diff --git a/src/app/(app)/integrations/discord/link/route.ts b/src/app/(app)/integrations/discord/link/route.ts
new file mode 100644
index 000000000..a6a4e0a63
--- /dev/null
+++ b/src/app/(app)/integrations/discord/link/route.ts
@@ -0,0 +1,120 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import * as z from 'zod';
+import { APP_URL } from '@/lib/constants';
+import { getUserFromAuth } from '@/lib/user.server';
+import { createOAuthState, type OAuthStateContext } from '@/lib/integrations/oauth-state';
+import { getDiscordUserLinkOAuthUrl, getInstallation } from '@/lib/integrations/discord-service';
+import { isOrganizationMember } from '@/lib/organizations/organizations';
+import type { Owner } from '@/lib/integrations/core/types';
+
+const DISCORD_SNOWFLAKE_REGEX = /^\d+$/;
+
+const LinkRequestSchema = z
+  .discriminatedUnion('ownerType', [
+    z.object({
+      ownerType: z.literal('org'),
+      ownerId: z.uuid(),
+      guildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      channelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      messageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+    }),
+    z.object({
+      ownerType: z.literal('user'),
+      ownerId: z.string().min(1),
+      guildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      channelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      messageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+    }),
+  ])
+  .superRefine((value, ctx) => {
+    const presentCount = [value.guildId, value.channelId, value.messageId].filter(Boolean).length;
+    if (presentCount > 0 && presentCount < 3) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'guildId, channelId, and messageId must be provided together',
+      });
+    }
+  });
+
+function buildIntegrationPath(owner: Owner, queryParam?: string): string {
+  const basePath =
+    owner.type === 'org'
+      ? `/organizations/${owner.id}/integrations/discord`
+      : '/integrations/discord';
+
+  return queryParam ? `${basePath}?${queryParam}` : basePath;
+}
+
+function buildSignInPath(callbackPath: string): string {
+  return `/users/sign_in?callbackPath=${encodeURIComponent(callbackPath)}`;
+}
+
+export async function GET(request: NextRequest) {
+  const parsed = LinkRequestSchema.safeParse({
+    ownerType: request.nextUrl.searchParams.get('ownerType'),
+    ownerId: request.nextUrl.searchParams.get('ownerId'),
+    guildId: request.nextUrl.searchParams.get('guildId') ?? undefined,
+    channelId: request.nextUrl.searchParams.get('channelId') ?? undefined,
+    messageId: request.nextUrl.searchParams.get('messageId') ?? undefined,
+  });
+
+  if (!parsed.success) {
+    return NextResponse.redirect(new URL('/integrations/discord?error=invalid_link', APP_URL));
+  }
+
+  const owner: Owner =
+    parsed.data.ownerType === 'org'
+      ? { type: 'org', id: parsed.data.ownerId }
+      : { type: 'user', id: parsed.data.ownerId };
+
+  const callbackPath = `${request.nextUrl.pathname}${request.nextUrl.search}`;
+  const authResult = await getUserFromAuth({ adminOnly: false });
+  if (!authResult.user) {
+    return NextResponse.redirect(new URL(buildSignInPath(callbackPath), APP_URL));
+  }
+
+  if (owner.type === 'org' && !authResult.user.is_admin) {
+    const isMember = await isOrganizationMember(owner.id, authResult.user.id);
+    if (!isMember) {
+      return NextResponse.redirect(
+        new URL(buildIntegrationPath(owner, 'error=unauthorized'), APP_URL)
+      );
+    }
+  }
+
+  if (owner.type === 'user' && authResult.user.id !== owner.id) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=unauthorized'), APP_URL)
+    );
+  }
+
+  const installation = await getInstallation(owner);
+  if (!installation) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=installation_missing'), APP_URL)
+    );
+  }
+
+  const replayContext: OAuthStateContext | undefined =
+    parsed.data.guildId && parsed.data.channelId && parsed.data.messageId
+      ? {
+          discordReplayGuildId: parsed.data.guildId,
+          discordReplayChannelId: parsed.data.channelId,
+          discordReplayMessageId: parsed.data.messageId,
+        }
+      : undefined;
+
+  if (
+    replayContext?.discordReplayGuildId &&
+    installation.platform_installation_id !== replayContext.discordReplayGuildId
+  ) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=invalid_link'), APP_URL)
+    );
+  }
+
+  const statePrefix = owner.type === 'org' ? `org_${owner.id}` : `user_${owner.id}`;
+  const state = createOAuthState(statePrefix, authResult.user.id, replayContext);
+  return NextResponse.redirect(getDiscordUserLinkOAuthUrl(state));
+}
diff --git a/src/app/api/integrations/discord/callback/route.ts b/src/app/api/integrations/discord/callback/route.ts
index 01b118bdc..7a5ee4ac6 100644
--- a/src/app/api/integrations/discord/callback/route.ts
+++ b/src/app/api/integrations/discord/callback/route.ts
@@ -1,12 +1,154 @@
 import type { NextRequest } from 'next/server';
-import { NextResponse } from 'next/server';
+import { after, NextResponse } from 'next/server';
 import { getUserFromAuth } from '@/lib/user.server';
 import { ensureOrganizationAccess } from '@/routers/organizations/utils';
 import type { Owner } from '@/lib/integrations/core/types';
 import { captureException, captureMessage } from '@sentry/nextjs';
-import { exchangeDiscordCode, upsertDiscordInstallation } from '@/lib/integrations/discord-service';
+import {
+  exchangeDiscordCode,
+  getDiscordBotUserId,
+  getDiscordChannelMessage,
+  getDiscordOAuthUserId,
+  linkDiscordRequesterToOwner,
+  postDiscordMessage,
+  upsertDiscordInstallation,
+} from '@/lib/integrations/discord-service';
 import { verifyOAuthState } from '@/lib/integrations/oauth-state';
 import { APP_URL } from '@/lib/constants';
+import { processDiscordBotMessage } from '@/lib/discord-bot';
+import { getDevUserSuffix } from '@/lib/slack-bot/dev-user-info';
+import {
+  isDiscordBotMessage,
+  replaceDiscordUserMentionsWithNames,
+  stripDiscordBotMention,
+  truncateForDiscord,
+} from '@/lib/discord-bot/discord-utils';
+import { z } from 'zod';
+
+const DISCORD_SNOWFLAKE_REGEX = /^\d+$/;
+
+const DiscordReplayContextSchema = z.object({
+  discordReplayGuildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+  discordReplayChannelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+  discordReplayMessageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+});
+
+type DiscordReplayContext = {
+  guildId: string;
+  channelId: string;
+  messageId: string;
+};
+
+function getDiscordReplayContext(
+  value: Record<string, string> | undefined
+): DiscordReplayContext | null {
+  if (!value) {
+    return null;
+  }
+
+  const parsed = DiscordReplayContextSchema.safeParse(value);
+  if (!parsed.success) {
+    return null;
+  }
+
+  return {
+    guildId: parsed.data.discordReplayGuildId,
+    channelId: parsed.data.discordReplayChannelId,
+    messageId: parsed.data.discordReplayMessageId,
+  };
+}
+
+async function replayLinkedDiscordMessage(
+  replayContext: DiscordReplayContext,
+  linkedDiscordUserId: string
+): Promise<void> {
+  const messageResult = await getDiscordChannelMessage(
+    replayContext.channelId,
+    replayContext.messageId
+  );
+  if (!messageResult.ok) {
+    captureMessage('Discord replay failed to fetch original message', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: messageResult.error },
+    });
+    return;
+  }
+
+  const message = messageResult.message;
+  if (message.author.id !== linkedDiscordUserId) {
+    captureMessage('Discord replay skipped due to author mismatch', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: {
+        replayContext,
+        expectedDiscordUserId: linkedDiscordUserId,
+        messageAuthorId: message.author.id,
+      },
+    });
+    return;
+  }
+
+  if (isDiscordBotMessage({ author: { bot: message.author.bot } })) {
+    return;
+  }
+
+  const botUserResult = await getDiscordBotUserId();
+  if (!botUserResult.ok) {
+    captureMessage('Discord replay failed to resolve bot user', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: botUserResult.error },
+    });
+    return;
+  }
+
+  const botUserId = botUserResult.userId;
+  const mentionsBot = message.mentions.some(mention => mention.id === botUserId);
+  if (!mentionsBot) {
+    captureMessage('Discord replay skipped because message no longer mentions bot', {
+      level: 'info',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, botUserId },
+    });
+    return;
+  }
+
+  const cleanedText = stripDiscordBotMention(message.content, botUserId);
+  if (!cleanedText) {
+    return;
+  }
+
+  const resolvedText = await replaceDiscordUserMentionsWithNames(
+    cleanedText,
+    replayContext.guildId
+  );
+  const result = await processDiscordBotMessage(resolvedText, replayContext.guildId, {
+    channelId: replayContext.channelId,
+    guildId: replayContext.guildId,
+    userId: linkedDiscordUserId,
+    messageId: replayContext.messageId,
+  });
+
+  const responseText = truncateForDiscord(result.response + getDevUserSuffix());
+  const postResult = await postDiscordMessage(replayContext.channelId, responseText, {
+    messageReference: { message_id: replayContext.messageId },
+    linkButton: result.linkDiscordAccountUrl
+      ? {
+          label: 'Link My Discord Account',
+          url: result.linkDiscordAccountUrl,
+        }
+      : undefined,
+  });
+
+  if (!postResult.ok) {
+    captureMessage('Discord replay failed to post response', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: postResult.error },
+    });
+  }
+}
 
