diff --git a/swh/web/add_forge_now/models.py b/swh/web/add_forge_now/models.py
--- a/swh/web/add_forge_now/models.py
+++ b/swh/web/add_forge_now/models.py
@@ -4,6 +4,7 @@
 # See top-level LICENSE file for more information
 
 import enum
+from typing import List
 
 from django.db import models
 
@@ -30,6 +31,40 @@
     def choices(cls):
         return tuple((variant.name, variant.value) for variant in cls)
 
+    @classmethod
+    def allowed_next_statuses(cls, current_status: str) -> List[str]:
+        if current_status == cls.PENDING.name:
+            return [
+                cls.WAITING_FOR_FEEDBACK.name,
+                cls.REJECTED.name,
+                cls.SUSPENDED.name,
+            ]
+        elif current_status == cls.WAITING_FOR_FEEDBACK.name:
+            return [cls.FEEDBACK_TO_HANDLE.name]
+        elif current_status == cls.FEEDBACK_TO_HANDLE.name:
+            return [
+                cls.WAITING_FOR_FEEDBACK.name,
+                cls.ACCEPTED.name,
+                cls.REJECTED.name,
+                cls.SUSPENDED.name,
+            ]
+        elif current_status == cls.ACCEPTED.name:
+            return [cls.SCHEDULED.name]
+        elif current_status == cls.SCHEDULED.name:
+            return [cls.FIRST_LISTING_DONE.name]
+        elif current_status == cls.FIRST_LISTING_DONE.name:
+            return [cls.FIRST_ORIGIN_LOADED.name]
+        elif current_status == cls.FIRST_ORIGIN_LOADED.name:
+            return []
+        elif current_status == cls.REJECTED.name:
+            return []
+        elif current_status == cls.SUSPENDED.name:
+            return [cls.PENDING.name]
+        elif current_status == cls.DENIED.name:
+            return []
+        else:
+            raise ValueError(f"Invalid request status: {current_status}")
+
 
 class RequestActorRole(enum.Enum):
     MODERATOR = "moderator"
diff --git a/swh/web/api/views/add_forge_now.py b/swh/web/api/views/add_forge_now.py
--- a/swh/web/api/views/add_forge_now.py
+++ b/swh/web/api/views/add_forge_now.py
@@ -7,7 +7,9 @@
 from typing import Union
 
 from django.core.exceptions import ObjectDoesNotExist
-from django.forms import ModelForm
+from django.db import transaction
+from django.forms import CharField, ModelForm
+from django.http import HttpResponseBadRequest
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse, HttpResponseForbidden
 from rest_framework import serializers
@@ -15,10 +17,14 @@
 from rest_framework.response import Response
 
 from swh.web.add_forge_now.models import Request as AddForgeRequest
+from swh.web.add_forge_now.models import RequestHistory as AddForgeNowRequestHistory
+from swh.web.add_forge_now.models import RequestStatus as AddForgeNowRequestStatus
 from swh.web.api.apidoc import api_doc, format_docstring
 from swh.web.api.apiurls import api_route
 from swh.web.common.exc import BadInputExc
 
+MODERATOR_ROLE = "swh.web.add_forge_now.moderator"
+
 
 class AddForgeNowRequestForm(ModelForm):
     class Meta:
@@ -32,12 +38,29 @@
         )
 
 
+class AddForgeNowRequestHistoryForm(ModelForm):
+    new_status = CharField(max_length=200, required=False,)
+
+    class Meta:
+        model = AddForgeNowRequestHistory
+        fields = ("text",)
+
+
 class AddForgeNowRequestSerializer(serializers.ModelSerializer):
     class Meta:
         model = AddForgeRequest
         fields = "__all__"
 
