Approval Workflows

When a policy requires approval, Airlock creates a pending request and notifies designated approvers.

How Approvals Work

AI Agent calls tool
       │
       ▼
Policy evaluates to REQUIRE_APPROVAL
       │
       ▼
Pending request created
       │
       ▼
Approvers notified (email + WebSocket)
       │
       ▼
Approver reviews and decides
       │
       ├── APPROVED → Execute operation
       │
       └── REJECTED → Return error to agent

Configuring Approvers

Approval Rules

Set up who can approve requests for specific operations:

Go to your server's detail page
In the Policy Configuration section, find the tool that requires approval
Click Add Approver next to the tool
Select approvers:
- Individual users from your organization
- Groups for team-based approval

Multiple approvers can be assigned - any one of them can approve the request.

Default Approvers

If no specific rule matches, the server owner can approve.

User Groups

Create groups to manage approvers at scale:

Navigate to Settings in the main navigation
Click the Groups tab
Click Create Group
Add members to the group
The group will be available when assigning approvers to tools

The Approval Process

For Approvers

When a request needs approval:

Email Notification: Receive an email with request details
Click to Review: Link takes you to the request page
Review Details: See the operation, parameters, and requester
Decide: Click Approve or Reject

For AI Agents

The agent receives the result through the MCP connection:

Approved: The operation executes and returns results
Rejected: An error is returned with the rejection reason

Request Details

Each pending request shows:

Operation: The tool being called
Parameters: Input arguments
Requester: Which user's credentials triggered the request
Timestamp: When the request was created
Status: Pending, Approved, or Rejected

Notifications

Email Notifications

Approvers receive emails containing:

Server and operation name
Request parameters (sanitized)
Direct link to approve/reject

Real-Time Updates

Using WebSocket connections, AI agents receive instant notification when:

A request is approved (operation executes)
A request is rejected (error returned)

No polling required.

Best Practices

Quick Response

Set up multiple approvers to ensure someone is always available to respond promptly.

Clear Context

When configuring policies, consider what information approvers need to make decisions.

Audit Trail

All approval decisions are logged:

Who approved/rejected
When the decision was made
The request details

Escalation

For time-sensitive operations, consider:

Multiple approvers for redundancy
Clear documentation of approval criteria
Backup approval processes

Common Patterns

Manager Approval

Create a "managers" group and assign it as the approver for sensitive operations like expense-related tools.

Security Team Approval

Create a "security-team" group for operations that modify or delete data. Assign this group as approvers for all delete_* operations.

Multiple Approvers for Redundancy

Assign both individual users and groups to the same tool. Any one of the approvers can approve the request, ensuring coverage when team members are unavailable.

Approval Workflows ​

How Approvals Work ​

Configuring Approvers ​

Approval Rules ​

Default Approvers ​

User Groups ​

The Approval Process ​

For Approvers ​

For AI Agents ​

Request Details ​

Notifications ​

Email Notifications ​

Real-Time Updates ​

Best Practices ​

Quick Response ​

Clear Context ​

Audit Trail ​

Escalation ​

Common Patterns ​

Manager Approval ​

Security Team Approval ​

Multiple Approvers for Redundancy ​