
Approval Workflows

Human-in-the-loop gates for sensitive and critical credentials. Agents request access; humans approve or deny in real time.

Access tiers

Every secret is assigned an access tier that controls the approval requirement when an agent requests a scoped token to read it.

Standard

Auto-approved

Tokens are issued instantly. No human approval required. Suitable for non-sensitive operational credentials like internal API keys.

Examples

  • Internal service URLs
  • Development API keys
  • Feature flags
  • Non-secret configuration

Sensitive

1 approval required

One designated approver must approve within the request TTL. On approval, the token is issued automatically.

Examples

  • Production API keys
  • OAuth client secrets
  • Database credentials
  • LLM provider keys

Critical

2 approvals + delay

Two approvers must independently approve, with a configurable delay (default 5 minutes) before the token is issued. Provides a window to cancel.

Examples

  • Payment processor keys
  • Infrastructure credentials
  • Master database passwords
  • Signing keys

Approval flow

1. Agent requests a scoped token: scope + TTL + description
2. Vault checks the secret's tier: standard → auto-issue | sensitive/critical → queue
3. Approvers notified: webhook + dashboard notification + email (configurable)
4. Approvers review and approve/deny: dashboard UI or API endpoint
5. Critical only: enforced delay, a 5-minute window to cancel (configurable per path)
6. Token issued to agent, or denied; the request is logged in the audit trail either way

MoltbotDen Trust Tier integration

If your agents are registered on MoltbotDen, their trust tier can automatically influence approval requirements. Higher-trust agents may bypass approvals that lower-trust agents require.

MoltbotDen Trust Tier | Standard secrets | Sensitive secrets | Critical secrets
Verified (T5)         | Auto-approved    | Auto-approved     | 1 approval
Established (T4)      | Auto-approved    | Auto-approved     | 2 approvals + delay
Active (T3)           | Auto-approved    | 1 approval        | 2 approvals + delay
New (T2)              | Auto-approved    | 1 approval        | 2 approvals + delay
Unregistered          | Auto-approved    | 1 approval        | 2 approvals + delay

MoltbotDen integration is optional. Enable it in dashboard → Settings → Integrations.

Configuring approval policies

Policies are configured per namespace. You can set a default tier and override it for specific path patterns using glob matching.

Shell
# dashboard: Settings → Approval Policies
# Or via REST API:

curl -X PUT https://api.agentsecretstore.com/v1/namespaces/production/policy \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "default_tier": "standard",
    "path_overrides": [
      {
        "pattern": "production/stripe/*",
        "tier": "critical",
        "required_approvals": 2,
        "approval_delay_seconds": 300
      },
      {
        "pattern": "production/openai/*",
        "tier": "sensitive",
        "required_approvals": 1
      }
    ]
  }'

Handling approvals in code

approval_flow.py
import asyncio
from agentsecretstore import AgentVault

async def main():
    vault = AgentVault()

    # Request a scoped, short-lived token for a sensitive secret
    token_request = await vault.request_token(
        scope="secrets:read:production/stripe/*",
        ttl_seconds=300,
        description="Payment processing run #4821",
    )

    if token_request.status == "approved":
        # Auto-approved (standard tier) or already approved
        secret = await vault.get_secret(
            "production/stripe/api-key",
            token=token_request.value,
        )
        # secret.value holds the credential: hand it to the payment client, never print or log it

    elif token_request.status == "pending":
        print(f"Approval required. Request ID: {token_request.approval_request_id}")
        print("Notified approvers via webhook. Waiting...")

        # Development/testing convenience: block until approved, denied, or timed out.
        # Production agents should park the task and resume from the approval webhook instead.
        result = await vault.wait_for_approval(
            token_request.approval_request_id,
            timeout_seconds=600,
        )

        if result.approved:
            token = await vault.get_approved_token(token_request.approval_request_id)
            secret = await vault.get_secret("production/stripe/api-key", token=token)
            # Same as above: use secret.value, do not log it
        else:
            # Denied or timed out: do not retry in a loop; surface it to a human
            print(f"Request {token_request.approval_request_id} was not approved")

    else:
        # Any other terminal status (for example an immediate denial) is logged in the audit trail
        print(f"Request ended with status {token_request.status!r}")

asyncio.run(main())

Non-blocking pattern

For production agents, don't block on approval. Instead, queue the task and resume when you receive the approval webhook. The wait_for_approval() method is provided for development/testing convenience.

Webhook notifications

Register a webhook to receive real-time notifications when approvals are requested, approved, or denied. Payloads are signed with HMAC-SHA256.

Register a webhook

Shell
curl -X POST https://api.agentsecretstore.com/v1/webhooks \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-app.com/webhooks/approvals",
    "events": ["approval.requested", "approval.approved", "approval.denied"],
    "secret": "whsec_your_signing_secret"
  }'

Webhook payload

JSON
{
  "event": "approval.requested",
  "approval_request_id": "apr_01HQKM3N...",
  "requested_by": "agent-orchestrator",
  "scope": "secrets:read:production/stripe/*",
  "secret_paths": ["production/stripe/api-key"],
  "tier": "critical",
  "description": "Payment processing run #4821",
  "expires_at": "2025-01-15T11:00:00Z",
  "approve_url": "https://agentsecretstore.com/approvals/apr_01HQKM3N...",
  "timestamp": "2025-01-15T10:30:00Z"
}
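Putting the non-blocking pattern and the signed webhook together, here is an added agent-side webhook handler (example code, not the project's SDK or anything from this page): it verifies the HMAC-SHA256 signature over the raw body with the secret registered above, then resumes or cancels the task that was parked under the approval_request_id. The header name X-Signature and the hex-of-HMAC-over-raw-body scheme are assumptions, since the page does not document them.

```python
import hashlib
import hmac
import json

# The "secret" value registered with the webhook (constructed sample, same as the curl above)
WEBHOOK_SECRET = b"whsec_your_signing_secret"

# Assumption: the signature header carries hex(HMAC-SHA256(secret, raw_body)).
# Neither the header name nor the encoding is documented on this page.
SIGNATURE_HEADER = "X-Signature"

# Work parked while its token request is pending, keyed by approval_request_id
pending_tasks: dict[str, dict] = {}

def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the sender computes; used here only to construct signed sample deliveries."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so a wrong signature leaks nothing through timing."""
    return hmac.compare_digest(sign(raw_body, secret), signature_hex.strip().lower())

def park_task(approval_request_id: str, task: dict) -> None:
    """Non-blocking pattern: record the work and return instead of polling for approval."""
    task["status"] = "pending"
    pending_tasks[approval_request_id] = task

def handle_webhook(raw_body: bytes, headers: dict) -> str:
    """Process one delivery; returns 'rejected', 'noted', 'resumed', 'cancelled' or 'ignored'."""
    # Verify over the raw bytes before parsing: a re-serialised body would not match
    if not verify_signature(raw_body, headers.get(SIGNATURE_HEADER, "")):
        return "rejected"
    event = json.loads(raw_body)
    kind = event.get("event")
    if kind == "approval.requested":
        return "noted"  # approvers are being notified; nothing for the agent to do yet
    task = pending_tasks.pop(event.get("approval_request_id", ""), None)
    if task is None:
        return "ignored"  # unknown, expired, or already-handled request id
    if kind == "approval.approved":
        # Here the agent would call vault.get_approved_token(approval_request_id)
        task["status"] = "resumed"
        return "resumed"
    if kind == "approval.denied":
        task["status"] = "cancelled"  # surface the denial to a human; do not retry automatically
        return "cancelled"
    return "ignored"
```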

Approve or deny via API

Shell
# Approve a pending request (human approver action)
curl -X POST https://api.agentsecretstore.com/v1/approvals/apr_01HQKM3N.../approve \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{"comment": "Approved for scheduled payment batch"}'

# Deny a request
curl -X POST https://api.agentsecretstore.com/v1/approvals/apr_01HQKM3N.../deny \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Unexpected access pattern — investigating"}'