The fastest Duolingo XP farmer, with free gems, Duolingo Max & more. Working as of May 2026.
< Feedback on Duolingo PRO
First, the JWT token is not harvested or silently exfiltrated. In 3.1 mode, the token is only transmitted when a user explicitly interacts with a feature that requires server-side processing. Nothing is sent passively, automatically, or without the user initiating an action. This is required to provide full functionality for features that cannot be implemented purely client-side.

Second, Legacy Mode exists specifically to address this concern. When Legacy Mode is enabled, your token is never sent to our servers under any circumstances. Users who prefer a fully local, browser-only workflow can use this mode with zero server interaction. This option has always been available and clearly documented.

Third, the claim that tokens are being collected to steal accounts or resell subscriptions is pure speculation with no evidence. Tokens are used transiently to fulfill the user's request and are not used for account access, resale, or any form of abuse. Suggesting criminal intent without proof is irresponsible.

Finally, while it is true that some Duolingo API endpoints can be accessed directly from the browser, not all functionality works reliably or at scale without a backend component. The server interaction in 3.1 mode exists for technical reasons, not deception, and users are given a clear choice.
Your reply still does not address the core issue.
Whether the JWT is sent automatically or only after a user clicks a feature is irrelevant. A Duolingo authorization token is still being extracted from the browser and transmitted to a private, third-party API you control. User interaction does not make token exfiltration safe.
Legacy Mode does not solve this problem. It only limits functionality to a lesson solver, meaning users must give up fast XP farming and other features in order to avoid server-side token sharing. That is not a real privacy choice, it is a forced tradeoff. The safer option removes features, while the full feature set requires sending the token to your backend.
Claims like “tokens are used transiently” or “not stored” are not verifiable. Your backend is closed-source and cannot be audited. Users are being asked to trust your word, and security does not operate on trust, it operates on verifiability. This is why private APIs handling authentication tokens are treated as a red flag.
The claim that a backend is required also fails when compared to existing scripts. Duofarmer and DuoRain already provide equal or better functionality entirely client-side, without sending JWTs to any external server. This demonstrates that the server is not technically necessary.
The JWT risk itself is also being downplayed. A Duolingo JWT generally grants broad account access. That is not speculation, it is how the token works. Sending it to a third-party service, especially one users cannot audit, is a real and valid concern regardless of intent.
This is not an accusation of criminal intent. It is a design issue. Sending sensitive authentication tokens to a private API, when safer fully client-side alternatives already exist, is poor practice, and that guy is justified in warning others about it.
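The two replies above turn on a claim that users cannot verify ("the token is only sent when you click", "it is used transiently"). What a user can verify from their own browser is where the token actually goes. The following is an added example, not code from the thread or from any of the scripts it discusses: it decodes a JWT's payload to show what the bearer credential carries, wraps fetch() so every outgoing request is logged, and classifies any request that carries the token by whether its host is first-party. The first-party domain list, the log record shape, the request samples and the demo token are assumptions constructed for the example; nothing here is Duolingo's real token format or API.

```javascript
// Added example: audit where a bearer token goes. Not part of the original
// thread or of any of the scripts it discusses.

// Assumption: only hosts under this domain are first-party for the token.
const FIRST_PARTY = ['duolingo.com'];

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='), 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned stand-in for a real token (signature segment is a
// placeholder); used so the example runs offline without a live account.
function makeDemoToken(payload) {
  return `${base64UrlEncode({ alg: 'HS256', typ: 'JWT' })}.${base64UrlEncode(payload)}.c2lnbmF0dXJl`;
}

// Decode header and payload only. No signature check: we hold no key, and
// the point is to see what the token claims, not to trust it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Summarise the claims a user cares about: whose account, and for how long.
function describeToken(token, nowSec) {
  const { payload } = decodeJwt(token);
  return {
    subject: payload.sub,
    expiresAt: payload.exp,
    expired: typeof payload.exp === 'number' && payload.exp <= nowSec,
  };
}

function isFirstParty(hostname) {
  return FIRST_PARTY.some((d) => hostname === d || hostname.endsWith('.' + d));
}

function extractBearer(headers) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === 'authorization' && /^bearer\s+/i.test(v)) {
      return v.replace(/^bearer\s+/i, '');
    }
  }
  return null;
}

// Wrap a fetch implementation so every call is recorded as {url, headers, body}.
// In a browser, pass `window` so a userscript's fetch() calls land in `log`.
function installFetchMonitor(target, log) {
  const original = target.fetch;
  target.fetch = function (input, init = {}) {
    const url = typeof input === 'string' ? input : input.url;
    const headers = {};
    const h = init.headers || {};
    if (Array.isArray(h)) for (const [k, v] of h) headers[k] = v;
    else if (typeof h.forEach === 'function') h.forEach((v, k) => { headers[k] = v; });
    else Object.assign(headers, h);
    log.push({ url, headers, body: typeof init.body === 'string' ? init.body : '' });
    return original.call(target, input, init);
  };
  return () => { target.fetch = original; }; // restore hook
}

// Report every recorded request that carries the token (header or body),
// and whether its destination is outside the first-party domain.
function auditTokenFlows(requests, token) {
  const report = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    const bearer = extractBearer(r.headers || {});
    const inBody = typeof r.body === 'string' && r.body.includes(token);
    if (bearer !== token && !inBody) continue;
    report.push({ host, via: bearer === token ? 'header' : 'body', thirdParty: !isFirstParty(host) });
  }
  return report;
}
```

Caveat for anyone running this in the browser: a userscript that uses a privileged transport (such as GM_xmlhttpRequest) bypasses the page's fetch() and XMLHttpRequest entirely, so a clean log from this hook is not proof of absence; the network panel of the extension's own background context, or a proxy on the machine, is the authoritative view.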
I'll address these technical concerns you've raised, Lunax OnTop.
First, let's address the trust issue. We've built a thriving Discord community with thousands of users who have been using Duolingo PRO safely for nearly three years. This community exists precisely to establish transparency and trust around our practices. Our track record speaks for itself: no incidents of account theft, no evidence of token misuse, and a growing user base that continues to trust and recommend Duolingo PRO.
Regarding your comparison to DuoFarmer and DuoRain, those scripts cannot compete with Duolingo PRO's performance. Our users can earn 30,000 XP in just 5 seconds. For users with higher limits, that number reaches up to 4,000,000 XP in 5 seconds. We use fundamentally different techniques than those scripts, and our technique is actually safer for earning XP at these speeds and high amounts.
You're correct that our backend cannot be audited, but there's a practical reason for this. The techniques that enable our 30,000-4,000,000 XP in just 5 seconds are proprietary and significantly more advanced than what other scripts use. Open-sourcing this code would expose the existence of these methods to Duolingo, resulting in immediate patching and elimination of our service. The real choice isn't between open-source and closed-source, it's between maintaining a functional, fast, and safe service or having no service at all.
Legacy Mode exists for users who prioritize local-only operation over performance. Yes, it's a tradeoff, but it's one that is completely open-source and clearly documented. Users who want maximum speed and features use 3.1 mode with server interaction. Users who want purely local operation use Legacy Mode. Both options are presented in the UI and our ToS.
Our architectural approach isn't changing. Our backend is essential for us to continue delivering the performance and features that make Duolingo PRO the fastest XP farming solution available. We understand this requires trust, which is why we've invested years in building a community, maintaining transparency about what data is transmitted, and delivering consistent, reliable service to thousands of users. Everyone who wants to use Duolingo PRO is welcome to make their own informed decision based on our track record.
We all know you use the story endpoint that every script uses, but you send multiple requests simultaneously to give the illusion of instant XP. You are not fooling anyone. I even saw my lesson history after farming XP with your script, and there were multiple story lessons. I have personally tried every story endpoint to see if one of them hasn't had the happy-hour-bonus vulnerability patched, but they are limited to 499 XP, which leads
Sending over 61 requests in about 4 seconds would already slam into Duolingo's rate limits for 30,000 XP.

Proxies exist, retard.
Proxies cannot prevent Duolingo from banning an account that sends 8,017 requests in 4 seconds. Even if the traffic is spread across different IPs, the account-level behavior is extremely detectable by Duolingo’s backend and will lead to a ban.
Also, it is kind of telling that you completely ignored the second half of what I wrote, because you know you cannot actually refute any of those points. And I think you ignored my previous comment because you can't refute it.
If Duolingo really wanted to patch these techniques, they would just filter through the server logs to find out how you're doing it, and then they'd immediately be able to patch it.
If Duolingo even cared about patching XP farming at all, they would have at least patched the lesser-known methods by now.
Nobody working for Duolingo knows that your script even exists.
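The point made above about proxies is a general one: rotating source IPs hides a burst from any counter keyed on IP, but not from one keyed on the account that authenticated the requests. The following is an added example, not code from the thread or from Duolingo: a sliding-window request counter run over constructed log lines, once keyed by IP and once by account, to show that the same burst is invisible in one view and obvious in the other. The log format, the window length, the threshold and the sample traffic are all assumptions made for this example; it says nothing about how Duolingo's backend actually works.

```javascript
// Added example: account-keyed burst detection versus IP-keyed detection.
// Not part of the original thread; log format and thresholds are assumed.

const WINDOW_MS = 4000; // assumption: window matching the "requests in 4 seconds" claim above
const THRESHOLD = 60;   // assumption: flag any key exceeding this many requests in one window

// Constructed log line format: "<unix_ms> <account_id> <source_ip> <method> <path>"
function parseLine(line) {
  const [ts, account, ip, method, path] = line.trim().split(/\s+/);
  return { ts: Number(ts), account, ip, method, path };
}

// Peak number of events per key inside any WINDOW_MS-wide sliding window.
function peakPerKey(events, keyFn) {
  const byKey = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(e.ts);
  }
  const peaks = {};
  for (const [k, stamps] of byKey) {
    stamps.sort((a, b) => a - b);
    let lo = 0;
    let best = 0;
    for (let hi = 0; hi < stamps.length; hi++) {
      while (stamps[hi] - stamps[lo] >= WINDOW_MS) lo++; // drop events that fell out of the window
      best = Math.max(best, hi - lo + 1);
    }
    peaks[k] = best;
  }
  return peaks;
}

// Keys whose peak exceeds the threshold, sorted for stable output.
function flagged(peaks) {
  return Object.entries(peaks)
    .filter(([, n]) => n > THRESHOLD)
    .map(([k]) => k)
    .sort();
}

// Constructed sample: account 1001 sends 100 session-complete requests in
// about 3 seconds, rotated over 10 source IPs (10 requests per IP);
// account 2002 completes two lessons a few minutes apart from one IP.
function sampleLog() {
  const lines = [];
  const t0 = 1700000000000;
  for (let i = 0; i < 100; i++) {
    lines.push(`${t0 + i * 30} 1001 203.0.113.${i % 10} PUT /sessions/s${i}`);
  }
  lines.push(`${t0 + 500} 2002 198.51.100.7 PUT /sessions/a`);
  lines.push(`${t0 + 200000} 2002 198.51.100.7 PUT /sessions/b`);
  return lines;
}

// Run both views over the same events: the per-IP view sees ten quiet
// sources, the per-account view sees one account doing 100 in a window.
function analyse(lines) {
  const events = lines.map(parseLine);
  return {
    byIp: flagged(peakPerKey(events, (e) => e.ip)),
    byAccount: flagged(peakPerKey(events, (e) => e.account)),
  };
}
```

The per-IP view returns nothing because each proxy address only carried ten requests, which is exactly why spreading traffic over proxies feels effective from the client side; the per-account view flags account 1001 immediately because the session-complete requests all authenticated as the same user.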
Hey, yeah, I now know that you have found some kind of vulnerability in "PRACTICE" type lessons, and now I know that you guys are trying to hide it. I'm going to find it and open-source it. Thanks for the hints along the way.
No problem, although it seems like you might have misunderstood the hints a bit. Either way, good luck with your search!
Oh yeah, thank you very much. I only took the hint that you don't spam stuff, which means there is a parameter that is vulnerable and grants millions of XP.
DO NOT USE! THIS SCRIPT SENDS YOUR DUOLINGO AUTHORIZATION TOKEN TO THE SCRIPT OWNERS.
This script steals your account and sends your Duolingo authorization token to the script owners. You should use an open-source script that doesn't misuse your data instead. This script sends your JWT token to a private, third-party API owned by the creators of this script (api.duolingopro.net). This is unnecessary, and there's no reason they would do something like this unless they were stealing people's JWT tokens.
If you REALLY, REALLY want to use this script, then make sure you use a VPN to hide your IP address from these scammers, and make sure you use an alternate account without a premium subscription and with no personal information attached to it. I suggest you find another script instead.