 
+class AddForgeNowRequestPublicSerializer(serializers.ModelSerializer):
+    """Serializes AddForgeRequest without private fields.
+    """
+
+    class Meta:
+        model = AddForgeRequest
+        fields = ("forge_url", "forge_type", "status", "submission_date")
+
+
 @api_route(
     r"/add-forge/request/create", "api-1-add-forge-request-create", methods=["POST"],
 )
@@ -106,3 +129,83 @@
     data = AddForgeNowRequestSerializer(add_forge_request).data
 
     return Response(data=data, status=201)
+
+
+@api_route(
+    r"/add-forge/request/(?P<id>[0-9]+)/update/",
+    "api-1-add-forge-request-update",
+    methods=["POST"],
+)
+@api_doc("/add-forge/request/update", tags=["hidden"])
+@format_docstring()
+@transaction.atomic
+def api_add_forge_request_update(
+    request: Union[HttpRequest, Request], id: int
+) -> HttpResponse:
+    """
+    .. http:post:: /api/1/add-forge/request/update/
+
+        Update a request to add a forge to the list of those crawled regularly
+        by Software Heritage.
+
+        .. warning::
+            That endpoint is not publicly available and requires authentication
+            in order to be able to request it.
+
+        {common_headers}
+
+        :<json string text: comment about new request status
+        :<json string new_status: the new request status
+
+        :statuscode 200: request successfully updated
+        :statuscode 400: missing or invalid field values
+        :statuscode 403: user is not a moderator
+    """
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden(
+            "You must be authenticated to update a new add-forge request"
+        )
+
+    if not request.user.has_perm(MODERATOR_ROLE):
+        return HttpResponseForbidden("You are not a moderator")
+
+    try:
+        add_forge_request = AddForgeRequest.objects.get(id=id)
+    except ObjectDoesNotExist:
+        return HttpResponseBadRequest("Invalid request id")
+
+    request_history = AddForgeNowRequestHistory()
+    request_history.request = add_forge_request
+
+    if isinstance(request, Request):
+        # request submitted with request body in JSON (goes through DRF)
+        form = AddForgeNowRequestHistoryForm(request.data, instance=request_history)
+    else:
+        # request submitted with request body in form encoded format
+        # (directly handled by Django)
+        form = AddForgeNowRequestHistoryForm(request.POST, instance=request_history)
+
+    if form.errors:
+        raise BadInputExc(json.dumps(form.errors))
+
+    new_status = form["new_status"].value()
+    if (
+        new_status is not None
+        and new_status
+        not in AddForgeNowRequestStatus.allowed_next_statuses(add_forge_request.status)
+    ):
+        raise BadInputExc(
+            f"New request status {new_status} cannot be reached "
+            f"from current status {add_forge_request.status}"
+        )
+
+    request_history.actor = request.user.username
+    request_history.actor_role = "moderator"
+    form.save()
+
+    if request_history.new_status is not None:
+        add_forge_request.status = request_history.new_status
+        add_forge_request.save()
+
+    data = AddForgeNowRequestSerializer(add_forge_request).data
+    return Response(data=data, status=200)
diff --git a/swh/web/tests/add_forge_now/test_models.py b/swh/web/tests/add_forge_now/test_models.py
new file mode 100644
--- /dev/null
+++ b/swh/web/tests/add_forge_now/test_models.py
@@ -0,0 +1,35 @@
+# Copyright (C) 2022  The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU Affero General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+import pytest
+
+from swh.web.add_forge_now.models import RequestStatus
+
+
+@pytest.mark.parametrize(
+    "current_status, allowed_next_statuses",
+    [
+        ("PENDING", ["WAITING_FOR_FEEDBACK", "REJECTED", "SUSPENDED"]),
+        ("WAITING_FOR_FEEDBACK", ["FEEDBACK_TO_HANDLE"]),
+        (
+            "FEEDBACK_TO_HANDLE",
+            ["WAITING_FOR_FEEDBACK", "ACCEPTED", "REJECTED", "SUSPENDED"],
+        ),
+        ("ACCEPTED", ["SCHEDULED"]),
+        ("SCHEDULED", ["FIRST_LISTING_DONE"]),
+        ("FIRST_LISTING_DONE", ["FIRST_ORIGIN_LOADED"]),
+        ("FIRST_ORIGIN_LOADED", []),
+        ("REJECTED", []),
+        ("SUSPENDED", ["PENDING"]),
+        ("DENIED", []),
+    ],
+)
+def test_allowed_next_statuses(current_status, allowed_next_statuses):
+    assert RequestStatus.allowed_next_statuses(current_status) == allowed_next_statuses
+
+
+def test_allowed_next_statuses_invalid_status():
+    with pytest.raises(ValueError):
+        RequestStatus.allowed_next_statuses("FOO")
diff --git a/swh/web/tests/api/views/test_add_forge_now.py b/swh/web/tests/api/views/test_add_forge_now.py
--- a/swh/web/tests/api/views/test_add_forge_now.py
+++ b/swh/web/tests/api/views/test_add_forge_now.py
@@ -10,8 +10,13 @@
 import pytest
 