 const buildDiscordRedirectPath = (state: string | null, queryParam: string): string => {
   // Try to extract the owner from a signed state for best-effort redirects on error paths.
@@ -89,6 +231,8 @@ export async function GET(request: NextRequest) {
       return NextResponse.redirect(new URL('/integrations?error=unauthorized', APP_URL));
     }
 
+    const replayContext = getDiscordReplayContext(verified.context);
+
     // 5. Parse owner from verified state payload
     let owner: Owner;
     const ownerStr = verified.owner;
@@ -121,14 +265,53 @@ export async function GET(request: NextRequest) {
     // 7. Exchange code for access token
     const oauthData = await exchangeDiscordCode(code);
 
-    // 8. Store installation in database
-    await upsertDiscordInstallation(owner, oauthData);
+    // 8. Resolve the Discord requester identity and persist authorization mapping
+    const discordUserId = await getDiscordOAuthUserId(oauthData.access_token);
+    const authorizedRequester = {
+      kiloUserId: user.id,
+      discordUserId,
+    };
+
+    const isInstallFlow = Boolean(oauthData.guild?.id);
+    if (isInstallFlow) {
+      await upsertDiscordInstallation(owner, oauthData, authorizedRequester);
+    } else {
+      const linked = await linkDiscordRequesterToOwner(owner, authorizedRequester);
+      if (!linked) {
+        captureMessage('Discord user link callback without an existing installation', {
+          level: 'warning',
+          tags: { endpoint: 'discord/callback', source: 'discord_oauth' },
+          extra: { owner, userId: user.id },
+        });
+
+        return NextResponse.redirect(
+          new URL(buildDiscordRedirectPath(state, 'error=installation_missing'), APP_URL)
+        );
+      }
+
+      if (replayContext && replayContext.guildId === linked.platform_installation_id) {
+        after(async () => {
+          await replayLinkedDiscordMessage(replayContext, discordUserId);
+        });
+      } else if (replayContext) {
+        captureMessage('Discord replay context guild mismatch; replay skipped', {
+          level: 'warning',
+          tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+          extra: {
+            replayContext,
+            linkedInstallationGuildId: linked.platform_installation_id,
+            owner,
+          },
+        });
+      }
+    }
 
