Why Discord Webhook ‘Token’ Property Cannot Be Used to Edit Messages

When you send a message through a Discord webhook, the API returns a JSON object that includes a “token” property. Many developers assume this token can be reused to edit or delete that specific message later. This assumption leads to 403 Forbidden errors because Discord does not accept the returned token for message modification endpoints. The webhook token that allows message editing is the same token you use to create the webhook, not the one returned in the message response. This article explains why this mismatch occurs and how to correctly edit messages using the webhook’s original token.

Key Takeaways: Discord Webhook Token vs Message Token

  • Webhook creation token (stored in URL): The only token that can edit or delete messages sent by that webhook.
  • Response token (in message JSON): A temporary reference token that cannot be used for any API call.
  • Discord API endpoint format: Use PATCH /webhooks/{webhook.id}/{webhook.token}/messages/{message.id} — never the response token.

Why Discord Returns a Token in the Webhook Message Response

When you send a message via a webhook, Discord returns a JSON object that contains a property named “token.” This property is not a security token for authentication. It is a unique identifier for the message itself, used internally by Discord to track which webhook sent it. The API documentation refers to this as the “message token” to distinguish it from the webhook token.

The webhook token that grants edit and delete permissions is the one provided when you created the webhook. This token is part of the webhook URL, which looks like https://discord.com/api/webhooks/123456789/abcDEFghijKLMnoPQRstUV. The second segment after the webhook ID is the webhook token. Discord stores this token server-side and uses it to authenticate any request made to edit or delete messages from that webhook.

The message-level token returned in each response is not stored by Discord for authentication purposes. It is a reference ID that helps Discord correlate the message to its originating webhook. Attempting to use this token in an API call results in a 403 Forbidden error because Discord’s authentication system does not recognize it as a valid credential for the PATCH /webhooks/{webhook.id}/{webhook.token}/messages/{message.id} endpoint.

How Discord Authenticates Webhook Message Edits

Discord requires two pieces of information to authenticate a message edit request: the webhook ID and the webhook token. The webhook ID identifies which webhook owns the message. The webhook token proves that your application has permission to modify messages from that webhook. Both must come from the webhook creation process, not from the message response. The endpoint format is fixed: PATCH /webhooks/{webhook.id}/{webhook.token}/messages/{message.id}. If you substitute the message token for the webhook token, Discord rejects the request.

Steps to Correctly Edit a Webhook Message Using the Original Token

To edit a message sent by a webhook, you must store the webhook token from the creation URL and the message ID from the response. Follow these steps exactly.

  1. Extract the webhook token from the webhook URL
    When you create a webhook in Discord, the URL contains the webhook ID and webhook token. For example, in https://discord.com/api/webhooks/123456789/abcDEFghijKLMnoPQRstUV, the token is abcDEFghijKLMnoPQRstUV. Save this token in your application’s configuration or database.
  2. Capture the message ID from the webhook response
    After sending a message via the webhook, parse the response JSON. The id property is the message ID. The token property in the response is not used. Store only the message ID.
  3. Build the correct API endpoint
    Construct the URL: https://discord.com/api/webhooks/{webhook.id}/{webhook.token}/messages/{message.id}. Replace {webhook.id} with the numeric ID from the webhook URL, {webhook.token} with the token you saved in step 1, and {message.id} with the ID from step 2.
  4. Send a PATCH request with the updated content
    Use an HTTP PATCH request to the endpoint from step 3. Include a JSON body with the fields you want to update. For example, to change the message content, send {"content": "Updated message text"}. Do not include any authentication headers — Discord authenticates the request using the token in the URL.
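
The four steps above as a standard-library Python sketch (an added example, not code from the original article). The function names, the token character set and the sample message ID 987654321 are assumptions; the request is built but not sent, and `redact` masks the token before the URL is logged, since the URL itself carries the credential.

```python
import json
import re
import urllib.request

# Fields the page lists as editable once a message has been sent.
EDITABLE_FIELDS = {"content", "embeds", "components", "attachments"}
# Assumption: tokens are URL-safe characters, as in the page's example URL.
WEBHOOK_URL_RE = re.compile(
    r"^https://discord\.com/api/webhooks/(?P<id>[0-9]+)/(?P<token>[A-Za-z0-9_-]+)/?$")

def parse_webhook_url(url):
    """Step 1: split the creation URL into (webhook_id, webhook_token)."""
    m = WEBHOOK_URL_RE.match(url)
    if m is None:
        raise ValueError("not a Discord webhook URL")
    return m.group("id"), m.group("token")

def message_id_from_response(response_json):
    """Step 2: keep the message ID; every other property is ignored."""
    return str(json.loads(response_json)["id"])

def build_edit_request(webhook_url, message_id, fields):
    """Steps 3 and 4: build the PATCH request without sending it."""
    if not re.fullmatch(r"[0-9]+", str(message_id)):
        raise ValueError("message ID must be numeric")
    unknown = set(fields) - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    webhook_id, token = parse_webhook_url(webhook_url)
    url = (f"https://discord.com/api/webhooks/{webhook_id}/{token}"
           f"/messages/{message_id}")
    return urllib.request.Request(
        url, data=json.dumps(fields).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="PATCH")

def redact(url):
    """Mask the token so the URL can be written to logs."""
    return re.sub(r"(/webhooks/[0-9]+/)[A-Za-z0-9_-]+", r"\1<redacted>", url)

# Constructed sample data built from the page's example values.
SAMPLE_URL = "https://discord.com/api/webhooks/123456789/abcDEFghijKLMnoPQRstUV"
SAMPLE_RESPONSE = ('{"id": "987654321", "content": "hello", '
                   '"token": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA"}')

if __name__ == "__main__":
    req = build_edit_request(SAMPLE_URL,
                             message_id_from_response(SAMPLE_RESPONSE),
                             {"content": "Updated message text"})
    print(req.get_method(), redact(req.full_url))
    # Sending it for real would be: urllib.request.urlopen(req)
```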

If the Edit Still Fails After Using the Correct Token

403 Forbidden Error When PATCHing the Webhook Message

A 403 error that persists after you switch to the webhook token usually means the stored token is incorrect or expired. Verify that the token in your URL matches the one from the webhook creation. Webhook tokens do not expire unless the webhook is deleted and recreated. If you regenerated the webhook URL in Discord’s Server Settings > Integrations > Webhooks, the token changes. Update your stored token accordingly.

400 Bad Request When Sending the PATCH Body

A 400 error indicates the request body is malformed or contains invalid fields. Ensure your JSON is valid and matches the Discord API specification. For example, the content field must be a string, and you cannot update username or avatar_url after the message is sent. Only content, embeds, components, and attachments can be modified.

404 Not Found When Using the Message ID

A 404 error means the message ID is incorrect or the message has been deleted. Verify that the message ID was captured from the correct response. If the message was deleted by a user or a bot, Discord returns 404. You cannot edit a deleted message.

| Item | Webhook Token (from creation URL) | Message Token (from response JSON) |
|---|---|---|
| Purpose | Authenticates API requests to edit or delete messages | Internal reference ID for the message |
| Can edit messages | Yes | No |
| Can delete messages | Yes | No |
| Where to find it | Webhook URL, second path segment | Response JSON, token property |
| Example value | abcDEFghijKLMnoPQRstUV | MTIzNDU2Nzg5MDEyMzQ1Njc4OTA |

Discord’s webhook system uses two distinct token types for different purposes. The webhook token from the creation URL is the only credential that allows message editing and deletion. The message token returned in responses is a read-only identifier that cannot authenticate any API call. Always store the webhook token from the URL, not from the message response. For advanced use, consider using Discord’s interaction webhook system where you can edit messages using PATCH /webhooks/{application.id}/{interaction.token}/messages/@original — this endpoint also requires the interaction token, not a message response token.
