If you're interested in investing your time into MCAuth's development then at least RTFM. Once you have make sure your pull requests are heavily described and give it the "why" you made the pull request.
As you dig deep into the source-code there's going to be a lot of methodology unexplained in the documentation above. Most of it will be covered below, but if something needs clarification then leave an issue.
The bot has something called the Sync struct, since we can't rely on the Discord API so heavily (because rate-limits) the bot will stay in sync with every guild member's roles with what's given in the websocket. This is all stored in memory so when MCAuth goes offline all the roles are cleared.
This is done in /internal/bot/sync.go
For some situations we might need to figure out what a UUID is associated to what player name or vice-versa so we can use the Mojang API to resolve them.
The webserver has a token attribute in the config.yml. Requests are checked up in internal/webserver/routes/authenticator.go
go nuts.