Webhooks

You can set up webhooks for common events and actions from the moderation queue. This is useful if you want to integrate the queue with your own systems. Webhooks are configured under actions in your dashboard
The webhook payload will be sent as a POST request to the URL you specify.
The webhooks require your server to respond with a 200 status code within 5 seconds, otherwise they will be retried. Webhooks are tried at most 5 times.

Webhook payload

string

required

The unique id of the event.

type

string

required

The type of the webhook. Can be QUEUE_ITEM_NEW, QUEUE_ITEM_ACTION or QUEUE_ITEM_COMPLETED.

timestamp

number

required

The timestamp of when the webhook was sent.

item

Item Object

required

The content item that triggered the webhook.

Show properties

string

required

The id of the content item.

flagged

boolean

required

Whether or not the content item has been flagged by your project configuration.

labels

array

required

An array of labels that the content item has been analyzed for - comes from your project configuration.

language

string

required

The ISO2 language code of the content item.

content

string

required

The original content of the content item.

timestamp

number

required

The timestamp of when the content item was submitted.

metadata

object

The metadata of the content item. Specified by you when sending the content for moderation.

conversationId

string

The conversation id of the content item. Specified by you when sending the content for moderation. (Formerly contextId)

authorId

string

The author id of the content item. Specified by you when sending the content for moderation.

queue

object

The queue that the content item is in.

Show properties

string

required

The id of the queue.

name

string

required

The name of the queue.

action

object

The action that was taken on the content item if the type is QUEUE_ITEM_ACTION.

Show properties

string

required

The id of the action.

name

string

required

The name of the action.

value

string

The value of the action.

Webhook payload example

{
  "id": "123",
  "type": "QUEUE_ITEM_ACTION",
  "timestamp": 1691496019049,
  "item": {
    "id": "644718a7fc78a41ec9f34a6d",
    "flagged": true,
    "labels": [
      {
        "label": "nsfw/UNSAFE",
        "score": 0.7266457980882517,
        "flagged": true,
        "manual": false
      },
      {
        "label": "nsfw/SENSITIVE",
        "score": 0.01,
        "flagged": false,
        "manual": false
      }
    ],
    "language": "en",
    "content": "Example content",
    "timestamp": 1691496019049,
    "metadata": {
      "key": "value"
    }
  },
  "queue": {
    "id": "123",
    "name": "My queue"
  },
  "action": {
    "id": "123",
    "name": "Remove content",
    "value": "spam"
  },
  "conversationId": "demo-context",
  "authorId": "author-123"
}

Webhook signing

You can verify that the webhook is coming from us by comparing the signature of the payload with the signature provided in the modapi-signature header.
The signature is a HMAC SHA256 hash of the payload using your webhook secret as the key. Find you webhook secret under API Keys in your dashboard.

import ModerationAPI from "@moderation-api/sdk";

// Option 1: Use environment variable MODAPI_SECRET_KEY
const moderationApi = new ModerationAPI();

// Option 2: Pass key explicitly
// const moderationApi = new ModerationAPI({ secretKey: 'proj_...' });

export async function POST(request: Request) {
  try {
    const body = await request.text();
    const headersList = await headers();
    const webhookSignatureHeader = headersList.get("modapi-signature");

    if (!webhookSignatureHeader) {
      return NextResponse.json(
        { error: "No signature header" },
        { status: 400 }
      );
    }

    // Option 1: Use environment variable MODAPI_WEBHOOK_SECRET
    const payload = await moderationApi.webhooks.constructEvent(
      Buffer.from(body),
      webhookSignatureHeader
    );

    // Option 2: Pass secret explicitly (overrides environment variable)
    // const payload = await moderationApi.webhooks.constructEvent(
    //   Buffer.from(body),
    //   webhookSignatureHeader,
    //   'whsec_...'
    // );

    return NextResponse.json({ received: true });
  } catch (error) {
    console.error("Error processing webhook:", error);
    return NextResponse.json(
      { error: "Error processing webhook" },
      { status: 400 }
    );
  }
}

Preventing replay attacks

To prevent replay attacks, you can use the timestamp in the payload of the webhook to ensure that the webhook is not older than 5 minutes.

Troubleshooting

Check events log

If webhooks aren’t working as expected, first check the events log in your dashboard to see detailed information about webhook delivery attempts and any failures.

Allow Moderation API

You may find that some hosting providers and security services block webhook traffic. For example Cloudflare’s Bot Fight mode will present a challenge instead of allowing the webhook.

Cloudflare
Other Providers

Common blocking scenarios

Bot Fight Mode / Super Bot Fight Mode is enabled
WAF Managed Rules active
Custom security rules

Choose your solution based on your plan

Super Bot Fight Mode (Pro+)
Bot Fight Mode (Free)

✅ Use Security Rules (Recommended)

Go to your Cloudflare dashboard
Select your domain
Navigate to Security → Security rules
Create a custom rule:
- Name: “Moderation API Webhooks”
- Field: User Agent
- Operator: starts with
- Value: ModAPI/
- Action: Skip All Super Bot Fight Mode Rules and other rules that might interfere.
Make sure to place this rule before other rules
Deploy the rule

Common providers with security blocking:

SiteDistrict
DigitalOcean App Platform
Vercel
Netlify
AWS CloudFront
Azure Front Door

General configuration steps:

Access your provider’s security/firewall settings
Look for “allow rules”, “exceptions”, or “bypass rules”
Add a User-Agent rule for ModAPI/ (preferred)
Or contact support to get IP addresses allowlisted for your account
Save and deploy the configuration

Where to find settings:

Vercel: Project settings → Security
Netlify: Site settings → Build & deploy → Post processing
DigitalOcean: App settings → Security section
AWS CloudFront: WAF & Shield → Web ACLs
Azure Front Door: Rules engine or WAF policies

Each provider uses different terminology. Look for “firewall rules”, “security exceptions”, or “allow rules” in your provider’s documentation.

Still having issues?

Troubleshooting steps:

Check your hosting provider’s security logs for blocked ModAPI/ requests
Verify your webhook endpoint returns a 200 status code within 5 seconds
Test with a simple endpoint to isolate the issue
Ensure firewall rules don’t conflict with allow rules

Get help: Contact our support team at [email protected] for assistance with configuration or to allowlist our IP addresses for your specific account.

Documentation

Learn

Resources

Webhook payload

Webhook signing

Preventing replay attacks

Troubleshooting

Check events log

Allow Moderation API

Common blocking scenarios

Choose your solution based on your plan

Still having issues?

Documentation

Learn

Resources

​Webhook payload

​Webhook signing

​Preventing replay attacks

​Troubleshooting

​Check events log

​Allow Moderation API

​Common blocking scenarios

​Choose your solution based on your plan

​Still having issues?

Webhook payload

Webhook signing

Preventing replay attacks

Troubleshooting

Check events log

Allow Moderation API

Common blocking scenarios

Choose your solution based on your plan

Still having issues?