     // 9. Redirect to success page
-    const successPath =
-      owner.type === 'org'
+    const successPath = isInstallFlow
+      ? owner.type === 'org'
         ? `/organizations/${owner.id}/integrations/discord?success=installed`
-        : `/integrations/discord?success=installed`;
+        : '/integrations/discord?success=installed'
+      : '/integrations/discord/link/success';
 
     return NextResponse.redirect(new URL(successPath, APP_URL));
   } catch (error) {
diff --git a/src/app/discord/webhook/route.ts b/src/app/discord/webhook/route.ts
index 7b80b678f..6521d09ee 100644
--- a/src/app/discord/webhook/route.ts
+++ b/src/app/discord/webhook/route.ts
@@ -171,6 +171,12 @@ async function processGatewayMessage(event: ForwardedGatewayEvent) {
   const responseText = truncateForDiscord(responseWithDevInfo);
   const postResult = await postDiscordMessage(channelId, responseText, {
     messageReference: { message_id: messageId },
+    linkButton: result.linkDiscordAccountUrl
+      ? {
+          label: 'Link My Discord Account',
+          url: result.linkDiscordAccountUrl,
+        }
+      : undefined,
   });
 
   console.log(
diff --git a/src/app/integrations/discord/link/success/page.tsx b/src/app/integrations/discord/link/success/page.tsx
new file mode 100644
index 000000000..270c42799
--- /dev/null
+++ b/src/app/integrations/discord/link/success/page.tsx
@@ -0,0 +1,22 @@
+import { KiloCardLayout } from '@/components/KiloCardLayout';
+import { CheckCircle2 } from 'lucide-react';
+import { getUserFromAuthOrRedirect } from '@/lib/user.server';
+
+export default async function DiscordLinkSuccessPage() {
+  await getUserFromAuthOrRedirect('/users/sign_in?callbackPath=/integrations/discord/link/success');
+
+  return (
+    <KiloCardLayout
+      className="max-w-xl"
+      contentClassName="flex flex-col items-center gap-6 py-12 text-center"
+    >
+      <CheckCircle2 className="h-20 w-20 text-green-600" />
+      <div className="space-y-2">
+        <h1 className="text-3xl font-semibold tracking-tight">Discord account linked</h1>
+        <p className="text-muted-foreground text-lg">
+          Your account is now linked to Kilo. You can close this tab and return to Discord.
+        </p>
+      </div>
+    </KiloCardLayout>
+  );
+}
diff --git a/src/components/integrations/DiscordIntegrationDetails.tsx b/src/components/integrations/DiscordIntegrationDetails.tsx
index 0eb6d7230..adb1b72bd 100644
--- a/src/components/integrations/DiscordIntegrationDetails.tsx
+++ b/src/components/integrations/DiscordIntegrationDetails.tsx
@@ -274,7 +274,17 @@ export function DiscordIntegrationDetails({
               </div>
 
               {/* Actions */}
+              <Alert>
+                <AlertDescription>
+                  Each team member who wants to use Kilo in Discord must link their own Discord
+                  account.
+                </AlertDescription>
+              </Alert>
+
               <div className="flex flex-wrap gap-3">
+                <Button variant="outline" onClick={handleInstall} disabled={!oauthUrlData?.url}>
+                  Link My Discord Account
+                </Button>
                 <Button
                   variant="outline"
                   onClick={handleTestConnection}
diff --git a/src/lib/discord-bot.ts b/src/lib/discord-bot.ts
index b16efaf7b..8d06f5a07 100644
--- a/src/lib/discord-bot.ts
+++ b/src/lib/discord-bot.ts
@@ -25,9 +25,10 @@ import {
   getDiscordConversationContext,
   type DiscordEventContext,
 } from '@/lib/discord-bot/discord-channel-context';
-import { getDiscordBotAuthTokenForOwner } from '@/lib/discord/auth';
+import { getDiscordAuthTokenForRequester } from '@/lib/discord/auth';
 import { buildDiscordMessageLink } from '@/lib/discord-bot/discord-utils';
 import type { PlatformIntegration } from '@kilocode/db';
+import { APP_URL } from '@/lib/constants';
 
 // Version string for API requests
 const DISCORD_BOT_VERSION = '5.0.0';
@@ -42,9 +43,25 @@ export type DiscordBotMessageResult = {
   toolCallsMade: string[];
   cloudAgentSessionId?: string;
   error?: string;
+  linkDiscordAccountUrl?: string;
   installation: PlatformIntegration | null;
 };
 
+function buildDiscordAccountLinkUrl(owner: Owner, eventContext?: DiscordEventContext): string {
+  const params = new URLSearchParams({
+    ownerType: owner.type,
+    ownerId: owner.id,
+  });
+
+  if (eventContext) {
+    params.set('guildId', eventContext.guildId);
+    params.set('channelId', eventContext.channelId);
+    params.set('messageId', eventContext.messageId);
+  }
+
+  return `${APP_URL}/integrations/discord/link?${params.toString()}`;
+}
+
 const KILO_BOT_SYSTEM_PROMPT = `You are Kilo Bot, a helpful AI assistant integrated into Discord.
 