 from swh.web.add_forge_now.models import Request
+from swh.web.api.views.add_forge_now import MODERATOR_ROLE
 from swh.web.common.utils import reverse
-from swh.web.tests.utils import check_api_post_response, check_http_post_response
+from swh.web.tests.utils import (
+    check_api_post_response,
+    check_http_post_response,
+    create_django_permission,
+)
 
 
 def test_add_forge_request_create_anonymous_user(api_client):
@@ -35,6 +40,14 @@
     "forge_contact_comment": "user marked as owner in forge members",
 }
 
+ADD_OTHER_FORGE_DATA = {
+    "forge_type": "gitea",
+    "forge_url": "https://gitea.example.org",
+    "forge_contact_email": "admin@gitea.example.org",
+    "forge_contact_name": "gitea.example.org admin",
+    "forge_contact_comment": "user marked as owner in forge members",
+}
+
 
 @pytest.mark.django_db(transaction=True, reset_sequences=True)
 def test_add_forge_request_create_success(api_client, regular_user):
@@ -104,14 +117,104 @@
 def test_add_forge_request_create_duplicate(api_client, regular_user):
     api_client.force_login(regular_user)
     url = reverse("api-1-add-forge-request-create")
-
     check_api_post_response(
         api_client, url, data=ADD_FORGE_DATA, status_code=201,
     )
-
     check_api_post_response(
         api_client, url, data=ADD_FORGE_DATA, status_code=409,
     )
 
     requests = Request.objects.all()
     assert len(requests) == 1
+
+
+@pytest.fixture
+def moderator_user(regular_user2):
+    regular_user2.user_permissions.add(create_django_permission(MODERATOR_ROLE))
+    return regular_user2
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_anonymous_user(api_client):
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=403)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_regular_user(api_client, regular_user):
+    api_client.force_login(regular_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=403)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_non_existent(api_client, moderator_user):
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=400)
+
+
+def _create_add_forge_request(api_client, regular_user, data=ADD_FORGE_DATA):
+    api_client.force_login(regular_user)
+    url = reverse("api-1-add-forge-request-create")
+    check_api_post_response(
+        api_client, url, data=data, status_code=201,
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_empty(api_client, regular_user, moderator_user):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, status_code=400)
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_missing_field(
+    api_client, regular_user, moderator_user
+):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(api_client, url, data={}, status_code=400)
+    check_api_post_response(
+        api_client, url, data={"new_status": "REJECTED"}, status_code=400
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update(api_client, regular_user, moderator_user):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+
+    check_api_post_response(
+        api_client, url, data={"text": "updating request"}, status_code=200
+    )
+
+    check_api_post_response(
+        api_client,
+        url,
+        data={"new_status": "REJECTED", "text": "request rejected"},
+        status_code=200,
+    )
+
+
+@pytest.mark.django_db(transaction=True, reset_sequences=True)
+def test_add_forge_request_update_invalid_new_status(
+    api_client, regular_user, moderator_user
+):
+    _create_add_forge_request(api_client, regular_user)
+
+    api_client.force_login(moderator_user)
+    url = reverse("api-1-add-forge-request-update", url_args={"id": 1})
+    check_api_post_response(
+        api_client,
+        url,
+        data={"new_status": "ACCEPTED", "text": "request accepted"},
+        status_code=400,
+    )
diff --git a/swh/web/tests/utils.py b/swh/web/tests/utils.py
--- a/swh/web/tests/utils.py
+++ b/swh/web/tests/utils.py
@@ -227,7 +227,9 @@
     perm_splitted = perm_name.split(".")
     app_label = ".".join(perm_splitted[:-1])
     perm_name = perm_splitted[-1]
-    content_type = ContentType.objects.create(app_label=app_label, model="dummy")
+    content_type = ContentType.objects.create(
+        id=1000, app_label=app_label, model="dummy"
+    )
     return Permission.objects.create(
-        codename=perm_name, name=perm_name, content_type=content_type,
+        codename=perm_name, name=perm_name, content_type=content_type, id=1000
     )