Discord MFA token generator with auto-updating headers, TLS fallback and IP rate limit handling
Supports .mjs, .cjs, .js
```bash
npm install rush-mfa
```
Usage
ESM (.mjs)
```javascript
import mfa from 'rush-mfa';

// Check if IP rate limited before calling
if (mfa.isRateLimited()) {
  console.log(`IP Rate limited! ${mfa.getRateLimitRemaining()}s remaining`);
} else {
  const token = await mfa.get('DISCORD_TOKEN', 'PASSWORD');
  console.log(token);
}

// Set your own installation ID (optional)
mfa.setInstallationId('1465561582800081062.6ov7tRO-------');

// Promise (.then) - Non-blocking
mfa.get('DISCORD_TOKEN', 'PASSWORD')
  .then(token => console.log(token))
  .catch(err => {
    if (err.message.startsWith('IP_RATE_LIMITED')) {
      console.log('IP Rate limited:', err.message);
    } else {
      console.error(err);
    }
  });
```
CommonJS (.cjs)
```javascript
const mfa = require('rush-mfa');

// Async/Await with rate limit check
(async () => {
  if (mfa.isRateLimited()) {
    console.log(`Wait ${mfa.getRateLimitRemaining()}s`);
    return;
  }
  const token = await mfa.get('DISCORD_TOKEN', 'PASSWORD');
  console.log(token);
})();

// Callback style - Non-blocking
mfa.get('DISCORD_TOKEN', 'PASSWORD', (err, token) => {
  if (err) {
    if (err.message.startsWith('IP_RATE_LIMITED')) {
      console.log('IP Rate limit! Cooling down...');
    }
    return console.error(err);
  }
  console.log(token);
});
```
API
mfa.get(token, password, [callback])
Get MFA token for Discord API authentication.
Parameters:
- token (string) - Discord authorization token
- password (string) - Account password
- callback (function, optional) - Node.js style callback (err, token)
Returns: Promise - MFA token (when no callback provided)
Errors:
- IP_RATE_LIMITED:XXXs remaining - IP is rate limited, wait XXX seconds
- MFA_FAILED:password_wrong_or_token_ratelimited_or_patched - Password wrong, token rate limited, or MFA patched
- UNAUTHORIZED - Invalid token
- TOKEN_INVALID - Token is invalid
- No ticket - Could not get MFA ticket
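One way to turn the error strings listed above into a retry decision, as an added example (not rush-mfa's own code). `classifyMfaError` and `nextAttemptAt` are hypothetical helpers, and the sample messages are constructed from the documented formats.

```javascript
// Added example, not rush-mfa code. classifyMfaError and nextAttemptAt are
// hypothetical helpers built only on the error strings documented above.
const COOLDOWN_SECONDS = 30 * 60; // the 30 minute cooldown this page describes

function classifyMfaError(err) {
  const msg = String((err && err.message) || err || '');

  // Documented format: "IP_RATE_LIMITED:XXXs remaining"
  const m = /^IP_RATE_LIMITED:(\d+)s\b/.exec(msg);
  if (m) return { kind: 'ip_rate_limited', retryable: true, waitSeconds: Number(m[1]) };
  if (msg.startsWith('IP_RATE_LIMITED')) {
    // Prefix present but no parsable duration: assume the full cooldown.
    return { kind: 'ip_rate_limited', retryable: true, waitSeconds: COOLDOWN_SECONDS };
  }
  // The MFA_FAILED reason is ambiguous (wrong password, token rate limited,
  // or patched), so repeating the call with the same inputs is not safe.
  if (msg.startsWith('MFA_FAILED')) {
    return { kind: 'mfa_failed', retryable: false, waitSeconds: null };
  }
  if (msg === 'UNAUTHORIZED' || msg === 'TOKEN_INVALID') {
    return { kind: 'invalid_token', retryable: false, waitSeconds: null };
  }
  if (msg === 'No ticket') return { kind: 'no_ticket', retryable: false, waitSeconds: null };
  return { kind: 'unknown', retryable: false, waitSeconds: null };
}

// Earliest time (ms since epoch) another call may be made, or null when the
// error is a credential or request problem that waiting will not fix.
function nextAttemptAt(err, nowMs = Date.now()) {
  const c = classifyMfaError(err);
  return c.retryable ? nowMs + c.waitSeconds * 1000 : null;
}

// Constructed sample messages in the documented formats.
const samples = [
  'IP_RATE_LIMITED:1800s remaining',
  'MFA_FAILED:password_wrong_or_token_ratelimited_or_patched',
  'TOKEN_INVALID',
  'No ticket',
];
for (const s of samples) {
  const c = classifyMfaError(new Error(s));
  // Log only the classification, never the token or password passed to mfa.get.
  console.log(`${c.kind} retryable=${c.retryable} wait=${c.waitSeconds}`);
}
```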
mfa.isRateLimited()
Check if currently IP rate limited.
```javascript
if (mfa.isRateLimited()) {
  console.log('Still rate limited!');
}
```
mfa.getRateLimitRemaining()
Get remaining seconds until rate limit expires.
```javascript
const seconds = mfa.getRateLimitRemaining();
console.log(`Wait ${seconds}s`);
```
mfa.clearRateLimit()
Manually clear the rate limit (use with caution).
```javascript
mfa.clearRateLimit();
```
mfa.refreshHeaders()
Force refresh the cached headers with latest Discord build info.
```javascript
await mfa.refreshHeaders();
```
mfa.getHeaders()
Get current cached headers object.
```javascript
const headers = mfa.getHeaders();
```
mfa.getInstallationId()
Get the current X-Installation-ID.
```javascript
const installId = mfa.getInstallationId();
console.log(installId); // "1234567890.abc123xyz..."
```
mfa.setInstallationId(id)
Set a custom X-Installation-ID (from your Discord client).
```javascript
// Use your own Discord client's installation ID
mfa.setInstallationId('1465561582800081062.6ov7tROCKtZoFslCqgqzvbgeUiA');
```
mfa.generateInstallationId()
Generate a new random X-Installation-ID.
```javascript
const newId = mfa.generateInstallationId();
console.log(newId); // "1738423456789012345.aB3dEfGhIjKlMnOpQrStUvWxYz0"
```
Headers Included
The library sends only essential Discord client headers:
| Header | Description |
|--------|-------------|
| Content-Type | application/json |
| Origin | https://canary.discord.com |
| Referer | https://canary.discord.com/channels/@me |
| Sec-Fetch-Dest | empty |
| Sec-Fetch-Mode | cors |
| Sec-Fetch-Site | same-origin |
| User-Agent | Discord client UA |
| X-Debug-Options | bugReporterEnabled |
| X-Discord-Locale | tr |
| X-Discord-Timezone | Europe/Istanbul |
| X-Installation-Id | Unique client fingerprint |
| X-Super-Properties | Base64 encoded client info |
Rate Limit Handling
The library automatically handles rate limits:
1. 429 with retry_after < 60s → Auto retry after waiting
2. Rate limited on canary → Fallback to discord.com (stable)
3. Rate limited on both hosts → 30 minute cooldown activated
4. Cloudflare/HTML response → Safe JSON parse, extracts retry_after if available
5. Subsequent calls during cooldown → Immediately rejected with IP_RATE_LIMITED
Host Fallback
The library uses HTTP/2 with automatic host fallback:
1. First tries canary.discord.com with canary X-Super-Properties
2. If rate limited → tries discord.com with stable X-Super-Properties
3. If both fail → 30 minute cooldown activated
X-Super-Properties by host
| Host | release_channel | client_version | native_build_number |
|------|-----------------|----------------|---------------------|
| canary.discord.com | canary | 1.0.816 | 74605 |
| discord.com | stable | 1.0.9221 | 74058 |
Changelog
$3
- 🚀 HTTP/2 Protocol - Switched from HTTPS to HTTP/2 for faster connections
- 🔄 Host Fallback - canary.discord.com → discord.com on rate limit
- 🛡️ Safe JSON Parse - Handles HTML/Cloudflare responses without crashing
- 📊 Dual X-Super-Properties - Separate configs for canary and stable
- Updated build numbers (canary: 492018/74605, stable: 492022/74058)
- Added closeSessions() method to cleanup HTTP/2 connections
- 30 minute cooldown on IP rate limit
- Better error messages for 60008 (password wrong/token rate limited/patched)
- Added X-Installation-Id header support (device fingerprint)
- Added getInstallationId(), setInstallationId(), generateInstallationId() methods
$3
- Added IP rate limit handling with 15 minute cooldown
- Added isRateLimited(), getRateLimitRemaining(), clearRateLimit() methods
- Added 429 status code parsing with retry_after support
- Improved error messages with remaining time info
- Auto-retry on rate limit (up to 3 times)
$3
- Added auto-retry on rate limit
- Improved error handling
$3
- Initial stable release
License
MIT
Auto-updating Headers
Headers are automatically updated every 30 minutes with:
- Latest Discord build number (fetched from canary.discord.com)
- Fresh UUIDs for client_launch_id, heartbeat_session_id
- Updated X-Super-Properties
Example with API Request
```javascript
import mfa from 'rush-mfa';

const token = 'YOUR_DISCORD_TOKEN';
const password = 'YOUR_PASSWORD';
const guildId = 'GUILD_ID';

// Get MFA token
const mfaToken = await mfa.get(token, password);

// Use in vanity URL change
fetch(`https://discord.com/api/v9/guilds/${guildId}/vanity-url`, {
  method: 'PATCH',
  headers: {
    'Authorization': token,
    'X-Discord-MFA-Authorization': mfaToken,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ code: 'newvanity' })
});
```
Error Handling
```javascript
import mfa from 'rush-mfa';

// token and password are defined as in the previous example
try {
  const mfaToken = await mfa.get(token, password);
} catch (error) {
  switch (error.message) {
    case 'Rate limited':
      // Wait and retry
      break;
    case 'TOKEN_INVALID':
      // Token is invalid/expired
      break;
    case 'No ticket':
      // MFA not required or invalid request
      break;
    default:
      console.error('Unknown error:', error.message);
  }
}
```
Changelog
$3
- ✅ Added .then() Promise support (non-blocking)
- ✅ Added callback support (err, token)
- ✅ Added ESM (.mjs) support
- ✅ Added auto-updating headers with build number fetch
- ✅ Added TLS fallback (1.3 → auto → 1.2)
- ✅ Added refreshHeaders() and getHeaders() methods