 ## Core behavior
@@ -258,8 +275,23 @@ export async function processDiscordBotMessage(
   }
   console.log('[DiscordBot] Using model:', selectedModel);
 
-  const authResult = await getDiscordBotAuthTokenForOwner(owner);
+  const authResult = await getDiscordAuthTokenForRequester(owner, {
+    metadata: installation.metadata,
+    discordUserId: discordEventContext?.userId,
+  });
   if ('error' in authResult) {
+    if (authResult.errorCode === 'unlinked_requester') {
+      return {
+        response:
+          'Link your Discord account to Kilo before using this integration. Click the button below to connect now.',
+        modelUsed: '',
+        toolCallsMade: [],
+        error: authResult.error,
+        linkDiscordAccountUrl: buildDiscordAccountLinkUrl(owner, discordEventContext),
+        installation,
+      };
+    }
+
     return {
       response: `Error: ${authResult.error}`,
       modelUsed: '',
diff --git a/src/lib/discord/auth.test.ts b/src/lib/discord/auth.test.ts
new file mode 100644
index 000000000..259ccb3cc
--- /dev/null
+++ b/src/lib/discord/auth.test.ts
@@ -0,0 +1,136 @@
+import { beforeEach, describe, expect, test } from '@jest/globals';
+import { getDiscordAuthTokenForRequester } from '@/lib/discord/auth';
+import { addUserToOrganization, createOrganization } from '@/lib/organizations/organizations';
+import { db } from '@/lib/drizzle';
+import { insertTestUser } from '@/tests/helpers/user.helper';
+import { kilocode_users, organization_memberships, organizations } from '@kilocode/db/schema';
+
+describe('getDiscordAuthTokenForRequester', () => {
+  beforeEach(async () => {
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(organization_memberships);
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(organizations);
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(kilocode_users);
+  });
+
+  test('returns member auth token for org-owned integration when Discord user is linked', async () => {
+    const owner = await insertTestUser();
+    const member = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+    await addUserToOrganization(organization.id, member.id, 'member');
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-member': member.id,
+          },
+        },
+        discordUserId: 'discord-member',
+      }
+    );
+
+    expect('error' in result).toBe(false);
+    if ('error' in result) {
+      return;
+    }
+
+    expect(result.userId).toBe(member.id);
+    expect(result.authToken.length).toBeGreaterThan(20);
+  });
+
+  test('rejects org request when linked Discord user is not an organization member', async () => {
+    const owner = await insertTestUser();
+    const outsider = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-outsider': outsider.id,
+          },
+        },
+        discordUserId: 'discord-outsider',
+      }
+    );
+
+    expect(result).toEqual({
+      error: 'This Discord user is not a member of the organization that owns this integration.',
+      errorCode: 'not_org_member',
+    });
+  });
+
+  test('rejects org request when Discord user has no link', async () => {
+    const owner = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-owner': owner.id,
+          },
+        },
+        discordUserId: 'discord-unknown',
+      }
+    );
+
+    expect(result).toEqual({
+      error:
+        'This Discord user is not linked to a Kilo member for this integration. Open Kilo integration settings and click "Link My Discord Account" using this Discord user.',
+      errorCode: 'unlinked_requester',
+    });
+  });
+
+  test('allows user-owned integration when requester maps to the owner', async () => {
+    const user = await insertTestUser();
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'user', id: user.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-owner': user.id,
+          },
+        },
+        discordUserId: 'discord-owner',
+      }
+    );
+
+    expect('error' in result).toBe(false);
+    if ('error' in result) {
+      return;
+    }
+
+    expect(result.userId).toBe(user.id);
+    expect(result.authToken.length).toBeGreaterThan(20);
+  });
+
+  test('rejects user-owned integration when requester maps to another user', async () => {
+    const owner = await insertTestUser();
+    const otherUser = await insertTestUser();
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'user', id: owner.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-other': otherUser.id,
+          },
+        },
+        discordUserId: 'discord-other',
+      }
+    );
+
+    expect(result).toEqual({
+      error: 'Only the owner of this user-level integration can use it.',
+      errorCode: 'not_user_owner',
+    });
+  });
+});
diff --git a/src/lib/discord/auth.ts b/src/lib/discord/auth.ts
index 2fca68fa2..c1f406798 100644
--- a/src/lib/discord/auth.ts
+++ b/src/lib/discord/auth.ts
@@ -1,36 +1,72 @@
 import 'server-only';
-import { ensureBotUserForOrg } from '@/lib/bot-users/bot-user-service';
 import { generateApiToken } from '@/lib/tokens';
 import { findUserById } from '@/lib/user';
 import type { Owner } from '@/lib/integrations/core/types';
+import { isOrganizationMember } from '@/lib/organizations/organizations';
+import { getAuthorizedKiloUserIdForDiscordUser } from '@/lib/discord/authorized-users';
+
+export type DiscordAuthErrorCode =
+  | 'missing_requester'
+  | 'unlinked_requester'
+  | 'not_org_member'
+  | 'not_user_owner'
+  | 'linked_user_missing';
+
+type DiscordAuthResult =
+  | { authToken: string; userId: string }
+  | { error: string; errorCode: DiscordAuthErrorCode };
 
