A secure Roblox-to-Discord verification system built with Next.js, MongoDB, and OAuth 2.0, deployed on Vercel.
- Secure OAuth 2.0 Authentication: Uses Roblox’s official OAuth implementation.
- MongoDB Storage: Stores verification sessions and user verifications.
- Discord Bot Integration: Provides an API endpoint for Discord bots to initiate the verification process.
- Single-Use Tokens: Tokens expire after 15 minutes and can be used only once.
- Vercel Deployment: Optimized for serverless deployment.
- Create an account at mongodb.com/cloud/atlas.
- Create a new cluster (free tier is sufficient).
- Create a database user with read/write permissions.
- Obtain your MongoDB connection string (e.g., `mongodb+srv://username:password@cluster.mongodb.net/`).
- Add the connection string to your environment variables.
- Visit the Roblox Creator Dashboard.
- Create a new OAuth 2.0 application.
- Set the redirect URI to `https://your-vercel-app.vercel.app/api/auth/callback`.
- Copy the Client ID and Client Secret.
- Add them to your environment variables.
- Push the code to a GitHub repository.
- Import the repository into Vercel.
- Configure the following environment variables in Vercel:

| Variable | Description |
|---|---|
| MONGODB_URI | Your MongoDB connection string |
| MONGODB_DB_NAME | Name of your MongoDB database |
| ROBLOX_CLIENT_ID | Roblox OAuth Client ID |
| ROBLOX_CLIENT_SECRET | Roblox OAuth Client Secret |
| NEXT_PUBLIC_VERCEL_URL | Your app's Vercel domain (e.g., your-app.vercel.app) |

- Deploy the project.
Once deployed, navigate to `https://your-app.vercel.app/api/init-db`. This will create the required indexes in your database.
`POST /api/discord/callback`

Initiates a verification session for a Discord user.

Request Body:

```json
{
  "discordId": "123456789012345678"
}
```

Response:

```json
{
  "token": "abc123...",
  "url": "https://your-app.vercel.app/login?token=abc123..."
}
```

Example Usage in Discord Bot:

```javascript
const response = await fetch('https://your-app.vercel.app/api/discord/callback', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ discordId: interaction.user.id })
});
const { url } = await response.json();
await interaction.user.send(`Click here to verify: ${url}`);
```

`/api/init-db`

Initializes database indexes. Call this once after deployment.
- The Discord bot calls `/api/discord/callback` with the user's Discord ID.
- The server generates a single-use verification token and returns a verification URL.
- The bot sends the URL to the user via direct message.
- The user visits the verification URL (`/login?token=...`).
- The server validates the token and redirects the user to Roblox's OAuth consent page.
- The user authenticates with Roblox.
- Roblox redirects the user back to `/api/auth/callback`.
- The server stores the Discord → Roblox mapping in MongoDB.
- The user is redirected to `/verify-success` with a confirmation.
Verification session:

```typescript
{
  token: string;      // Unique single-use token
  discordId: string;  // Discord user ID
  createdAt: Date;    // Session creation timestamp
  expiresAt: Date;    // Expiration timestamp (15 minutes)
  used: boolean;      // Whether the token has been used
  usedAt?: Date;      // Timestamp of usage (if used)
  state?: string;     // OAuth state parameter
  nonce?: string;     // OAuth nonce parameter
}
```

User verification:

```typescript
{
  discordId: string;        // Discord user ID
  robloxId: string;         // Roblox user ID
  robloxUsername: string;   // Roblox username
  createdAt: Date;          // Time of verification
}
```

- Single-Use Tokens: Tokens are valid for 15 minutes and only once.
- OAuth State & Nonce: Protects against CSRF and replay attacks.
- HTTP-Only Cookies: Secure session management.
- TTL Indexes: Automatic cleanup of expired sessions in MongoDB.
- Server-Side Validation: Discord ID is verified server-to-server to prevent spoofing.
| Layer | Technology |
|---|---|
| Frontend | Next.js 15 with App Router |
| Database | MongoDB with native driver |
| OAuth | openid-client for Roblox OAuth 2.0 |
| Deployment | Vercel |
| UI | Tailwind CSS with shadcn/ui |
Raspy Foundation
Licensed under CC-BY-SA-4.0. See creativecommons.org/licenses/by-sa/4.0.