Skip to content

Commit c470734

Browse files
[PER-14506] Add Human-in-the-Loop approvals documentation (#628)
* [PER-14506] Add Human-in-the-Loop approvals documentation New dedicated HITL documentation page covering: - How approval flow works (gateway pauses → notifies → resumes/rejects) - Approval queue UI (pending cards, batch actions, keyboard shortcuts) - Rejection with reasons (presets + custom) - Approval history with status filter - Configuring approval policies (per-tool, per-server, per-trust-level) - Trusted agent bypass for automation - Email and Slack notification setup - Timeout and fail-closed behavior - Agent-side experience (what the user sees during wait/rejection) Screenshots included for all major features. Also: - Updated advanced-features.mdx to link to the new dedicated page - Updated platform.mdx sidebar description to include Approvals - Updated feature maturity table to reflect HITL is now available Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Docs review fixes: quick start, clarity, accuracy - Add Quick Start tip box at top for fast onboarding - Soften "interception point" language to be less surveillance-like - Add trust-level cross-reference links to guide page - Clarify who can approve (any Platform user) - Explain what "cancelled" means in history (client disconnected) - Explain the Extend button mechanism (click to add 5 more minutes) - Add note about finding agent client IDs on the Agents page - Fix enterprise maturity table (HITL is Enterprise, not "Available") - Remove unused approval-history.png screenshot - Change example tool in agent notification from get_issue to delete_repo Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Blur sensitive data in HITL screenshots - Blur URL bar and bookmarks bar in notification-settings.png and server-policy-and-bypass.png (contained local dev URLs and personal bookmarks) - Blur email addresses in approval-history-full.png Decided By column (contained real employee email) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Fix sidebar collision, trust level clarity, enterprise note - Fix sidebar_position collision: change HITL from 8 to 7.5 (permit-integration already uses 8) - Rewrite trust level threshold description to clearly explain that "High" is least restrictive and "Low" is most restrictive - Add Enterprise Plan admonition matching the pattern in advanced-features.mdx Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Add HITL page to sidebars.js (manually configured sidebar) The docs sidebar is configured manually in sidebars.js, not auto-generated from frontmatter sidebar_position. Added the human-in-the-loop page between Architecture and Permit.io Integration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Add per-tool HITL toggle screenshot to docs Shows the tool list with individual HITL toggles — get_issue enabled (amber), other tools disabled. This was a missing screenshot identified in the docs review: customers need to see where the per-tool toggle lives on the MCP server detail page. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Replace history screenshot with updated version (7 entries, blurred emails) New screenshot shows 7 entries (up from 4) with all status types (Approved, Rejected, Cancelled) and Decision Time column. Email addresses in Decided By column are blurred. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Fix history screenshot: preserve Decided By header, blur only data rows Re-applied blur starting below the header row (y=285) instead of covering the header (y=280). The Decided By column header is now preserved while email addresses in data rows are blurred. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Complete docs coverage: policy evaluation, history columns, limits Added missing customer-relevant documentation: - Policy evaluation order: bypass → per-tool → per-server → trust level, with explicit explanation of how tiers interact - History table columns: Time, Tool, Server, Agent, Decided By, Decision Time, Decision — each explained - Tool arguments truncation note (64KB limit) - Timer color indicators (green → amber → red) - Slack privacy: tool arguments intentionally excluded from notifications - Extend limits: up to 30 min per extension, 1 hour max total - Pending limit: 50 concurrent approvals per host - Notification scope: settings apply per-host, policies per-server - Escape keyboard shortcut for deselect Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Simplify HITL docs: remove implementation details, tighten copy Removed customer-irrelevant details: - 64KB argument truncation limit - 50 pending approvals limit - 30-minute/1-hour extend limits - 4-tier numbered policy evaluation section (replaced with one sentence) - Notification scope callout - "fail-closed" jargon - Color indicator details (green/amber/red) - History column-by-column breakdown (replaced with one sentence) Simplified: - Keyboard shortcuts: compact single-line format - Batch actions: merged into pending approvals section - Timeouts: shorter, less edge-case focused - Trust level threshold: clearer single example - Overall ~30% shorter Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * [PER-14506] Address review feedback: fix HITL docs accuracy - Browser notifications: reflect opt-in flow (not automatic) - Extend button: appears in last 60 seconds, not always visible - Trusted Agent Bypass: clarify it's a separate card - Add trust-level badge and risk-coded border to card description - Keyboard shortcut R: opens reason input, not instant reject - Add note that single-key shortcuts can be toggled off Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 5813e3c commit c470734

13 files changed

Lines changed: 138 additions & 2 deletions

docs/permit-mcp-gateway/advanced-features.mdx

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,9 @@ Agent Interrogation is under active development as an Enterprise capability. The
6969

7070
Require human approval for high-risk agent actions. When an agent requests a sensitive operation — such as deleting records, modifying production data, or accessing restricted resources — the gateway pauses execution and routes an approval request to a designated reviewer. Routine operations continue without interruption.
7171