 /**
- * Generate an auth token for the given owner (user or organization).
- * For Discord, we don't have a direct email mapping from Discord users to Kilo users,
- * so org-owned integrations always use a bot user for auth.
+ * Generate an auth token for a Discord requester tied to a Kilo user.
+ * We only authorize requesters that are explicitly linked through Discord OAuth.
  */
-export async function getDiscordBotAuthTokenForOwner(
-  owner: Owner
-): Promise<{ authToken: string; userId: string } | { error: string }> {
-  let authToken: string | undefined;
-  let userId: string | undefined;
+export async function getDiscordAuthTokenForRequester(
+  owner: Owner,
+  params: { metadata: unknown; discordUserId?: string | null }
+): Promise<DiscordAuthResult> {
+  if (!params.discordUserId) {
+    return {
+      error: 'Could not verify the Discord requester for this message.',
+      errorCode: 'missing_requester',
+    };
+  }
+
+  const linkedKiloUserId = getAuthorizedKiloUserIdForDiscordUser(
+    params.metadata,
+    params.discordUserId
+  );
+  if (!linkedKiloUserId) {
+    return {
+      error:
+        'This Discord user is not linked to a Kilo member for this integration. Open Kilo integration settings and click "Link My Discord Account" using this Discord user.',
+      errorCode: 'unlinked_requester',
+    };
+  }
 
   if (owner.type === 'org') {
-    // For organizations, use a dedicated bot user
-    const user = await ensureBotUserForOrg(owner.id, 'discord-bot');
-    authToken = generateApiToken(user, { botId: 'discord-bot', internalApiUse: true });
-    userId = user.id;
-  } else {
-    const user = await findUserById(owner.id);
-    if (user) {
-      authToken = generateApiToken(user, { internalApiUse: true });
-      userId = user.id;
+    const isMember = await isOrganizationMember(owner.id, linkedKiloUserId);
+    if (!isMember) {
+      return {
+        error: 'This Discord user is not a member of the organization that owns this integration.',
+        errorCode: 'not_org_member',
+      };
     }
+  } else if (linkedKiloUserId !== owner.id) {
+    return {
+      error: 'Only the owner of this user-level integration can use it.',
+      errorCode: 'not_user_owner',
+    };
   }
 
-  if (!authToken || !userId) {
-    return { error: `Discord bot user not found for ID: ${owner.id} and type: ${owner.type}` };
+  const user = await findUserById(linkedKiloUserId);
+  if (!user) {
+    return {
+      error: `Linked Kilo user not found for Discord user ${params.discordUserId}. Re-authorize the integration from Kilo.`,
+      errorCode: 'linked_user_missing',
+    };
   }
 
-  return { authToken, userId };
+  const authToken = generateApiToken(user, { internalApiUse: true });
+
+  return { authToken, userId: user.id };
 }
diff --git a/src/lib/discord/authorized-users.test.ts b/src/lib/discord/authorized-users.test.ts
new file mode 100644
index 000000000..0944fc7db
--- /dev/null
+++ b/src/lib/discord/authorized-users.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, test } from '@jest/globals';
+import {
+  getAuthorizedDiscordUsers,
+  getAuthorizedKiloUserIdForDiscordUser,
+  linkAuthorizedDiscordUser,
+} from '@/lib/discord/authorized-users';
+
+describe('authorized Discord users metadata', () => {
+  test('returns empty map for invalid metadata', () => {
+    expect(getAuthorizedDiscordUsers(null)).toEqual({});
+    expect(getAuthorizedDiscordUsers('invalid')).toEqual({});
+    expect(getAuthorizedDiscordUsers({ authorized_discord_users: 'invalid' })).toEqual({});
+  });
+
+  test('links a Discord user while preserving existing links', () => {
+    const metadata = {
+      authorized_discord_users: {
+        'discord-user-1': 'kilo-user-1',
+      },
+      model_slug: 'model-1',
+    };
+
+    const updatedMetadata = linkAuthorizedDiscordUser(metadata, {
+      discordUserId: 'discord-user-2',
+      kiloUserId: 'kilo-user-2',
+    });
+
+    expect(getAuthorizedDiscordUsers(updatedMetadata)).toEqual({
+      'discord-user-1': 'kilo-user-1',
+      'discord-user-2': 'kilo-user-2',
+    });
+  });
+
+  test('returns linked Kilo user id for a Discord user', () => {
+    const metadata = {
+      authorized_discord_users: {
+        'discord-user-1': 'kilo-user-1',
+      },
+    };
+
+    expect(getAuthorizedKiloUserIdForDiscordUser(metadata, 'discord-user-1')).toBe('kilo-user-1');
+    expect(getAuthorizedKiloUserIdForDiscordUser(metadata, 'discord-user-2')).toBeNull();
+  });
+});
diff --git a/src/lib/discord/authorized-users.ts b/src/lib/discord/authorized-users.ts
new file mode 100644
index 000000000..c80ae124d
--- /dev/null
+++ b/src/lib/discord/authorized-users.ts
@@ -0,0 +1,50 @@
+const AUTHORIZED_DISCORD_USERS_KEY = 'authorized_discord_users';
+
+type MetadataRecord = Record<string, unknown>;
+
+function isMetadataRecord(value: unknown): value is MetadataRecord {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
+export function getAuthorizedDiscordUsers(metadata: unknown): Record<string, string> {
+  if (!isMetadataRecord(metadata)) {
+    return {};
+  }
+
+  const value = metadata[AUTHORIZED_DISCORD_USERS_KEY];
+  if (!isMetadataRecord(value)) {
+    return {};
+  }
+
+  const authorizedUsers: Record<string, string> = {};
+  for (const [discordUserId, kiloUserId] of Object.entries(value)) {
+    if (typeof kiloUserId === 'string' && kiloUserId.length > 0) {
+      authorizedUsers[discordUserId] = kiloUserId;
+    }
+  }
+
+  return authorizedUsers;
+}
+
+export function linkAuthorizedDiscordUser(
+  metadata: unknown,
+  params: { discordUserId: string; kiloUserId: string }
+): Record<string, unknown> {
+  const nextMetadata = isMetadataRecord(metadata) ? { ...metadata } : {};
+  const existingAuthorizedUsers = getAuthorizedDiscordUsers(metadata);
+
+  nextMetadata[AUTHORIZED_DISCORD_USERS_KEY] = {
+    ...existingAuthorizedUsers,
+    [params.discordUserId]: params.kiloUserId,
+  };
+
+  return nextMetadata;
+}
+
+export function getAuthorizedKiloUserIdForDiscordUser(
+  metadata: unknown,
+  discordUserId: string
+): string | null {
+  const authorizedUsers = getAuthorizedDiscordUsers(metadata);
+  return authorizedUsers[discordUserId] || null;
+}
diff --git a/src/lib/integrations/discord-service.ts b/src/lib/integrations/discord-service.ts
index d0909d2a5..a58320b6d 100644
--- a/src/lib/integrations/discord-service.ts
+++ b/src/lib/integrations/discord-service.ts
@@ -13,16 +13,18 @@ import { getDefaultAllowedModel } from '@/lib/slack-bot/model-allow-list';
 import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
 import { minimax_m25_free_model } from '@/lib/providers/minimax';
 import { CLAUDE_OPUS_CURRENT_MODEL_ID } from '@/lib/providers/anthropic';
+import { linkAuthorizedDiscordUser } from '@/lib/discord/authorized-users';
 
