# Authentication

> How Botify handles login, licensing, encryption, and command authentication.

Botify supports two authentication methods and includes multiple layers of security for account data, cookies, and remote commands.

***

## Authentication Methods

### Discord OAuth2 (Recommended)

Botify uses a full browser-based OAuth2 flow:

1. Browser opens `discord.com/oauth2/authorize` with Botify's client ID
2. You authorize scopes: `identify` + `guilds.members.read`
3. Botify verifies you have the **"Client"** role in the official Botify Discord server
4. Your Discord User ID is stored locally and synced to MongoDB

<Warning>
  You **must** be a member of the Botify Discord server and have the **"Client"** role. Without it, login is rejected regardless of payment status.
</Warning>

***

### License Key System

Keys follow the format: `BOTIFY-XXXXX-XXXXX-XXXXX-XXXXX`

| Plan         | Features Unlocked                                        |
| ------------ | -------------------------------------------------------- |
| `standard`   | All core features — 24/7 Alting, Normal Launch, all tabs |
| `enterprise` | Everything in Standard + Enterprise Cluster mode         |

* Keys are stored in the `botify_licenses` MongoDB collection
* Keys are **HWID-bound** on first activation — tied to your hardware fingerprint
* Activating on a different PC requires a manual HWID reset via Botify support

***

## Local Data Security

### DPAPI Encryption

When **Encrypt Account Data** is enabled in **Settings → Security**:

* `account_store.json` is encrypted using Windows **Data Protection API (DPAPI)**
* Encryption is tied to your Windows user account — only the same user on the same machine can decrypt
* Switching Windows users or reinstalling Windows requires re-adding accounts

<Note>
  DPAPI encryption is **optional** and disabled by default. Enable it if you share your PC with other users.
</Note>

### Cookie Storage Security

`.ROBLOSECURITY` cookies are stored in MongoDB with a **unique index** on `(owner_id, pc_name, username)`:

* Prevents any Botify node from reading another user's cookies
* Cookies are scoped per-user and per-PC — multi-PC setups remain isolated

***

## Command Authentication

Every Botify node generates a **32-byte random token** (`command_token`) on first run. All remote commands must include this token:

```json
{
  "target_pc": "MainPC",
  "command": "screenshot",
  "auth_token": "<32-byte-hex-token>",
  "owner_id": "123456789012345678"
}
```

Commands whose `auth_token` does not match the node's `command_token` are **silently rejected**: to prevent enumeration attacks, no error is returned.
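
A node-side check matching the description above, as an added example rather than Botify's own code. The function names, the extra scope checks on `target_pc` and `owner_id`, and the sample messages are assumptions.

```python
import hmac
import json
import secrets

TOKEN_BYTES = 32  # the page specifies a 32-byte random command_token
REQUIRED = ("target_pc", "command", "auth_token", "owner_id")


def new_command_token() -> str:
    """Generate the token once, on first run: 32 CSPRNG bytes as 64 hex chars."""
    return secrets.token_hex(TOKEN_BYTES)


def accept_command(raw, command_token, pc_name, owner_id):
    """Return the parsed command if authentic, else None.

    Every failure returns the same None, so a sender cannot distinguish a
    malformed message from a wrong token (silent rejection).
    """
    try:
        msg = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    if not isinstance(msg, dict):
        return None
    if not all(isinstance(msg.get(k), str) for k in REQUIRED):
        return None
    # Constant-time compare so timing does not reveal how much of the token matched.
    # errors="replace" keeps odd escapes (lone surrogates) from raising.
    supplied = msg["auth_token"].encode("utf-8", "replace")
    token_ok = hmac.compare_digest(supplied, command_token.encode())
    # Assumption: the node also checks that the command is addressed to it.
    scope_ok = msg["target_pc"] == pc_name and msg["owner_id"] == owner_id
    if not (token_ok and scope_ok):
        return None
    return {"command": msg["command"], "target_pc": msg["target_pc"]}


if __name__ == "__main__":
    token = new_command_token()
    # Constructed sample messages, modelled on the JSON shown above.
    good = json.dumps({"target_pc": "MainPC", "command": "screenshot",
                       "auth_token": token, "owner_id": "123456789012345678"})
    bad = good.replace(token, "0" * 64)
    for raw in (good, bad, "not json"):
        print(accept_command(raw, token, "MainPC", "123456789012345678"))
```

Comparing with `==` instead of `hmac.compare_digest` would still reject wrong tokens, but the comparison time could then depend on how many leading characters match.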

***

## Administrator Elevation

Botify auto-elevates to Administrator on startup. This is required for:

| Feature              | Why Admin is Needed                                      |
| -------------------- | -------------------------------------------------------- |
| Multi-Roblox         | Manipulating the Roblox singleton mutex                  |
| Working Set Trimmer  | Calling `SetProcessWorkingSetSizeEx` / `EmptyWorkingSet` |
| CPU Affinity Pinning | Setting process affinity via Win32 API                   |
| Process Priority     | Setting priority via `NtSetInformationProcess`           |
| Crash Handler Killer | Terminating `RobloxCrashHandler.exe`                     |

<Warning>
  If you decline the UAC prompt, Multi-Roblox and all Process Optimizer features will be unavailable. Botify will still launch but with reduced functionality.
</Warning>

***

## Enterprise Access

Enterprise Cluster mode is unlocked by **either**:

* An `enterprise` plan license key in `botify_licenses`, **OR**
* Specific Discord User IDs or roles configured as staff in the Botify system

Staff users receive automatic access to all features regardless of their license tier.
