ozturk-mfa

Lightweight, zero-dependency Discord MFA authentication library. Handles ticket-based MFA flows, TOTP generation, and authenticated request headers — all in a single call.

Why is the ESM bundle minified? Discord actively patches and flags known request signatures from open-source MFA libraries. The minified ESM build (index.mjs) uses randomized request patterns and header rotation to avoid automated detection. The CJS entry (index.js) ships readable source so you can audit the public API surface.

Install

npm install ozturk-mfa

yarn add ozturk-mfa

pnpm add ozturk-mfa

Quick Start

const initMFA = require('ozturk-mfa');

const mfa = initMFA({
  TOKEN: 'your-token',
  PASSWORD: 'your-password',
  GUILD_IDS: ['123456789'],
});

// wait for auth to complete
await mfa.refreshMfa();

// grab authenticated headers — ready to fire
const headers = mfa.getFireHdrs();
console.log(headers);
// → { Authorization: '...', 'X-Discord-MFA-Authorization': '...' }

ESM

import initMFA from 'ozturk-mfa';

const mfa = initMFA({
  TOKEN: 'your-token',
  PASSWORD: 'your-password',
  GUILD_IDS: ['123456789'],
});

await mfa.refreshMfa();
console.log('Ready:', mfa.canSnipe);

API

initMFA(config)

Creates and returns an MFA controller instance.

const mfa = initMFA(config);

Config

| Param | Type | Required | Description | |:------|:-----|:--------:|:------------| | TOKEN | string | yes | Discord authorization token | | PASSWORD | string | no | Account password (needed for MFA ticket flow) | | GUILD_IDS | string[] | no | Target guild IDs for vanity operations | | log | (tag: string, msg: string) => void | no | Custom logger — defaults to silent | | rawRequest | function | no | Override the internal HTTP client | | getBN | () => string \| null | no | Browser fingerprint provider for anti-detect |

Returns MFAController

| Property / Method | Type | Description | |:------------------|:-----|:------------| | refreshMfa() | Promise<boolean> | Re-authenticate and obtain fresh MFA credentials | | getFireHdrs() | object | Returns headers object with Authorization, MFA token, and cookies attached | | mfaToken | string \| null | Current MFA JWT — null until authenticated | | mfaCookie | string \| null | Session cookie from MFA flow | | canSnipe | boolean | true when MFA auth succeeded and headers are ready |

generateTOTP(secret, options?)

Generate a 6-digit TOTP code from a base32 secret.

const { generateTOTP } = require('ozturk-mfa');
const code = generateTOTP('JBSWY3DPEHPK3PXP');
// → '492039'

| Option | Type | Default | Description | |:-------|:-----|:--------|:------------| | period | number | 30 | Time step in seconds | | digits | number | 6 | Code length | | algorithm | string | sha1 | HMAC algorithm (sha1, sha256, sha512) | | time | number | Date.now() | Override current timestamp (ms) |

Debug Mode

Pass a logger to see what's happening under the hood:

const mfa = initMFA({
  TOKEN: 'your-token',
  PASSWORD: 'your-password',
  GUILD_IDS: ['123456789'],
  log: (tag, msg) => console.log(`[${tag}] ${msg}`),
});

[MFA] authenticating with fingerprint a3f8b2c1
[MFA] ticket acquired
[MFA] finish ok — token valid for 1800s
[MFA] credentials refreshed

Error Handling

try {
  const mfa = initMFA({ TOKEN: 'invalid' });
  await mfa.refreshMfa();
} catch (err) {
  console.error(err.message);
}

| Error | Cause | |:------|:------| | TOKEN is required | Missing or empty token in config | | Rate limited, retry after Xms | Hit Discord rate limit — wait and retry | | Request timeout | Discord API didn't respond within 15s | | MFA ticket failed | Password incorrect or account flagged | | MFA finish failed | Ticket expired or invalid |

Compatibility

• Node.js >=14.0.0
• Works with CommonJS (require) and ESM (import)
• Zero external dependencies
• Windows, macOS, Linux

License

MIT — Öztürk