 // Default model for Discord integrations - mirrors the Slack default
 const DISCORD_DEFAULT_MODEL = minimax_m25_free_model.is_enabled
   ? minimax_m25_free_model.public_id
   : CLAUDE_OPUS_CURRENT_MODEL_ID;
 
-// Discord OAuth2 scopes for the bot integration
-// 'bot' scope is needed for the bot to join servers
-// 'guilds' scope allows reading basic guild info
-const DISCORD_SCOPES = ['bot', 'guilds', 'applications.commands'];
+// Discord OAuth2 scopes for installing/updating the bot integration
+const DISCORD_INSTALL_SCOPES = ['bot', 'guilds', 'identify', 'applications.commands'];
+
+// Discord OAuth2 scopes for linking an individual Discord user to an existing integration
+const DISCORD_USER_LINK_SCOPES = ['identify'];
 
 // Discord bot permissions (bitfield)
 // Includes: Send Messages, Read Message History, Add Reactions, Use Slash Commands, Embed Links, Attach Files
@@ -46,6 +48,21 @@ export type DiscordOAuth2Response = {
   };
 };
 
+type DiscordOAuthUser = {
+  id: string;
+};
+
+function isDiscordOAuthUser(value: unknown): value is DiscordOAuthUser {
+  return (
+    typeof value === 'object' &&
+    value !== null &&
+    !Array.isArray(value) &&
+    'id' in value &&
+    typeof value.id === 'string' &&
+    value.id.length > 0
+  );
+}
+
 function getOwnershipConditions(owner: Owner) {
   return owner.type === 'user'
     ? [
@@ -69,7 +86,27 @@ export function getDiscordOAuthUrl(state: string): string {
   const params = new URLSearchParams({
     client_id: DISCORD_CLIENT_ID,
     permissions: DISCORD_BOT_PERMISSIONS,
-    scope: DISCORD_SCOPES.join(' '),
+    scope: DISCORD_INSTALL_SCOPES.join(' '),
+    redirect_uri: DISCORD_REDIRECT_URI,
+    response_type: 'code',
+    state,
+  });
+
+  return `https://discord.com/oauth2/authorize?${params.toString()}`;
+}
+
+/**
+ * Get Discord OAuth URL for linking an individual Discord user.
+ * This flow does not require server admin permissions.
+ */
+export function getDiscordUserLinkOAuthUrl(state: string): string {
+  if (!DISCORD_CLIENT_ID) {
+    throw new Error('DISCORD_CLIENT_ID is not configured');
+  }
+
+  const params = new URLSearchParams({
+    client_id: DISCORD_CLIENT_ID,
+    scope: DISCORD_USER_LINK_SCOPES.join(' '),
     redirect_uri: DISCORD_REDIRECT_URI,
     response_type: 'code',
     state,
@@ -114,6 +151,29 @@ export async function exchangeDiscordCode(code: string): Promise<DiscordOAuth2Re
   return data;
 }
 
+/**
+ * Fetch the Discord user ID associated with an OAuth access token.
+ */
+export async function getDiscordOAuthUserId(accessToken: string): Promise<string> {
+  const response = await fetch('https://discord.com/api/v10/users/@me', {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Discord OAuth user lookup error: ${errorText}`);
+  }
+
+  const userData: unknown = await response.json();
+  if (!isDiscordOAuthUser(userData)) {
+    throw new Error('Discord OAuth user lookup error: No user ID in response');
+  }
+
+  return userData.id;
+}
+
 /**
  * Get Discord installation for an owner
  */
@@ -168,7 +228,8 @@ export function getOwnerFromInstallation(integration: PlatformIntegration): Owne
  */
 export async function upsertDiscordInstallation(
   owner: Owner,
-  oauthResponse: DiscordOAuth2Response
+  oauthResponse: DiscordOAuth2Response,
+  authorizedRequester: { kiloUserId: string; discordUserId: string }
 ): Promise<PlatformIntegration> {
   if (!oauthResponse.guild?.id) {
     throw new Error(
@@ -188,16 +249,15 @@ export async function upsertDiscordInstallation(
 
   if (existing) {
     // Preserve existing model_slug when re-authorizing
-    const existingMetadata = existing.metadata || {};
-    const updatedMetadata = {
-      ...existingMetadata,
-      guild_icon: oauthResponse.guild.icon,
-    };
+    const updatedMetadata = linkAuthorizedDiscordUser(existing.metadata, authorizedRequester);
+    updatedMetadata.guild_icon = oauthResponse.guild.icon;
 
     const [updated] = await db
       .update(platform_integrations)
       .set({
         platform_account_id: guildId,
+        platform_requester_account_id: authorizedRequester.discordUserId,
+        kilo_requester_user_id: authorizedRequester.kiloUserId,
         platform_account_login: guildName,
         scopes,
         integration_status: INTEGRATION_STATUS.ACTIVE,
@@ -222,19 +282,24 @@ export async function upsertDiscordInstallation(
     model_slug: defaultModel,
   };
 
