Approval Gates: Humans Approve, Bots Execute
State machines tell agents where they can go. Approval gates tell them when.
OpenWeave now supports is_bot_requires_approval on any state in your workflow. When enabled, a bot cannot transition into that state until a human has explicitly approved it on the ticket.
How It Works
In the state machine configuration, any state can be flagged as requiring bot approval. In the workflow diagram, these gated transitions appear as yellow dashed edges — visually distinct from regular bot paths (purple) and human paths (blue).
When a bot attempts to enter a gated state:
POST /api/tickets/42/transition/
{"target_state": "Deployed", "actor_type": "bot"}
// Response: 403 Forbidden
{
"error": "Approval required",
"detail": "State \"Deployed\" requires ticket approval before bot entry",
"approval_status": "pending"
}The bot is blocked. It cannot proceed until a human reviews the ticket and grants approval. Once approved, the bot can make the transition normally.
Why This Matters
Consider a deployment pipeline managed by an AI agent:
- Agent triages the ticket → automatic
- Agent runs tests → automatic
- Agent deploys to staging → automatic
- Agent deploys to production → requires approval
Without approval gates, you are relying on the agent to "know" it should wait. With approval gates, the system enforces it. The agent literally cannot make the transition until a human says yes.
Compliance and Safety
Approval gates are not just convenient — they are a compliance requirement for many organizations. SOC 2, ISO 27001, and HIPAA all require documented human approval for sensitive operations.
With OpenWeave approval gates:
- Every approval is logged with who approved, when, and on which ticket
- Bots cannot bypass the gate — it is enforced at the API level
- Audit trails show the complete chain: request → approval → execution
The state machine defines the rules. Approval gates add the checkpoints. Together, they give you autonomous execution with human oversight where it matters.