DEV Community

David | Kordhub
David | Kordhub

Posted on

How I protect Discord webhook URLs from being exposed in frontend code

The Problem

If you've ever used Discord webhooks in a frontend app, you've probably done something like this:

const webhookUrl = "https://discord.com/api/webhooks/123456/abc..."
fetch(webhookUrl, { method: "POST", body: JSON.stringify(message) })
Enter fullscreen mode Exit fullscreen mode

The problem: that URL is now visible to anyone who opens DevTools.
They can use it to spam your Discord server, send fake alerts,
or simply abuse it until Discord revokes it.

The Solution: Never expose the real URL

The pattern that actually works:

  1. Register your webhook URL once through a secure backend
  2. Get back a safe ID (like whk_abc123)
  3. Use only that ID in your frontend — the real URL never leaves the server

How it works in practice

Register once (server-side or one-time setup):

POST /v1/webhooks
{ "discord_webhook_url": "https://discord.com/api/webhooks/..." }

Response: { "webhook_id": "whk_abc123" }
Enter fullscreen mode Exit fullscreen mode

Send messages using only the ID:

POST /v1/send
{
  "webhook_id": "whk_abc123",
  "content": "New sale: $49.99",
  "title": "Payment received",
  "mode": "auto"
}
Enter fullscreen mode Exit fullscreen mode

The server decrypts the real URL, formats the message into a
clean Discord embed, strips any @everyone/@here spam, and delivers it.
Your frontend never sees the real webhook URL again.

Bonus: automatic spam filtering

Even if someone on your team accidentally sends @everyone in
an automated message, the API strips it before it reaches Discord.

Try it free

I built this as a standalone API available on RapidAPI with a
free tier (200 messages/month, no card required):

https://rapidapi.com/kordhubdev/api/kordhub-discord-webhook-shield-formatter

Would love feedback — especially from anyone who's dealt with
webhook abuse before.

Top comments (0)