+  const linkedMetadata = linkAuthorizedDiscordUser(metadata, authorizedRequester);
+
   const [created] = await db
     .insert(platform_integrations)
     .values({
       owned_by_user_id: owner.type === 'user' ? owner.id : null,
       owned_by_organization_id: owner.type === 'org' ? owner.id : null,
+      created_by_user_id: authorizedRequester.kiloUserId,
       platform: PLATFORM.DISCORD,
       integration_type: 'oauth',
       platform_installation_id: guildId,
+      platform_requester_account_id: authorizedRequester.discordUserId,
+      kilo_requester_user_id: authorizedRequester.kiloUserId,
       platform_account_id: guildId,
       platform_account_login: guildName,
       scopes,
       integration_status: INTEGRATION_STATUS.ACTIVE,
-      metadata,
+      metadata: linkedMetadata,
       installed_at: new Date().toISOString(),
     })
     .returning();
@@ -242,6 +307,34 @@ export async function upsertDiscordInstallation(
   return created;
 }
 
+/**
+ * Link a Discord requester to an existing installation owner.
+ */
+export async function linkDiscordRequesterToOwner(
+  owner: Owner,
+  authorizedRequester: { kiloUserId: string; discordUserId: string }
+): Promise<PlatformIntegration | null> {
+  const existing = await getInstallation(owner);
+  if (!existing) {
+    return null;
+  }
+
+  const updatedMetadata = linkAuthorizedDiscordUser(existing.metadata, authorizedRequester);
+
+  const [updated] = await db
+    .update(platform_integrations)
+    .set({
+      platform_requester_account_id: authorizedRequester.discordUserId,
+      kilo_requester_user_id: authorizedRequester.kiloUserId,
+      metadata: updatedMetadata,
+      updated_at: new Date().toISOString(),
+    })
+    .where(eq(platform_integrations.id, existing.id))
+    .returning();
+
+  return updated || null;
+}
+
 /**
  * Uninstall Discord integration for an owner
  */
@@ -393,13 +486,127 @@ export async function updateModel(
   return { success: true };
 }
 
+export type DiscordChannelMessage = {
+  id: string;
+  content: string;
+  channelId: string;
+  author: {
+    id: string;
+    username: string;
+    bot?: boolean;
+  };
+  mentions: Array<{ id: string }>;
+};
+
+/**
+ * Fetch a Discord channel message using the bot token.
+ */
+export async function getDiscordChannelMessage(
+  channelId: string,
+  messageId: string
+): Promise<{ ok: true; message: DiscordChannelMessage } | { ok: false; error: string }> {
+  if (!DISCORD_BOT_TOKEN) {
+    return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
+  }
+
+  try {
+    const response = await fetch(
+      `https://discord.com/api/v10/channels/${channelId}/messages/${messageId}`,
+      {
+        headers: { Authorization: `Bot ${DISCORD_BOT_TOKEN}` },
+      }
+    );
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      return { ok: false, error: `Discord API ${response.status}: ${errorText}` };
+    }
+
+    const rawMessage = (await response.json()) as {
+      id?: string;
+      content?: string;
+      channel_id?: string;
+      author?: { id?: string; username?: string; bot?: boolean };
+      mentions?: Array<{ id?: string }>;
+    };
+
+    if (
+      typeof rawMessage.id !== 'string' ||
+      typeof rawMessage.content !== 'string' ||
+      typeof rawMessage.channel_id !== 'string' ||
+      typeof rawMessage.author?.id !== 'string' ||
+      typeof rawMessage.author?.username !== 'string'
+    ) {
+      return { ok: false, error: 'Discord API returned malformed message payload' };
+    }
+
+    const mentions = (rawMessage.mentions || [])
+      .map(mention => mention.id)
+      .filter((id): id is string => typeof id === 'string')
+      .map(id => ({ id }));
+
+    return {
+      ok: true,
+      message: {
+        id: rawMessage.id,
+        content: rawMessage.content,
+        channelId: rawMessage.channel_id,
+        author: {
+          id: rawMessage.author.id,
+          username: rawMessage.author.username,
+          bot: rawMessage.author.bot,
+        },
+        mentions,
+      },
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+    return { ok: false, error: errorMessage };
+  }
+}
+
+/**
+ * Fetch the bot user ID for mention checks.
+ */
+export async function getDiscordBotUserId(): Promise<
+  { ok: true; userId: string } | { ok: false; error: string }
+> {
+  if (!DISCORD_BOT_TOKEN) {
+    return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
+  }
+
+  try {
+    const response = await fetch('https://discord.com/api/v10/users/@me', {
+      headers: { Authorization: `Bot ${DISCORD_BOT_TOKEN}` },
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      return { ok: false, error: `Discord API ${response.status}: ${errorText}` };
+    }
+
+    const user = (await response.json()) as { id?: string };
+    if (typeof user.id !== 'string' || user.id.length === 0) {
+      return { ok: false, error: 'Discord API returned malformed bot user payload' };
+    }
+
+    return { ok: true, userId: user.id };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+    return { ok: false, error: errorMessage };
+  }
+}
+
 /**
  * Post a message to a Discord channel using the Bot Token.
  */
 export async function postDiscordMessage(
   channelId: string,
   content: string,
-  options?: { messageReference?: { message_id: string } }
+  options?: {
+    messageReference?: { message_id: string };
+    linkButton?: { label: string; url: string };
+  }
 ): Promise<{ ok: boolean; messageId?: string; error?: string }> {
   if (!DISCORD_BOT_TOKEN) {
     return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
@@ -410,6 +617,21 @@ export async function postDiscordMessage(
     if (options?.messageReference) {
       body.message_reference = options.messageReference;
     }
+    if (options?.linkButton) {
+      body.components = [
+        {
+          type: 1,
+          components: [
+            {
+              type: 2,
+              style: 5,
+              label: options.linkButton.label,
+              url: options.linkButton.url,
+            },
+          ],
+        },
+      ];
+    }
 
