AI Guardrails delivers content detection and human review results asynchronously via callback notifications. This topic explains how to set up callbacks so your server receives those results automatically.
How it works
AI Guardrails supports two callback types:
Scan result callbacks: After completing a detection request, AI Guardrails POSTs the detection results to your webhook address.
Review result callbacks: After a human review modifies detection results (either through the console or the feedback API), AI Guardrails POSTs the review results to your webhook address. For more information, see Human review.
The end-to-end flow:
Your server exposes a public webhook address.
You pass the webhook address (and a seed) when calling an async API operation or when configuring the console.
When AI Guardrails finishes processing, it POSTs results to your webhook address.
Your server returns HTTP 200 to acknowledge receipt, then processes the payload.
Key concepts
| Term | Description |
|---|---|
| Webhook address | The public HTTPS or HTTP endpoint on your server that receives callback payloads. Configure it in the AI Guardrails consoleAI Guardrails console. |
| Seed | A secret string used to verify that incoming requests originated from AI Guardrails, not a third party. |
| Callback attempts | AI Guardrails retries failed deliveries up to three times. A response of HTTP 200 marks a delivery as successful; any other status code is treated as failure. |
| Callback data | The form-encoded payload that AI Guardrails POSTs to your webhook address. |
Webhook address requirements
Your webhook address must meet all of the following requirements:
Accessible from the Internet over HTTP or HTTPS
Supports the POST method
Supports UTF-8 encoding
Accepts data in
application/x-www-form-urlencodedformatHandles the
checksumandcontentform parameters
Callback payload fields
Each callback POST body contains two form parameters:
AI Guardrails console| Parameter | Type | Description |
|---|---|---|
checksum | String | A tamper-detection signature. Generated by applying SHA256 to the concatenated string <User UID> + <seed> + <content>. Your Alibaba Cloud account ID serves as the User UID — find it by hovering over your profile picture in the upper-right corner of the Alibaba Cloud Management Console. |
content | String | A JSON object serialized as a string. Parse this string into a JSON object before reading its fields. See Content field structure. |
Verifying the checksum
On receipt of a callback, recompute the signature using the same algorithm — SHA256(<User UID> + <seed> + <content>) — and compare it against the checksum field. If the values differ, discard the request.
The following Python example shows how to verify the checksum:
import hashlib
def verify_checksum(user_uid: str, seed: str, content: str, received_checksum: str) -> bool:
"""Verify that a callback originated from AI Guardrails."""
raw = user_uid + seed + content
computed = hashlib.sha256(raw.encode("utf-8")).hexdigest()
return computed == received_checksumSet up scan result callbacks
All asynchronous AI Guardrails API operations support scan result callbacks, including asynchronous image scan and asynchronous video scan.
Without callbacks, the only way to retrieve async detection results is periodic polling.
Procedure
Set up a webhook address that meets all the requirements listed in Webhook address requirements, and choose a seed value.
When calling an async AI Guardrails API operation, include the
callbackparameter (your webhook address) and theseedparameter in the request body. Refer to the individual API operation documentation for parameter details.
Set up human review callbacks
Human review API operations do not return results inline. Instead, results are delivered via callbacks.
If you use the Alibaba Cloud human review service (machine-assisted moderation), configure notifications in the console:
Log on to the AI Guardrails consoleAI Guardrails console.
In the left navigation pane, choose Machine Moderation V1.0 > Settings.
On the Settings page, click the Notification tab, then click Create New Notification.
In the Create New Notification dialog box, fill in the following fields and click OK: After you click OK, the system generates a seed automatically. Save this seed — it is used to verify that incoming callbacks originate from Alibaba Cloud.
Field Description Title A descriptive name for this notification configuration. Callback URL Your webhook address. Encryption algorithm Select SHA256 (HMAC-SHA256) or SM3. See Encryption algorithms for details. Notification type Select Manual Review Results by AlibabaCloud. Audit Result Choose which review outcomes trigger a callback. Select all to receive callbacks for every outcome, or select specific outcomes based on your use case. On the Scenario Management tab, find your target business scenario, click Associate Notification in the Actions column, and associate the Callback Notification Plan you just created.
If you already have a callback notification service configured for machine-assisted moderation, reuse the existing configuration or create a new one as needed.
Encryption algorithms
| Algorithm | Details |
|---|---|
| SHA256 | Uses HMAC-SHA256. |
| SM3 | Uses the SM3 encryption algorithm. Returns a hexadecimal string of lowercase letters and numbers. For example, encrypting abc with SM3 returns 66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0. |
Content field structure
After parsing the content string into a JSON object, it contains the following top-level fields:
| Field | Type | Required | Description |
|---|---|---|---|
scanResult | JSONObject | No | The scan result. Structure varies by content type — see scanResult structure. |
auditResult | JSONObject | No | Your human review result. Present only when a human review operation occurs. Not included if only scan results are pushed. |
humanAuditResult | JSONObject | No | The Alibaba Cloud human review result. Present only if you purchased the Alibaba Cloud human review service. |
scanResult structure
The scanResult structure depends on the type of content that was scanned:
Images: Same structure as the
resultsparameter returned by synchronous image scans.Videos: Same structure as the
resultsparameter returned by asynchronous video scans.
auditResult structure
| Field | Type | Required | Description |
|---|---|---|---|
suggestion | String | Yes | Review outcome. Valid values: block (marked as a violation), pass (marked as normal). |
labels | JSONArray | No | Labels applied during human review. Valid values: porn, terrorism, ad, live. |
humanAuditResult structure
| Field | Type | Required | Description |
|---|---|---|---|
suggestion | String | Yes | Alibaba Cloud review outcome. Valid values: block (violation), pass (normal). |
taskId | String | Yes | Detection task ID. Use this to associate the review result with the original content. |
dataId | String | Yes | ID of the detected content. |
labels | JSONArray | No | Label results from the Alibaba Cloud human review. Not returned by default — contact your business representative to enable this field, as it incurs additional charges. |
Example
The following shows a fully populated content object after parsing:
{
"scanResult": {
"code": 200,
"msg": "OK",
"taskId": "fdd25f95-4892-4d6b-aca9-7939bc6e9baa-1486198766695",
"url": "http://1.jpg",
"results": [
{
"rate": 100,
"scene": "porn",
"suggestion": "block",
"label": "porn"
}
]
},
"auditResult": {
"suggestion": "block",
"labels": [
"porn",
"ad",
"terrorism"
]
},
"humanAuditResult": {
"suggestion": "pass",
"dataId": "yyyy",
"labels": [
"porn",
"vulgar"
],
"taskId": "xxxxxx"
}
}