Approve via magic link
If you’ve been added as an approval delegate for an AgentValet account, you’ll occasionally get an email like this:
Subject: Approval required:
{agent}→{platform}/{action}From: AgentValet <noreply@agentvalet.ai>
Inside is a one-paragraph summary of what an agent is trying to do and a link. This page explains what that link is and what you’re agreeing to when you click it.
What the link does
The link takes you to a page that shows you:
- Which agent made the request
- Which platform it wants to call (Slack, Stripe, Gmail, etc.)
- The specific scope being requested (e.g.,
chat:write) - Which organisation the agent belongs to
You have two buttons: Approve and Deny.
If you click Approve, AgentValet runs the action — uses the org’s stored credential to make the call to the platform, captures the response, and writes the decision to the audit log under your email.
If you click Deny, nothing is sent to the platform. The denial is recorded.
Either way, you don’t need to be logged in. The link itself is the authorisation — it’s a signed token only the proxy can issue and only one person can use.
How long the link lasts
24 hours. After that the link returns a generic “not found” error and the queued action expires.
There’s also a 10-minute window on the queued action itself, set by the org. If you don’t act within that, the action is marked expired before the link’s 24-hour window matters.
Single-use enforcement
Each link works once. After you click approve or deny, the same link from the same email won’t work a second time — even if you forward it, even if your mail client previews it twice. AgentValet hashes the token in the link and records the hash on the approval row; a second visit with the same hash returns “already actioned” with the timestamp of who used it.
This matters because email is easy to leak. A magic link with single-use enforcement isn’t a credential you can re-use.
Approving with a passkey
If you’ve registered a passkey on the AgentValet device you’re on (Touch ID, Face ID, Windows Hello, or a hardware key), the approval page offers a passkey option in addition to the buttons. Tap it, complete the biometric, and the approval goes through.
The passkey is a separate layer of confirmation. Even if a magic link leaked to someone with your inbox, they couldn’t approve with your passkey.
When the link doesn’t work
You’ll see one of these:
- “Already actioned” — someone (possibly you in another tab) has already approved or denied this. The timestamp on the page shows when.
- “Not found” — the link expired (more than 24 hours since the email was sent) or the queued action expired (more than 10 minutes since the agent requested approval).
- “Server error” — something went wrong. Hold off on retrying immediately; try once a minute or two later.
If you keep getting errors and you weren’t expecting an approval request in the first place, treat the email with suspicion and forward it to the org owner instead of clicking through.
Push notifications instead
If you’ve enabled push notifications on the AgentValet dashboard for this account, you’ll usually get the push first and act on it from there. Magic links are the fallback for offline / non-browser scenarios and for delegates who don’t have dashboard access.