## Approval flows

Approval flows in Agen for SaaS define the human-in-the-loop review process for sensitive tool calls. When a policy triggers a **Request approval** action, the tool call is paused and routed to the configured approval flow, where designated approvers review and approve or reject the request.

### Approval flows overview

![approval-flows](/assets/approval-flow-screen.8c90ee6ab1113744e9fde75e12f196ff20fe6d88a5265d76fc084be74189754a.212f8da4.png)

The Approval flows screen displays the following header:

> **Approval flows** — Ensure that critical actions are reviewed and approved by the right people, supporting security and compliance.


A **Learn more** link is provided for additional documentation.

The screen includes:

- A **search bar** to filter flows.
- A **Channel** filter dropdown (default: "All") to filter by notification channel.
- A **Create flow** button.


Existing flows are displayed in a table with the following columns:

| Column | Description |
|  --- | --- |
| **Flow Name** | The name of the approval flow (e.g., "Approve from admins"). |
| **Description** | An optional description of the flow. |
| **Type** | The flow scope: "Global" or specific. |
| **Used channels** | Badges showing the enabled notification channels (e.g., `Email`). |
| **Last modified date** | The date and time the flow was last updated, with a relative time indicator (e.g., "18 February 2026 — 17 days ago"). |


Each row has a three-dot menu for editing or deleting the flow.

### Creating an approval flow

Click **Create flow** to start the four-step creation wizard.

#### Step 1: General settings

![approval-flow-step-1](/assets/approval-flow-step-1.2e9a831128cfb67d4cca7055354cbe24402ed3711e586a45bc4942ea7bb37028.212f8da4.png)

> Set the flow's name, description, and activation status.


| Field | Description | Required |
|  --- | --- | --- |
| **Flow name** | A descriptive name for the approval flow. | Yes |
| **Description** | An optional description of the flow's purpose. | No |


Click **Next** to proceed to Step 2.

#### Step 2: Channel configuration

![approval-flow-step-2](/assets/approval-flow-step-2.e2ba3663999c489a793d88db0d7e477acb5e83f430be7e95ecf43fa7e13049ad.212f8da4.png)

> Channels are the delivery methods for approval requests. Enabling a channel lets you target approvers reachable by that method (e.g., email addresses or phone numbers).


Two channels are available, each with a toggle to enable or disable:

| Channel | Description |
|  --- | --- |
| **Email** | Send approval requests to approvers via email. Recommended when your approvers regularly check their inbox. |
| **SMS** | Send short approval requests as text messages. Best for quick responses on mobile. |


Enable at least one channel to ensure approvers receive notifications. Click **Next** to proceed to Step 3.

#### Step 3: Approval management

![approval-flow-step-3](/assets/approval-flow-step-3.7a8a67eaa4dd21eff34639ef872c77e2f5e5f2c8b2a4142d31e2f3919777c978.212f8da4.png)

> Set approvers, conditions, and define the approval sequence


This step provides a visual flow builder with two panels:

**Visual flow diagram (right panel):**

The flow is displayed as a vertical sequence:


```
Start flow
    ↓
[Approval Step 1] (e.g., "Admin" — role-based, highlighted in red)
    ↓
[Approval Step 2] (e.g., "security@frontegg.com" — email-based, highlighted in blue)
    ↓
  (+) Add step
    ↓
End flow
```

Click any step in the diagram to edit it in the left panel. Click the **(+)** button to add a new approval step.

**Step configuration (left panel):**

When a step is selected, the left panel shows:

| Field | Description |
|  --- | --- |
| **Roles** | A dropdown to select approver roles. Users with these roles in their JWT can approve requests at this step. |
| **Emails** | A list of specific email addresses that can approve requests at this step. Click **+ Add Email** to add more. Each email has a delete button. |
| **Required minimum approvers** | A numeric field setting the minimum number of approvers needed to advance past this step. Default: `1`. |


Approval steps are sequential — Step 1 must be completed before Step 2 begins.

Click **Next** to proceed to Step 4.

#### Step 4: Advanced settings

![approval-flow-step-4](/assets/approval-flow-step-4.2c43ed05fadf4381ec2297768f1e5d9bd81de2f178ccb9abe6958c1a862a97fb.212f8da4.png)

> Fine-tune how long approvals wait, whether reminders are sent, and how requesters are notified. You can also configure a webhook for status callbacks.


Four optional settings are available, all disabled by default:

| Setting | Description |
|  --- | --- |
| **Auto-approve timeout** | Automatically approve requests that remain pending beyond the specified time. Useful for low-risk flows where silence implies consent. |
| **Send reminder** | Nudge approvers if a request stays pending. Reminders help keep the flow moving. |
| **Notify requester on decision** | Let the requester know as soon as their request is approved or rejected. |
| **CC traditional recipients** | Keep additional stakeholders in the loop by sending them copies of all approval decisions. |


Each setting has a toggle to enable it. When enabled, additional configuration options appear (e.g., timeout duration, reminder interval, recipient email addresses).

Click **Create** to finalize the approval flow, or **Back** to return to a previous step.

### How approval flows work at runtime

1. A policy with a **Request approval** action matches an incoming tool call.
2. The tool call is paused — the AI agent receives a "pending approval" status.
3. Agen for SaaS sends notifications to the approvers defined in the flow (via email, SMS, or both).
4. Approvers review the request details and approve or reject it.
5. If the required minimum number of approvers approve at each step, the flow advances to the next step.
6. Once all steps are complete, the original tool call resumes automatically.
7. If any step is rejected, the tool call is denied.
8. The entire approval process is logged in the monitoring system.


### Example: Admin and security team approval

**Scenario:** Critical operations require approval from both an admin and the security team.

1. Click **Create flow**.
2. **General settings:** Name the flow "Admin + Security review".
3. **Channel configuration:** Enable **Email**.
4. **Approval management:**
  - **Step 1:** Set Roles to "Admin". Required minimum: 1.
  - Click **(+)** to add Step 2.
  - **Step 2:** Add email `security@yourcompany.com`. Required minimum: 1.
5. **Advanced settings:** Enable "Notify requester on decision".
6. Click **Create**.


Result: When a policy triggers this flow, an admin must approve first, then the security team must approve. The requester is notified of the final decision.

### Linking approval flows to policies

Approval flows are connected to policies through the **Request approval** action:

1. Create an approval flow (as described above).
2. Create or edit a policy.
3. Set the **Policy action** to **Request approval**.
4. Select the approval flow from the dropdown (e.g., "Approve from admins").
5. Save the policy.


### Related topics

- [Policies overview](/agen-for-saas/policies/overview)
- [Creating policies](/agen-for-saas/policies/creating-policies)
- [Conditional expressions](/agen-for-saas/policies/conditional-expressions)
- [Monitoring](/agen-for-saas/monitoring/overview)