# Approvals

> Set up approval gates so your AI agent asks permission before taking risky actions. Approve, reject, edit, or discuss — all from the dashboard.

Your agent is powerful, but some actions need a human decision. Approvals let you set up gates so the agent asks permission before doing anything risky — deleting files, running commands, calling external APIs, deploying code.

You approve, reject, edit the request, or ask for changes — all from the dashboard.

---

## How It Works

```mermaid
flowchart LR
    A["Agent wants to\ndelete a file"] -->|"requests approval"| B["Dashboard\nApproval Panel"]
    B -->|"you approve"| C["Agent proceeds"]
    B -->|"you reject"| D["Agent stops"]
    B -->|"you edit"| E["Agent uses\nupdated params"]

    style A fill:#1e293b,stroke:#6b7280,color:#fff
    style B fill:#f59e0b,stroke:#d97706,color:#fff
    style C fill:#10b981,stroke:#059669,color:#fff
    style D fill:#ef4444,stroke:#dc2626,color:#fff
    style E fill:#3b82f6,stroke:#2563eb,color:#fff
```

1. Your agent calls a tool that requires approval
2. The agent pauses and sends a request to the dashboard
3. You see the request with full details — what tool, what parameters, why
4. You choose: **Approve**, **Reject**, **Edit Parameters**, or **Request Changes**
5. The agent continues (or stops) based on your decision

---

## Setting Up Approval Rules

1. **Open Approval Settings**

   Go to the [Admin Dashboard](https://app.aerostack.dev) → **Workspaces** → select your workspace → **Approvals** tab.

2. **Create an Approval Config**

   Click **Add Approval Rule** and configure:

   - **Tool Pattern** — which tools need approval. Use `*` for all tools, or specific patterns like `github__delete_*` for all GitHub delete operations
   - **Risk Level** — classify as low, medium, high, or critical
   - **Auto-Approve** — optionally auto-approve for specific roles or low-risk patterns

3. **Save**

   The rule takes effect immediately. The next time your agent calls a matching tool, it will pause and request approval.

You can create multiple rules. For example: auto-approve all read operations, require approval for writes, and require approval + review for deletes.

---

## Approving a Request

When a request comes in, you see:

- **Tool name** — which tool the agent wants to call
- **Parameters** — the exact arguments the agent is passing
- **Context** — what the agent was doing when it made the request
- **Risk level** — low, medium, high, or critical

You have four options:

### Approve

The agent proceeds with the original parameters. The tool executes and the agent continues its work.

### Reject

The agent is told the request was denied. It can adjust its approach or ask you what to do instead.

### Edit Parameters

Change the parameters before approving. For example, if the agent wants to delete a directory, you can narrow it to a specific file. The agent uses your edited parameters.

### Request Changes

Send a message back to the agent explaining what you want changed. The agent reads your feedback, adjusts its approach, and submits a new request. This can go back and forth as many times as needed.

---

## Multi-Round Conversations

Approvals are not just yes/no. You can have a conversation about the request:

> **Agent:** "I want to run `rm -rf ./old-data/` to clean up disk space."
>
> **You:** "Don't delete everything. Only remove files older than 30 days."
>
> **Agent:** "Got it. Updated command: `find ./old-data/ -mtime +30 -delete`. Requesting approval."
>
> **You:** Approve

Each round of discussion is tracked as part of the approval record, so you have a full audit trail of why decisions were made.

---

## Example Approval Configurations

### Conservative — Approve Everything

```
Pattern: *
Risk Level: medium
Auto-Approve: none
```

Every tool call requires your approval. Good for initial setup when you want to understand what your agent does.

### Balanced — Read Freely, Write with Approval

```
Pattern: *__get_*, *__list_*, *__search_*
Auto-Approve: all

Pattern: *
Risk Level: medium
Auto-Approve: none
```

Read operations (get, list, search) run without interruption. Anything that writes, creates, updates, or deletes requires approval.

### Team Setup — Auto-Approve for Experienced Members

```
Pattern: *
Risk Level: low
Auto-Approve: admin role

Pattern: *__delete_*
Risk Level: critical
Auto-Approve: none
```

Admins can auto-approve low-risk operations. Delete operations always require explicit approval regardless of role.

---

## Timeout

If you do not respond to an approval request within **24 hours**, it expires. The agent is notified that the request timed out and can either retry or move on.

There is no pressure to respond immediately. The agent waits patiently. You can review approval requests at your own pace.

---

## Approval History

All approval decisions are logged. Go to **Workspaces** → **Approvals** to see:

- Every request, with status (approved, rejected, expired, changes requested)
- Who approved or rejected it
- The full conversation thread for multi-round approvals
- Timestamps and risk levels

This is your audit trail for compliance and review.

---

## Next Steps

- [Connect OpenClaw](/agent-chat/connect-openclaw) — approvals work automatically once your agent is connected
- [Activity Monitor](/agent-chat/activity-monitor) — see all agent actions, not just approved ones
- [Team Access](/agent-chat/team-access) — each team member manages their own approvals
