Getting Started

LAST EDIT May 08 2024

Welcome to the REST API documentation for Stream Moderation!

This page explains the AutoMod API concepts.

The AutoMod Public API is a versatile moderation API that can be used to moderate different types of messages across multiple channels. It can be used as a standalone product or be integrated with existing chat solutions.

To get started with the AutoMod Public API, you need to follow these steps:

  1. Sign up for an API key by contacting our sales team.

  2. Authenticate with either a server-side or a client-side token.

  3. Read the documentation to understand how the API works and what endpoints are available.

  4. Integrate the API with your application using the RESTful API.

Always feel free to get in touch if you have questions.

Basics

Common Parameters

Every request should contain the api_key query parameter and the appropriate authorization header.

| name | type | description | default | optional |
| --- | --- | --- | --- | --- |
| api_key | string | Application public API key | - | |

Compression

Stream API supports gzip and deflate compression; make sure that your client negotiates compression. Enabling compression can significantly reduce latency and bandwidth usage, and it is highly recommended.

JSON

Unless specified differently, all request body data must be JSON encoded and all responses are also JSON encoded.

Authentication

API Keys and Tokens

Every API request to Stream must include the API Key of the app performing the request and an authentication token generated using the API Key secret. The token must be a JWT token including a signature generated with the HS256 algorithm.

If you are not familiar with JWT we highly recommend reading more about it here. Libraries to generate JWT are available for most programming languages. The full list is available here.

The authentication token must include the correct claims (also called payload). A valid token for a type of request or for a user_id might not be valid for another one. Your application should generate the appropriate token; when using client-side auth, each user should have its own unique token.

Sending an Authenticated Request

All API requests to Stream must include a query parameter called api_key with the API Key in use. Once the token is generated correctly it is used to authenticate a request. This is done by setting two HTTP headers on the request:

| Header | Value | Description |
| --- | --- | --- |
| Stream-Auth-Type | jwt | Sets authentication type. Possible values: jwt, anonymous |
| Authorization | <token> | Sets JWT authentication token when jwt auth type is used |

Some HTTP libraries prefix the token with the string "Bearer ". This prefix should be removed before sending the request to Stream.

When dealing with authentication tokens, you should keep in mind that tokens are like passwords. Never share tokens with untrusted parties.

Server-side

Requests from a back-end application to Stream Chat API should use Server-Side Authentication to authenticate requests.

JWT Usage for Server-side Authentication

For server-side authentication, the application should send a token that is signed with the API Secret of the Stream app. This token must not include any claim besides the claims defined by the JWT specifications (i.e. "iat", "exp", ...).

When using server-side authentication, there is no permission checking, and you can perform any valid request for any of your users.

You should never share a server-side token with any untrusted party or use it directly in a mobile app or web browser. If your API secret or server-side token gets compromised, you should create a new API Key from the dashboard and delete the one that got compromised.

Some endpoints can only be used with server-side auth, for example changing the configuration of your application or performing other actions such as changing users' roles.

Token Example

Here is the server-side token for a fictional application with API Secret "top-secret": eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.-hJRcjmUOcS0P-Pllpe8gnOtMINmm7Ktebd3eKUroAc

Client-side

Requests from a front-end application to the Stream Chat API should use Client-Side Authentication to authenticate requests.

JWT Usage For Client-side Authentication

When using client-side auth, you generate a different token for each of your users and include their string ID in the user_id claim.

A common approach is to have your users authenticate with your app server-side and to provision a user token so that API calls to Stream can be done on their behalf directly on your mobile/web app.

For security reasons, some API endpoints and some specific actions can be performed only server-side.

User tokens will effectively authenticate the user based on the user_id claim. After that all API calls will be checked for permissions.

Token Example

Here is the user token for user "jack" on a fictional application with API Secret "top-secret": eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiamFjayJ9.pO3Fa8TJnPXsl62-XHK94S8hFk6dUz_2Q9au6H5xBSQ
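
The token and header rules from the Authentication section, as an added example that is not part of Stream's documentation or SDKs: a standard-library HS256 signer for both token types, a local signature check, and the query parameter and headers for a request. The function names, the one-hour default ttl and PLACEHOLDER_API_KEY are assumptions made for illustration; "top-secret" and "jack" are the page's fictional values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _mac(signing_input: str, api_secret: str) -> bytes:
    return hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, api_secret: str) -> str:
    # Compact JSON for header and payload, then HMAC-SHA256 over "header.payload".
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(_mac(signing_input, api_secret))

def server_token(api_secret, iat=None, ttl=3600):
    # Server-side: registered JWT claims only (iat/exp), never user_id.
    # ttl default is an assumption of this example, not a documented value.
    claims = {} if iat is None else {"iat": iat, "exp": iat + ttl}
    return sign_hs256(claims, api_secret)

def user_token(user_id, api_secret):
    # Client-side: one token per user, bound to that user's string ID.
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("user_id must be a non-empty string")
    return sign_hs256({"user_id": user_id}, api_secret)

def verify_hs256(token, api_secret):
    # Local self-check: pin the algorithm and compare MACs in constant time.
    head, payload, sig = token.split(".")
    header = json.loads(unb64url(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(head + "." + payload, api_secret), unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64url(payload))

def auth_parts(api_key, token):
    # api_key goes in the query string; the raw token (no "Bearer ") in the header.
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return {"api_key": api_key}, {"Stream-Auth-Type": "jwt", "Authorization": token}

if __name__ == "__main__":
    token = user_token("jack", "top-secret")
    print(auth_parts("PLACEHOLDER_API_KEY", "Bearer " + token))
```

Signing belongs on your back end only: the API secret passed to these functions must never reach a browser or mobile client, which should receive just the resulting user token.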

Reference

Automod currently supports evaluating the content against our in-house built Platform Circumvention, Spam Commercial and Semantic Filter engines.

Platform Circumvention

Protects against users who attempt to make transactions outside your platform.

Spam Commercial

Protects against commercial spam, like users or bots promoting goods, services, or scams via chat.

Semantic Filter

Detects a message's intended meaning, rather than relying only on exact word matches.

Get in touch

We're looking for feedback to help guide our roadmap for Advanced Moderation. If you would like to talk with us about how you use advanced moderation and what you would like to see from it, we would love to hear from you.