Oh My Discord tutorial · 01 · external apps

So you landed here because someone was worried about your server.

If you're reading this, the server that linked you here probably has External Apps turned on for everyone. It's a genuinely useful feature but in the wrong hands it's also one of the easier ways to get a server nuked.

This page is a two-minute fix. No drama.

You don't have to disable External Apps server-wide. You just want to make sure trusted people are the only ones who can use them. That's the difference between a useful tool and an open door.

01 / whatWhat External Apps actually does

External Apps lets members run third-party app (Bot) commands inside any server, even servers where that app isn't installed. Slick for productivity. Risky for moderation, because the commands run with the invoking user's identity and reach.

the upside

Use any app, anywhere

A member can summon their favorite utility, search, or tool inside your server without anyone installing it first.

the risk

Bad actors get more reach

A compromised or malicious external app can be invoked by any member who has the permission, including mass-action and spam tooling.

02 / fixHow to lock it down

The goal: remove the Use External Apps permission from your @everyone role. Then grant it back, deliberately, to roles you trust. Four steps.

Open your server settings

Click your server name at the top-left, then Server Settings. You'll need the Manage Roles permission to do this, if you don't have it, ask the owner.

Go to Roles → @everyone

This is the role every member has by default. Whatever permissions are checked here apply to literally everyone, including brand-new joins and (potentially) compromised accounts.

Find Use External Apps and turn it off

Scroll the permission list. The toggle you want sits in the same area as Send Messages and Embed Links. Flip it off for @everyone.

role · @everyone · permissions

Send Messages post in text channels

Embed Links show link previews inline

              Use External Apps
              invoke apps not installed in this server
            

Attach Files upload images and documents

Add Reactions react with emoji

Save changes, then grant it back to trusted roles

Hit Save. Then, for any role you genuinely trust (Maybe your Staff or trusted People) role re-enable the same permission on that role only. Now only those people can use external apps, and your @everyone floor is back to safe.

03 / bonusPer-channel override (optional)

If you want to keep External Apps on globally but block it in one sensitive channel say #announcements or #general. Open that channel's settings, go to Permissions, pick @everyone, and switch Use External Apps to the red "denied" state. Channel-level denies override role-level allows.

04 / faqQuick questions

Will this break apps that are actually installed in my server? +

No. Installed (server-integrated) apps run through their own scopes. The "Use External Apps" permission only governs apps that are not installed in your server but are being invoked from someone's user-level install.

Why was this turned on by default? +

So that user-installed apps "just work" the moment someone joins a new server. Convenient default but convenience and safety usually trade off, and this is one of those places.

What does a "server nuke" actually look like here? +

With that amount of Permissions, it would be only heavy Spam from a Bot that you cant Ban.

Can I still let one specific person use external apps? +

Yes, make a role (e.g. trusted-tools), turn the permission on for just that role, and assign it to the people you trust. Roles can grant permissions back on top of an @everyone deny.