Skip to content

Possible alternative to ModeratorAccessTokens #63

New issue
New issue
Open
Feature
Open
Possible alternative to ModeratorAccessTokens#63
Feature
Labels
enhancementNew feature or requesthelp wantedExtra attention is needed
@turt2live

Description

@turt2live
turt2live
opened on Jan 2, 2026

Currently policyserv needs to track access tokens for moderation bots (or whatever is doing the redaction), but this doesn't scale if other communities want to be onboarded onto an instance. Policyserv only uses the moderation function for redactions, but may in future use it for auto-bans and kicks too.

Instead of having community admins hand over access tokens, they could specify a user ID via their normal community config. This user ID would then listen for to-device messages from policyserv. Those to-device messages would be "requests" for redactions and similar, where the receiver verifies the request and performs the action.

Because policyserv is a server-side application, it'd use https://spec.matrix.org/v1.17/server-server-api/#send-to-device-messaging (EDUs via federation transactions) to accomplish this.

Example to-device content:

{
  "type": "org.matrix.policyserv.moderation_request",
  "sender": "@doesntmatter:example.org", // Do NOT check that this user is in the room, just that the domain matches the policy server.
  "message_id": "arbitrary",
  "messages": {
    "@modbot:remote.example.org": {
      "*": {
        "request": "redaction", // to be expanded in the future
        "event_id": "$whatever",
        "room_id": "!whatever",
        "signatures": {
          "example.org": {
            // Signed with the MSC4284 key for the room_id
            "ed25519:policy_server": "signaturegoeshere"
          }
        }
      }
    }
  }
}

The receiver verifies the signature over the object under "*", and that the sender is from the same server. If the signature doesn't match the room's current policy server, the request is ignored.

Moderation bots like Mjolnir, Draupnir, and Meowlnir could support listening for this to-device message, though servers could also internally handle it for efficiency (ie: Synapse (optionally?) intercepts the to-device message for @abuse:matrix.org to just send the redaction as required, rather than forcing the underlying moderation bot to do a full round trip of /sync to /send).

It's unclear how much of this should be an MSC at the moment.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Type

    Feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions