations to heart, and provide users with a way to request deletion of that data. Be Sensitive to Who Has Access Discord Servers are often private places. Even in public servers, though they're welcome for everyone to join, people have a sense that what they're doing is in that community, and not mirrored or copied somewhere else. Be mindful of who on your team has access to information, as well as under what privileges you show users access to it. For example, data about a specific server--even anonymous and aggregated--should probably be limited in access to just people in that server with proper permissions. We know this was a lot. If you have any questions about the process or requirements, please feel free to get in touch with us over at dis.gd/contact, or come see us in our Discord Server! We want to help and ensure all of this is as painless as possible. Thank you for your hard work in helping keep Discord a safe place for everyone, and we can't wait to see your creation flourish! Stripe Data FAQ What's the relationship beween Stripe and Discord? Stripe acts as our identity verification provider, and is legally and contractually obligated to only use the data in a way that we’ve approved, which is to provide the service of identity verification. The data still comes from Discord and still belongs to Discord, and so we have the right and ability to remove that data. Essentially, they’re providing a service to us like Google or Cloudflare does. Who can access the information I submit? A small number of employees (as in, fewer than ten) who are involved in security and legal will be able to access the information. The information is not stored on Discord itself and is not generally accessible to employees outside of this group. We understand that this is highly sensitive, and access to the information is not something that we take lightly. It is expressly for the use case of bad, bad actors. We’re not talking about general Trust and Safety concerns, like spambots or a bot deleting channels in a server. Instead, we’re looking to prevent data breaches, wide-scale privacy violations, and illegal activity.(edited) Why are you doing this, again? Discord is a platform where hundreds of millions of people talk to each other on a daily basis about everything going on in their lives. Keeping that information secure is one of our top priorities. We spend a lot of time hardening the security of our internal databases and procedures, but we also want to make sure that access to data through the API is also handled responsibly and thoughtfully. This includes proactive measures, like this verification process, proper authentication and limits on our APIs, and stipulations in our Developer Terms of Service, like the mandate that End-User data is encrypted at rest. As such, verification accomplishes two goals: it serves as a barrier to growth to bad actors in the first place, and it is also a method to act on them if they are to get through that barrier. How can I delete the information I’ve submitted? Removing information upon demand defeats the purpose of verifying identity. At the same time, we have no interest in keeping this data longer than we need to, and we want to balance those two principles. As such, our retention policy is that we'll remove the identification information a year after the bot that it is connected with has been deleted. This is in line with industry-standard retention guidelines for anti-abuse and anti-fraud situations. Keeping information after bot deletion for some amount of time is absolutely necessary — as we know in the security world, some misdeeds don't come to light immediately, and we want to make sure that we can take the steps to keep users safe. Legal Nerd Hat In case you're curious about the legal front, use of data for this purpose is outlined both in the GDPR (see Recital 47), as well as the CCPA (Cal Civ Code § 1798.105(d)(2)). Was this article helpful? Have more questions? Submit a request Other ways to find help. Need More Support? Submit a request to our team through here! Twitter Have a quick question? Hit us up on Twitter! Related articles Intro to Webhooks Blog: How to use Discord for your classroom Spellcheck in Discord How to Use Discord for Your Classroom Why is Discord asking for my birthday?