Authentication
Every request from your bot to Floodilka (REST and Gateway) must carry an Authorization header with the bot token.
Token format
The token has the shape:

```
<application_id>.<secret>
```

- application_id — the non-sensitive application ID (the same one you use in invite URLs)
- secret — the secret half, shown exactly once when the token is reset
Together they grant full access to the bot account. Neither half works alone.
REST requests
The prefix is required — it’s Bot:
```http
GET /api/v1/users/@me HTTP/1.1
Host: floodilka.com
Authorization: Bot 1496956937664585746.ZjBkYjE5ODI3NjQ4MGY4MTc1NzFjMjY1
```

In code:
```js
// The token comes from the environment; the "Bot " prefix is added here, per request.
await fetch('https://floodilka.com/api/v1/users/@me', {
  headers: {Authorization: `Bot ${process.env.FLOODILKA_BOT_TOKEN}`},
});
```

Gateway IDENTIFY
IDENTIFY carries the same token, but without the Bot prefix:

```json
{
  "op": 2,
  "d": {
    "token": "1496956937664585746.ZjBkYjE5ODI3NjQ4MGY4MTc1NzFjMjY1",
    "properties": {"os": "linux", "browser": "mybot", "device": "mybot"}
  }
}
```

Unlike REST, the Gateway wants the bare token. If IDENTIFY includes a Bot prefix, the server closes with 4004 AUTHENTICATION_FAILED.
Storing the token
Never:
- Commit the token to git
- Embed it in client apps (browser extension, mobile app)
- Paste it into screenshots
- Send it in support chats
Correct:
- A .env file added to .gitignore
- Your hosting provider’s secret manager (Railway Variables, Fly.io secrets, Docker secrets)
- Environment variable on a VPS via systemd EnvironmentFile
Rotation
If the token leaks, reset it immediately in Settings → Applications & Bots → Bot tab → Reset Token. The old token stops working the moment the new one is issued; any running process with the old token starts getting 401 Unauthorized (REST) or 4004 AUTHENTICATION_FAILED (Gateway).
Authentication errors
| Status | When | What to do |
|---|---|---|
| 401 Unauthorized | Token missing, truncated, or rotated | Check .env, re-reset if needed |
| 403 Forbidden | Token is valid but the action isn’t allowed (missing permission, bot not in guild) | Check the invite URL; see Permissions |
Gateway
| Close code | When | What to do |
|---|---|---|
| 4004 AUTHENTICATION_FAILED | Token is invalid | Do not reconnect. Reset and update the token |
| 4003 NOT_AUTHENTICATED | Client sent a payload before IDENTIFY | Reconnect and follow the correct order HELLO → IDENTIFY |
More: Close codes.
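The rules on this page (token shape, Bot prefix for REST but not for IDENTIFY, and which close codes allow a reconnect) collected into small helpers. This is an added example, not Floodilka's own code: the function names are hypothetical, the sample token is constructed, and splitting at the first dot assumes the application ID contains none.

```javascript
// Added example; helper names are hypothetical, not a Floodilka SDK API.

// Validate "<application_id>.<secret>" at startup so a truncated or prefixed
// value fails here rather than later as 401 / 4004.
// Assumption: the application ID contains no dot, so we split at the first one.
function parseToken(raw) {
  const token = String(raw ?? '').trim();
  if (/^Bot\s/i.test(token)) {
    throw new Error('store the bare token; the "Bot " prefix is added per request');
  }
  const dot = token.indexOf('.');
  if (dot <= 0 || dot === token.length - 1) {
    throw new Error('token must have the shape <application_id>.<secret>');
  }
  return { token, applicationId: token.slice(0, dot) };
}

// REST: Authorization header with the "Bot " prefix.
function restHeaders(raw) {
  return { Authorization: `Bot ${parseToken(raw).token}` };
}

// Gateway: IDENTIFY (op 2) carries the bare token, no prefix.
function identifyPayload(raw, properties) {
  return { op: 2, d: { token: parseToken(raw).token, properties } };
}

// Log-safe form: the application ID is non-sensitive, the secret never is.
function redact(raw) {
  return `${parseToken(raw).applicationId}.<redacted>`;
}

// Close-code policy from the Gateway table on this page.
function onGatewayClose(code) {
  if (code === 4004) return { action: 'stop', why: 'token invalid: reset and update it' };
  if (code === 4003) return { action: 'reconnect', why: 'send IDENTIFY right after HELLO' };
  return { action: 'unknown', why: 'not covered here; see Close codes' };
}

// Constructed sample token, not a real credential.
const sample = '123456789.constructed-secret';
console.log(redact(sample), restHeaders(sample).Authorization.startsWith('Bot '));
console.log(onGatewayClose(4004).action, onGatewayClose(4003).action);
```

Log the output of redact() instead of the raw token, and treat the 'stop' action as a signal to exit the reconnect loop until a new token is configured.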
What’s next
- Quickstart — a curl example with the token
- Bots overview — bot account lifecycle
- Gateway connection lifecycle — IDENTIFY in detail