Module B8 · Ship, sell & maintain

Webhooks and privacy

Webhooks are how your server tells Discord what happened: a sale, a ban, an error. Done carelessly they leak the webhook URL, dump player data into a channel, or spam Discord until it rate-limits you. This lesson keeps logging useful and safe.

You'll learn: How to log to Discord webhooks without leaking secrets, spamming channels, or exposing player data.
Time: ~20 minutes.
You need: The HTTP/webhooks lesson and a server you can configure.
The arc: Webhooks are secrets, send server-side only, decide what NOT to log, then rate-limit and redact.

BEFORE YOU START

Log safely

Send only from the server

The webhook URL never reaches a client.

All webhook calls happen in server scripts, with the URL read from a convar. A client never sees the URL and never triggers the send directly without a server check. PerformHttpRequest is a server native, so this code can only live in a server_script.

Read the URL from a convar, then post a Discord embed. Discord expects JSON, so set the Content-Type header and encode the body with json.encode.

code

local hook = GetConvar('logs_webhook', '')

local function sendLog(title, description)
    if hook == '' then return end -- no webhook configured, do nothing
    local body = json.encode({
        embeds = {
            {
                title = title,
                description = description,
                color = 3447003, -- a blue stripe down the embed
            }
        }
    })
    PerformHttpRequest(hook, function(status)
        if status ~= 200 and status ~= 204 then
            print(('[logs] webhook returned %s'):format(status))
        end
    end, 'POST', body, { ['Content-Type'] = 'application/json' })
end

Webhooks and privacy

Log safely

Send only from the server

Decide what NOT to log

Rate-limit your sends

Separate channels by severity

Keep reading the full lesson