72-
This is useful for organizations that want to allow agents to attempt sensitive actions but require a human to confirm before execution proceeds.
72+
HITL includes per-tool, per-server, and per-trust-level approval policies, a real-time approval queue with batch actions, approval history, trusted agent bypass for automation, and email/Slack notifications.
73+
74+
See the dedicated **[Human-in-the-Loop Approvals](/permit-mcp-gateway/human-in-the-loop)** guide for full documentation.
7375

7476
## Time-Limited Consent
7577

@@ -120,7 +122,7 @@ Intent-based access control is an emerging capability. [Contact us](mailto:suppo
120122
| Feature | Status | Notes |
121123
| --- | --- | --- |
122124
| **Agent Interrogation** | Enterprise, active development | Agentic-native identity, fingerprinting, drift detection, and prompt injection defense |
123-
| **Human-in-the-Loop Approvals** | Enterprise | Available for enterprise plans |
125+
| **[Human-in-the-Loop Approvals](/permit-mcp-gateway/human-in-the-loop)** | Enterprise | Per-tool, per-server, and per-trust-level approval policies with email/Slack notifications |
124126
| **Time-Limited Consent** | Enterprise | Available for enterprise plans |
125127
| **Agent Verification** | Enterprise, early access | Behavioral profiling and drift detection, powered by Agent Interrogation |
126128
| **Session Monitoring** | Enterprise, early access | Anomaly detection capabilities under active development |
Lines changed: 132 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,132 @@
1+
---
2+
title: Human-in-the-Loop Approvals
3+
sidebar_label: Human-in-the-Loop
4+
description: Require real-time human approval before high-risk agent tool calls are executed. Configure per-tool, per-server, and per-trust-level approval policies with email and Slack notifications.
5+
sidebar_position: 7.5
6+
---
7+
8+
# Human-in-the-Loop Approvals
9+
10+
Human-in-the-Loop (HITL) adds a **real-time approval gate** to your agent workflows. When an agent requests a sensitive operation — such as deleting records, modifying production data, or accessing restricted resources — the gateway pauses execution and routes an approval request to a designated admin. Routine operations continue without interruption.
11+
12+
:::note Enterprise Plan
13+
Human-in-the-Loop approvals are available on **Enterprise** plans. [Schedule a demo](https://calendly.com/permit-io/demo) to get started.
14+
:::
15+
16+
:::tip Quick start
17+
1. Go to **MCP Servers** → select a server → toggle **HITL** on a tool
18+
2. Trigger that tool from an MCP client (e.g., Cursor, Claude Desktop)
19+
3. Open **Approvals** in the Platform → approve or reject the request
20+
:::
21+
22+
## How it works
23+
24+
1. An agent calls a tool that requires approval (e.g., `delete_repo`)
25+
2. The gateway checks authorization via Permit.io (existing [trust-level](/permit-mcp-gateway/guide) check)
26+
3. If the tool is approval-gated, the gateway **pauses the request** and creates an approval request
27+
4. Admins are notified via the Platform UI, email, and/or Slack
28+
5. An admin reviews the request and **approves or rejects** it
29+
6. The gateway resumes the tool call (on approval) or returns an error (on rejection/timeout)
30+
31+
The MCP client simply waits for the response — no client changes are needed. If no decision is made within the timeout (default: 5 minutes), the request is automatically rejected.
32+
33+
## Approval queue
34+
35+
The **Approvals** page in the Platform is where admins review and act on pending requests. It has three tabs: **Pending**, **History**, and **Notifications**.
36+
37+
### Pending approvals
38+
39+
Each pending approval card shows the full context needed to make a decision:
40+
41+
- **Tool name** and **server** — what the agent wants to do and where
42+
- **Trust-level badge** — shows the tool's risk level (high, medium, or low). High-risk cards have a red left border; medium-risk cards have a yellow border for quick visual triage
43+
- **Agent and user identity** — who is making the request
44+
- **Tool arguments** — the exact parameters being passed (e.g., which issue ID, which repository)
45+
- **Approval reason** — when present, a brief explanation of why this tool requires approval
46+
- **Countdown timer** — time remaining before automatic rejection
47+
48+
![Approval queue with pending request](/img/agent-security/hitl/approval-queue-pending.png)
49+
50+
Admins can **Approve** or **Reject** each request. When rejecting, you can provide a reason — either a quick preset ("Unauthorized scope", "Suspicious arguments", "Wrong environment") or a custom message.
51+
52+
![Rejecting with a reason](/img/agent-security/hitl/approval-reject-with-reason.png)
53+
54+
The rejection reason is included in the error message returned to the agent, so the user understands why their request was denied.
55+
56+
![Agent sees rejection reason](/img/agent-security/hitl/agent-rejection-message.png)
57+
58+
When multiple approvals are pending, select multiple cards using the checkboxes and use the batch action bar to approve or reject all selected requests at once.
59+
60+
:::tip Keyboard shortcuts
61+
**J/K** navigate cards · **A** approve · **R** reject (opens reason input) · **X** select · **Esc** deselect
62+
63+
Single-key shortcuts can be toggled off in the Approvals UI. **Esc** always works regardless of this setting.
64+
:::
