How approvals work
Agent requests an approval-bound action
The agent calls
invoke.call() with a tool classified as approval-bound. Invoke immediately stages the action and returns pending_approval.Invoke notifies the reviewer
The staged action appears in your Invoke dashboard. The reviewer sees the tool, parameters, and the agent that requested it.
Reviewer approves or rejects
The reviewer makes a decision in the dashboard or via the API.
- Approved → Invoke proceeds to state revalidation
- Rejected → Invoke returns
blockedto the agent
State revalidated before execution
Before the approved action runs, Invoke revalidates the current state against the conditions that existed when approval was granted.If state has drifted — the customer was already refunded, the deployment status changed — Invoke returns
replan_required instead of executing. The stale approval never fires.Why state revalidation matters
Approvals can have long delays between grant and execution. In that window:- The customer may have already received a refund through another channel
- The deployment may have rolled back
- The target record may have changed
Approval outcomes
| Status | Meaning |
|---|---|
pending_approval | Action staged, waiting for reviewer decision |
executed | Approved and state validated, action ran |
blocked | Rejected by reviewer |
replan_required | Approved but state drifted before execution |
Next steps
- Tool Safety Classes — how to classify tools as approval-bound
- Traces — inspect the full approval timeline in execution traces
- Execution Records — the durable record created for every staged action