     const response = await fetch(`https://discord.com/api/v10/channels/${channelId}/messages`, {
       method: 'POST',
diff --git a/src/lib/integrations/oauth-state.ts b/src/lib/integrations/oauth-state.ts
index 1d30f2c39..f980b168e 100644
--- a/src/lib/integrations/oauth-state.ts
+++ b/src/lib/integrations/oauth-state.ts
@@ -12,11 +12,12 @@ import { NEXTAUTH_SECRET } from '@/lib/config.server';
  *
  * This module produces a state value of the form:
  *
- *   base64url({ owner, uid, iat, nonce }) . HMAC-SHA256(payload, secret)
+ *   base64url({ owner, uid, iat, nonce, context? }) . HMAC-SHA256(payload, secret)
  *
  * where `owner` is the original owner string, `uid` is the ID of the
  * authenticated user who started the flow, `iat` is the issued-at timestamp
- * (seconds since epoch), and `nonce` is random bytes to ensure uniqueness.
+ * (seconds since epoch), `nonce` is random bytes to ensure uniqueness, and
+ * optional `context` carries signed flow metadata.
  *
  * On the callback we:
  *
@@ -40,18 +41,50 @@ function sign(data: string): string {
   return crypto.createHmac(HMAC_ALGORITHM, NEXTAUTH_SECRET).update(data).digest('base64url');
 }
 
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
+function getValidOAuthStateContext(value: unknown): OAuthStateContext | null | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+  if (!isRecord(value)) {
+    return null;
+  }
+
+  const context: OAuthStateContext = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (typeof entry !== 'string') {
+      return null;
+    }
+    context[key] = entry;
+  }
+
+  return context;
+}
+
+export type OAuthStateContext = Record<string, string>;
+
 /**
  * Build a signed OAuth state parameter.
  *
  * @param owner  – owner string, e.g. `user_abc123` or `org_xyz789`
  * @param userId – the ID of the currently-authenticated user initiating the flow
+ * @param context – optional signed metadata carried through the callback
  */
-export function createOAuthState(owner: string, userId: string): string {
+export function createOAuthState(
+  owner: string,
+  userId: string,
+  context?: OAuthStateContext
+): string {
   const iat = Math.floor(Date.now() / 1000);
   const nonce = crypto.randomBytes(NONCE_BYTES).toString('base64url');
-  const payload = Buffer.from(JSON.stringify({ owner, uid: userId, iat, nonce })).toString(
-    'base64url'
-  );
+
+  const data = context
+    ? { owner, uid: userId, iat, nonce, context }
+    : { owner, uid: userId, iat, nonce };
+  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
   const signature = sign(payload);
   return `${payload}.${signature}`;
 }
@@ -61,6 +94,8 @@ export type VerifiedOAuthState = {
   owner: string;
   /** The user ID that initiated the OAuth flow */
   userId: string;
+  /** Optional signed metadata from flow initiation */
+  context?: OAuthStateContext;
 };
 
 /**
@@ -93,6 +128,7 @@ export function verifyOAuthState(state: string | null): VerifiedOAuthState | nul
       uid?: string;
       iat?: number;
       nonce?: string;
+      context?: unknown;
     };
     if (typeof data.owner !== 'string' || typeof data.uid !== 'string') return null;
 
@@ -104,7 +140,10 @@ export function verifyOAuthState(state: string | null): VerifiedOAuthState | nul
     // Require nonce to be present (guards against old-format tokens)
     if (typeof data.nonce !== 'string' || data.nonce.length === 0) return null;
 
-    return { owner: data.owner, userId: data.uid };
+    const context = getValidOAuthStateContext(data.context);
+    if (context === null) return null;
+
+    return { owner: data.owner, userId: data.uid, context };
   } catch {
     return null;
   }
diff --git a/src/routers/discord-router.ts b/src/routers/discord-router.ts
index 2259a3e0d..bcabe78df 100644
--- a/src/routers/discord-router.ts
+++ b/src/routers/discord-router.ts
@@ -48,10 +48,21 @@ export const discordRouter = createTRPCRouter({
     if (input?.organizationId) {
       await ensureOrganizationAccess(ctx, input.organizationId);
     }
+
+    const owner = resolveOwner(ctx, input?.organizationId);
+    const installation = await discordService.getInstallation(owner);
+
     const statePrefix = input?.organizationId
       ? `org_${input.organizationId}`
       : `user_${ctx.user.id}`;
     const state = createOAuthState(statePrefix, ctx.user.id);
+
+    if (installation?.integration_status === 'active') {
+      return {
+        url: discordService.getDiscordUserLinkOAuthUrl(state),
+      };
+    }
+
     return {
       url: discordService.getDiscordOAuthUrl(state),
     };