65+
66+
### Approval history
67+
68+
The **History** tab shows all resolved approvals — who made each decision, how long it took, and the outcome (approved, rejected, timed out, or cancelled). Use the status filter to narrow down by outcome.
69+
70+
![Approval history](/img/agent-security/hitl/approval-history-full.png)
71+
72+
## Configuring approval policies
73+
74+
### Per-tool approval
75+
76+
On any MCP server's detail page, each tool has a **HITL toggle**. Enable it to require approval for that specific tool — use this for individual high-risk operations.
77+
78+
![Per-tool HITL toggle on the tool list](/img/agent-security/hitl/per-tool-hitl-toggle.png)
79+
80+
### Server approval policy
81+
82+
The **Server Approval Policy** card on the server detail page provides broader controls:
83+
84+
- **Require approval for all tools** — every tool on this server requires approval
85+
- **Trust level threshold** — require approval for tools at a specific [trust level](/permit-mcp-gateway/guide) or higher. For example, set to "High" to gate only the most critical tools, or "Low" to gate everything.
86+
87+
Per-tool toggles, server policies, and trust level thresholds all stack — if any of them requires approval, the tool call is gated.
88+
89+
### Trusted agent bypass
90+
91+
A separate card on the same server detail page lets you configure bypass rules for trusted automation. For agents that should not require manual approval (e.g., CI bots, scheduled pipelines), add the agent's client ID to the **Trusted Agent Bypass** list. Bypassed agents skip the approval check entirely — this takes priority over all other policies.
92+
93+
![Server approval policy and trusted agent bypass](/img/agent-security/hitl/server-policy-and-bypass.png)
94+
95+
You can find an agent's client ID on the **Agents** page in the Platform.
96+
97+
## Notifications
98+
99+
Configure where approval notifications are sent so admins know immediately when a request is waiting. Go to **Approvals > Notifications** to set up:
100+
101+
![Notification settings](/img/agent-security/hitl/notification-settings.png)
102+
103+
### Email notifications
104+
105+
Add email addresses to receive a notification whenever a new approval request is created. The email includes the tool name, server, agent identity, and a link to review in the Platform.
106+
107+
![Email notification](/img/agent-security/hitl/email-notification.png)
108+
109+
### Slack notifications
110+
111+
Paste a [Slack Incoming Webhook](https://api.slack.com/messaging/webhooks) URL to receive notifications in a Slack channel. The message includes the approval context and a button to open the Platform for review. For security, tool arguments are not included in Slack messages.
112+
113+
![Slack notification](/img/agent-security/hitl/slack-notification.png)
114+
115+
### Browser notifications
116+
117+
When the Platform is open in a browser tab, you can enable desktop notifications to be alerted when new approval requests arrive — even if the tab is in the background. Click **Enable desktop notifications** in the Approvals UI and allow the browser permission prompt. Once enabled, new approvals trigger a desktop notification whenever the Platform tab is not in focus.
118+
119+
## Timeouts
120+
121+
- **Default timeout:** 5 minutes — if no admin responds, the request is automatically rejected
122+
- **Extend:** When an approval is about to expire (last 60 seconds), an **Extend +5 min** button appears on the card — click it to add more review time
123+
- Timeouts always result in rejection, never automatic approval
124+
- If the agent disconnects while waiting, the request is automatically cancelled
125+
126+
## What the agent user sees
127+
128+
When a tool call is paused for approval, the agent receives a notification:
129+
130+
> Tool 'delete_repo' requires admin approval before execution. Waiting for approval (timeout: 5 minutes)...
131+
132+
Most MCP clients (Cursor, Claude Desktop, Claude Code) display this message so the user knows the wait is intentional. If the request is rejected, the error message includes the reason provided by the admin.

docs/permit-mcp-gateway/platform.mdx

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ The platform UI is organized around two navigation areas:
2727

2828
- **Dashboard** — host overview with the gateway MCP URL and client configuration snippets
2929
- **MCP Servers** — import and manage upstream MCP servers
30+
- **Approvals** — review and act on pending [human-in-the-loop](/permit-mcp-gateway/human-in-the-loop) approval requests, view history, and configure notifications
3031
- **Agents** — view and manage MCP clients that have connected through the gateway
3132
- **Humans** — manage user access to MCP servers and view connected agents
3233
- **Settings** — configure authentication methods, domain restrictions, and SSO

sidebars.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -213,6 +213,7 @@ const sidebars = {
213213
"permit-mcp-gateway/consent-service",
214214
"permit-mcp-gateway/audit-logs",
215215
"permit-mcp-gateway/architecture",
216+
"permit-mcp-gateway/human-in-the-loop",
216217
"permit-mcp-gateway/permit-integration",
217218
"permit-mcp-gateway/advanced-features",
218219
"permit-mcp-gateway/enterprise-deployment",
45.8 KB
Loading
170 KB
Loading
161 KB
Loading
178 KB
Loading
159 KB
Loading
382 KB
Loading

0 commit comments

Comments
 (0)