Discord.py: How does this log into a user account without an API token?

Created on 22 Mar 2017 · 10 Comments · Source: Rapptz/discord.py

All 10 comments

When you use run, you pass in what you want, which will be passed to login.

http://discordpy.readthedocs.io/en/latest/api.html#discord.Client.login

Though I would recommend using your token.

1. Open Discord
2. Press Ctrl+Shift+i
3. Click "Application" tab
4. Expand Storage > Local Storage > https://discordapp.com
5. Find "token" under "key"
6. Copy the text in quotes on the same row

@Phxntxm What I mean is how can I do a user login without an OAuth access token? Isn't this a violation of the ToS?

Did you read the link I provided? You pass the user login to the method run/login

@Phxntxm What happens on the protocol level? Also, I realized that this was badly worded. I meant: why am I able to log in without an OAuth access token?

See here and here. It does not log in without the access token. It just retrieves the access token (using the email/password you gave it), similarly to how you can log in with user/pass using the official client.

So what this does is it violates OAuth2 entirely and logs in directly? OK, I'll stick to the copy-paste from localStorage. Thanks for the answers!

No, it does not violate OAuth2. No authentication can happen without an OAuth2 token, /auth/login is simply an endpoint for retrieving that token. It's also a very bad idea to store your password in plaintext inside a python file.

OAuth2 was created in order to indirectly expose an account to a third-party website without revealing your credentials to the third-party. Discord's official OAuth2 authorization endpoint is /api/oauth2/authorize. Using /api/auth/login violates OAuth2 because a) it does not use the OAuth2 API to generate a bearer token, and b) it reveals credentials to the third-party outside of a resource-owner credentials grant. This activity is not supported by Discord, is strongly recommended against, and is bannable if the user has 2FA enabled. The recommended alternative is to use the localStorage token.

There is no OAuth2 flow in the lib (at least, not yet since it's useless). The method of authentication done here for user accounts is the same as it is for the official client. Basically an Authorization header without any sort of prefix (Bot, Bearer).

It does not violate OAuth2 because it does not use it. Instead it directly accesses your account with full permissions.
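One way to put the two practical points from this thread into code (keep the password out of the script, and know which Authorization header form applies to which account type), as an added example that is not discord.py's own code. TOKEN_ENV, TOKEN_FILE and the "looks like credentials, not a token" check are assumptions for illustration.

```python
import os
import stat
from pathlib import Path

# Assumed names for this example; discord.py has no such settings.
TOKEN_ENV = "DISCORD_TOKEN"
TOKEN_FILE = Path.home() / ".discord_token"

# Header forms described in the thread: bot accounts use a "Bot " prefix,
# user accounts send the raw token with no prefix, and a token obtained
# through /api/oauth2/authorize is sent as a "Bearer " token.
_PREFIXES = {"bot": "Bot ", "user": "", "oauth2": "Bearer "}


def authorization_header(token: str, account_type: str) -> dict:
    """Build the Authorization header for a Discord REST request."""
    token = token.strip()
    if not token:
        raise ValueError("empty token")
    # Heuristic (assumption): an e-mail address or whitespace means someone
    # passed email/password instead of a token; refuse rather than ship
    # credentials to /api/auth/login from a script.
    if "@" in token or " " in token:
        raise ValueError("expected a token, not user credentials")
    if account_type not in _PREFIXES:
        raise ValueError(f"unknown account type: {account_type}")
    return {"Authorization": _PREFIXES[account_type] + token}


def file_mode_is_private(mode: int) -> bool:
    """True if the permission bits grant nothing to group or others."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_token(env_var: str = TOKEN_ENV, token_file: Path = TOKEN_FILE) -> str:
    """Read the token from the environment, or from an owner-only file.

    Either source keeps the secret out of the Python file itself.
    """
    token = os.environ.get(env_var)
    if token:
        return token.strip()
    mode = token_file.stat().st_mode
    if not file_mode_is_private(mode):
        raise PermissionError(f"{token_file} is readable by group/others "
                              f"(mode {stat.S_IMODE(mode):o})")
    return token_file.read_text().strip()
```

Use it as `client.run(load_token())` for a user account, or `client.run(load_token(), bot=True)` for a bot, instead of passing an email and password.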
