Approval Workflows

Approval gates add a human-in-the-loop step to endpoint execution. When enabled, callers receive a 202 Accepted response with an approval link instead of immediate execution. The command only runs after an approver signs off.

Note

Approval workflows are available on the Team tier only.

How it works

1. A caller hits the endpoint (via API, webhook, or pipeline step)
2. Instead of executing, the API returns 202 Accepted with an approval_id and approve_url
3. The approver clicks the approval link or uses the dashboard to approve/deny
4. On approval, the original request is executed as normal
5. If no action is taken within approval_timeout_mins, the request expires

Caller → POST /v1/user/deploy → 202 Accepted (approval_id, approve_url)
                                        ↓
                                 Approver clicks link
                                        ↓
                                 Execution triggers → Response

Configuration

Enable approval on any endpoint via wrapd.yaml or the dashboard endpoint editor:

endpoints:
  - name: deploy-production
    command: ./deploy.sh --env production
    approval_required: true
    approval_timeout_mins: 60

Field	Type	Default	Description
approval_required	boolean	false	Require approval before execution
approval_timeout_mins	integer	30	Minutes before a pending approval expires

You can also set these fields via the API when creating or updating an endpoint:

curl -X PATCH https://api.wrapd.sh/endpoints/deploy-production \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"approval_required": true, "approval_timeout_mins": 60}'

Caller experience

When a caller hits an approval-gated endpoint, they receive a 202 Accepted response:

{
  "status": "pending_approval",
  "approval_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "approve_url": "https://hub.wrapd.sh/approve/f8e7d6c5-b4a3-2190-fedc-ba0987654321",
  "message": "Execution requires approval. Share the approve_url with an approver.",
  "expires_in_mins": 60
}

The caller can poll for approval status or wait for a callback, depending on integration needs.

One-click approval links

Each pending approval generates a unique, single-use token URL:

https://hub.wrapd.sh/approve/{token}

These links:

• Do not require authentication — anyone with the link can approve
• Are single-use — once approved or denied, the token is invalidated
• Expire after the configured approval_timeout_mins
• Show execution context — the approver sees the endpoint name, command, caller info, and timestamp before confirming

This makes it easy to share approval links via Slack, email, or any messaging tool without requiring the approver to log into the dashboard.

Caution

Treat approval links like passwords. Anyone with the link can authorize execution. Share them only through secure channels.

Dashboard approvals page

The dashboard provides a dedicated approvals view at /dashboard/approvals:

Pending approvals — displayed as cards showing:

• Endpoint name and command
• Who triggered the request and when
• Time remaining before expiry
• Approve and Deny buttons

Approval history — a table of past decisions showing:

• Endpoint name
• Decision (approved, denied, expired)
• Who approved/denied
• Timestamp of the original request and the decision

Use cases

Production deployments — require a team lead to sign off before deploying:

  - name: deploy-production
    command: ./deploy.sh --env production
    approval_required: true
    approval_timeout_mins: 30

Database migrations — add a gate before running destructive operations:

  - name: run-migration
    command: ./migrate.sh
    approval_required: true
    approval_timeout_mins: 120

Pipeline gates — use approval-gated endpoints as steps in a pipeline. The pipeline pauses at the approval step and resumes when approved:

  - name: staging-to-prod
    command: ./promote.sh
    approval_required: true
    approval_timeout_mins: 60

Combining with other features

• Alert rules — set up an alert to notify a Slack channel or webhook when a new approval is pending
• Scheduled endpoints — scheduled runs on approval-gated endpoints will create pending approvals rather than executing automatically
• Webhooks — inbound webhooks on approval-gated endpoints queue for approval instead of firing immediately