KeypostKeypost

Approval Policies

Add human-in-the-loop approval for sensitive or high-risk operations.

How it works

  1. Agent calls a tool that requires approval
  2. Keypost creates an approval request and notifies approvers
  3. Agent receives "pending approval" response
  4. Approver reviews and approves/denies in the dashboard
  5. Agent retries the call - if approved, it goes through

Basic approval

Require approval for specific tools:

{
  "type": "approval",
  "config": {
    "tools": ["delete_user", "transfer_funds", "modify_permissions"],
    "approvers": ["admin@company.com", "security@company.com"],
    "timeout": "24h"
  }
}

Conditional approval

Only require approval when certain conditions are met:

{
  "type": "approval",
  "config": {
    "tool": "transfer_funds",
    "required_when": {
      "amount": "> 10000"
    },
    "approvers": ["finance@company.com"],
    "timeout": "4h"
  }
}

Transfers under $10,000 go through automatically. Larger transfers need approval.

Timeout behavior

What happens when approval times out:

{
  "type": "approval",
  "config": {
    "tools": ["deploy_to_production"],
    "approvers": ["oncall@company.com"],
    "timeout": "1h",
    "timeout_action": "deny"
  }
}

Options: deny (default) or allow

Approval inbox

Approvers receive an email with a link to review the request. They can also view pending approvals in the dashboard under Approvals.

Each request shows:

  • Tool name and parameters
  • Requester IP
  • Time remaining
  • Approve/Deny buttons

Audit policy

Enhanced logging for compliance requirements:

{
  "type": "audit",
  "config": {
    "level": "full",
    "retention": "7y",
    "compliance": ["hipaa", "soc2"],
    "require_reason": true
  }
}

Levels: minimal (metadata only), standard (+ violations),full (all parameters and responses, scrubbed)

Example: Production changes

{
  "name": "Production approval",
  "type": "approval",
  "config": {
    "tools": ["deploy_*", "migrate_*", "rollback_*"],
    "approvers": ["platform@company.com", "oncall@company.com"],
    "timeout": "2h",
    "timeout_action": "deny"
  }
}

Example: Financial transactions

{
  "name": "Large transaction approval",
  "type": "approval",
  "config": {
    "tool": "process_payment",
    "required_when": {
      "amount": "> 5000"
    },
    "approvers": ["finance@company.com"],
    "timeout": "24h"
  }
}