As admin, enable "Mobile services": Plugins ► Web Services ► Mobile Create a Token for a couple of users: Click on Site administration ► Plugins ► Web services ► Manage tokens Now, log in into Moodle Web with the two users and using the messaging option send some messages between them Next, you can do a CURL REST call simulating a WS client with one of the users. You need to replace the wstoken, and the URL of your moodle instance. Replace userid with the user id, and messageid with the id of one message you sent, you need to replace also the read value. You can easily find the messageid and read values if you position your mouse over the message and then over the X (the URL for deleting will be displayed at the bottom with the messageid and viewing read or unread) curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'messageid=14&userid=106&read=0&wsfunction=core_message_delete_message&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' | python -m "json.tool" Confirm that the output is a json object with status True and no warnings Now, do the same but deleting a message you received from the user, you should see the same output. Now, create a token for and Admin user, and try to delete any message, you should be able to do it. Now, using a normal user token try to delete to message that wasn’t sent or received by you Try to combine different parameters values, like invalid user ids, invalid message ids, etc.. you should see proper errors for all the cases