How do approval webhooks work?

Configure a webhook URL per organization in the Settings page. oakallow sends two types of events:

• approval.created fires when your agent creates an approval request. The payload includes the tool name, parameters, reason, approval ID, and expiration time.

• approval.decided fires when a human approves or denies the request. The payload includes the decision, who decided, and any notes.

Payloads are signed with HMAC-SHA256 using your organization's webhook secret. Verify the X-Oakallow-Signature header to confirm the request is from oakallow.

Webhooks are fire-and-forget from oakallow's side. If your endpoint is unreachable, the approval still exists and can be polled via GET /v1/approvals/:id as a fallback.

Related questions in Permissions & Approvals

• →How does permission resolution work?
• →What are the three permission levels?
• →How do approval workflows work?
• →Can I automatically approve tool executions?

Browse other topics