Approve an agent’s access request
When one of your agents hits a permission wall, it can ask for access in-band (see In-band access requests). Those requests land in your Notifications for you to approve or deny.
Find the request
Go to Notifications in the sidebar. Under the PLATFORM ACCESS REQUESTS heading, each pending request appears as a card showing which agent is asking and for what. The list refreshes on its own every few seconds.
Only admins can act on these, and only for requests in their own organisation.
Approve or deny
Each card has two buttons: Approve (green) and Deny (red). Click one. The card shows a brief busy state while it works, and if something goes wrong the error appears inline under that specific card, so one failing request never blocks the others.
What Approve does depends on why the agent’s call was blocked:
- Missing grant: approving grants the scope to the agent. The agent can retry immediately.
- Blocked by policy: approving adds an allow rule to that member’s policy. This needs the member to already have a policy assigned. If they do not, you will see
no_policy_assignedand should assign a policy first, then approve. - Platform not connected: this cannot be approved in one click yet. You will see a “connect first” message. Connect an account for that platform, then come back and approve.
Deny works for any request and simply records the denial. The requesting member is notified of the outcome either way, and the decision is written to the audit log.
After approval
Approving does not re-run the agent’s original call. The agent is told to retry its use_platform call, which now succeeds. If the agent has already stopped, it will pick the access up on its next attempt.
Next
- In-band access requests: how the whole flow works
- Configure an agent’s permissions
- Manage user policies