Trust & Security
We design for least privilege and transparent installs. Here's exactly how we handle permissions, tokens, and runtime security.
Permissions (plain English)
We request only what your features need—no admin by default.
Every permission is explicitly scoped. Before you install, you'll see each permission bit and a plain-English explanation of why we need it.
How Discord permissions work
Discord uses an integer-based permission system (OAuth2). Each permission is a bit in that integer. We calculate the minimum set for your bot's features and show you exactly what we're asking for.
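The bit arithmetic described above, as an added example (not VibeCord's own code). The bit positions are Discord's published permission flags; the feature names and the `FEATURE_PERMS` mapping are hypothetical.

```python
# Discord permission flags (bit positions as published by Discord).
PERMS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MODERATE_MEMBERS": 1 << 40,  # above 32 bits: treat the value as a big integer
}

# Hypothetical mapping from bot features to the permissions each one needs.
FEATURE_PERMS = {
    "welcome": ["VIEW_CHANNEL", "SEND_MESSAGES", "EMBED_LINKS"],
    "purge": ["VIEW_CHANNEL", "READ_MESSAGE_HISTORY", "MANAGE_MESSAGES"],
    "timeout": ["MODERATE_MEMBERS"],
}

def minimum_permissions(features):
    """OR together only the bits the selected features require."""
    value = 0
    for feature in features:
        for name in FEATURE_PERMS[feature]:
            value |= PERMS[name]
    return value

def explain(value):
    """Decode a permission integer into flag names; bits outside PERMS are named by position."""
    names = [name for name, bit in PERMS.items() if value & bit]
    leftover = value & ~sum(PERMS.values())  # flags are distinct bits, so sum == OR
    names += [f"UNKNOWN_BIT_{i}" for i in range(leftover.bit_length()) if (leftover >> i) & 1]
    return names

def audit(value):
    """Least-privilege check: ADMINISTRATOR overrides every other bit, so reject it."""
    if value & PERMS["ADMINISTRATOR"]:
        return "reject: ADMINISTRATOR requested"
    return "ok"

if __name__ == "__main__":
    requested = minimum_permissions(["welcome", "purge"])
    print(requested, explain(requested), audit(requested))
```

Decoding an install link's permission integer with `explain` before authorizing shows whether it contains anything beyond what the listed features need.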
Tokens & secrets
Your bot token is encrypted, never logged, and only used to run your bot.
We follow best practices for secure storage: tokens are encrypted with strong encryption, keys are rotated regularly, and access is restricted to the runtime environment.
You stay in control
You can revoke or rotate your token anytime from the Discord Developer Portal. If you suspect compromise, regenerate your token and redeploy—takes 30 seconds.
Each bot runs separately
Your bot gets its own isolated environment
Each environment has resource limits, auto-restart on failure, and basic health checks. If one bot crashes, it doesn't affect others.
Live progress you can read
Watch deploy updates in real-time. See exactly when your bot connects, loads commands, and starts listening. If something breaks, you'll know why.
No spam patterns
Mass-DM blocked by design
We prevent bulk direct messages and enforce rate limits that align with Discord's API guidelines. This protects your server's reputation and keeps your bot compliant.
Built-in rate limiting
We design our runtimes and templates to parse Discord rate-limit headers, back off on 429s, and avoid invalid-request spikes. Custom bot behavior can still create compliance issues if you add abusive logic.
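A sketch of the header handling described above, as an added example (not VibeCord's runtime code). The header names are Discord's documented rate-limit headers; the breaker's threshold and window are placeholders to tune, and the sample responses are constructed.

```python
from collections import deque

# Responses Discord counts toward its invalid-request limit.
INVALID_STATUSES = {401, 403, 429}

def backoff_seconds(status, headers):
    """Return (delay_seconds, is_global) to apply before the next request."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        # Retry-After is in seconds; fall back to a conservative 1s if absent.
        is_global = h.get("x-ratelimit-global", "").lower() == "true"
        return float(h.get("retry-after", 1.0)), is_global
    if h.get("x-ratelimit-remaining") == "0":
        # Bucket exhausted: wait for the reset so the next call never 429s.
        return float(h.get("x-ratelimit-reset-after", 0.0)), False
    return 0.0, False

class InvalidRequestBreaker:
    """Stops sending when 401/403/429 responses pile up in a sliding window."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.events = deque()

    def record(self, status, now):
        if status in INVALID_STATUSES:
            self.events.append(now)

    def tripped(self, now):
        # Drop events that have aged out of the window, then compare.
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold

# Constructed sample responses (not captured traffic).
SAMPLES = [
    (200, {"X-RateLimit-Remaining": "4", "X-RateLimit-Reset-After": "0.9"}),
    (200, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset-After": "1.5"}),
    (429, {"Retry-After": "2.25", "X-RateLimit-Global": "true"}),
]

def run_samples():
    return [backoff_seconds(status, headers) for status, headers in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```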
Privileged intents & verification
Some features require privileged intents
Features like reading message content for moderation can require privileged intents in the Discord Developer Portal. Discord's current guidance lets privileged-intent review start at 75 or more servers, and app verification is required to scale past 100 servers.
We'll tell you when you need it
If your bot requires a privileged intent, we'll show a clear prompt with a link to enable it. No surprises.
Shared demo bots are not a production promise
If we offer a temporary demo runtime, treat it as evaluation-only. Production bots should use a customer-owned Discord application or another clearly scoped reviewed app path.
Abuse & reporting
How to report misuse
If you see a bot built with VibeCord violating Discord's Terms of Service or Community Guidelines, email us at abuse@vibecord.dev with the bot's ID and evidence. We review abuse reports and escalate confirmed violations.
What we do
Confirmed violations result in immediate suspension, token revocation, and cooperation with Discord Trust & Safety if needed.
VibeCord is independent and not affiliated with Discord Inc. We follow Discord's brand guidelines and API terms of service.
Frequently Asked Security Questions
Does VibeCord have admin access to my Discord server?
No. We request only the specific permissions your bot features need—never admin by default. You can see exactly what permissions are requested before installation.
Where is my bot token stored?
Your bot token is encrypted using AES-256 encryption at rest. Access is restricted to the runtime environment only—no human access to plaintext tokens.
Can VibeCord read my server's messages?
Only if you enable features that require it (like moderation). By default, bots don't request the Message Content Intent. If needed, we'll prompt you to enable it in the Discord Developer Portal.
What happens if my bot crashes?
Each bot runs in an isolated container with automatic restart on failure. If your bot crashes, it restarts automatically without affecting other bots.
Can I rotate my bot token?
Yes. Regenerate your token in the Discord Developer Portal and redeploy—takes about 30 seconds. We recommend token rotation if you suspect any compromise.
Is my data shared with third parties?
No. We don't sell or share your data. Your bot configurations and tokens are used solely to run your bot.
How do you prevent spam and abuse?
Mass-DM is blocked by design. Our templates and runtimes are built to respect Discord rate-limit headers and back off correctly, but abusive custom logic can still violate Discord policy. Bots that violate Discord's Terms of Service are suspended immediately.
What if I see a malicious bot built with VibeCord?
Report it to abuse@vibecord.dev with the bot's ID and evidence. We review abuse reports and cooperate with Discord Trust & Safety when a violation is confirmed.
Do you support SOC 2 or GDPR compliance?
We follow best practices for data security and privacy. For enterprise compliance requirements, contact us to discuss your specific needs.
Can I self-host my bot instead?
Currently we offer managed hosting only, which includes security updates, monitoring, and auto-restart. Self-hosting options may be available in future enterprise plans.
What happens when my bot grows past 75 or 100 servers?
Plan for Discord review before you hit scale. Discord's current help articles allow privileged-intent applications at 75 or more servers and require app verification to scale past 100 servers.
Can I sell paid bot features only through my own website?
Not always. If your bot offers paid capabilities directly to Discord users in regions where Discord Premium Apps requirements apply, Discord requires those supported offerings to also be purchasable through Discord at price parity.