Skip to main content

Message inspection



A canister can inspect an ingress message and either accept or decline the message through the canister's HTTPS interface. If the message is accepted, the canister will execute it.

A canister that does not have a Wasm module installed will reject any ingress messages. If the canister does not implement canister_inspect_message, all ingress messages will be accepted.

The canister_inspect_message functionality should not be used for definitive access control. This is because it is executed by a single replica, without full consensus, and its result could be spoofed by a malicious boundary node. However, since it does not go through full consensus, a malicious user cannot drain cycles from your canister because you don’t pay the cost for the message going through consensus.

Using the canister_inspect_message endpoint, the canister can invoke ic0.accept_message : () → () to accept the message.

You can learn more in the IC interface specification.

This guide will describe how to use inspect_message within a Rust canister.


The canister_inspect_message entrypoint can be defined and exported by a Rust canister using #[inspect_message].

The function within this attribute cannot have a return value, and a canister can only have one canister_inspect_message entrypoint.

fn inspect_message_function() {
if /* some condition */ {
} else {
/* trap or simply not call accept_message to deny*/