`POST /api/tool-approvals/{id}/decide` — approve/reject one interactive approval by id. The SINGLE decide source (`services::tool_approvals::decide_approval`) every surface's Approve/Reject button resolves through: the service binds the workspace-membership authz to the approval row, CAS-resolves it, and resumes the paused agent. A bad verdict token -> 400; an approval the caller can't access -> 403; one that no longer exists / is already decided -> 404 / 400 from the service.
const url = 'https://example.com/api/tool-approvals/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/decide';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"decision":"example","text":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/tool-approvals/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/decide \ --header 'Content-Type: application/json' \ --data '{ "decision": "example", "text": "example" }'Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Pending tool-approval id
Request Bodyrequired
Section titled “Request Bodyrequired”The decide request body: the verdict token (approve/reject) plus an optional
free-text note the human attaches (surfaced to the agent in the resume wire).
object
Examplegenerated
{ "decision": "example", "text": "example"}Responses
Section titled “Responses”Decision recorded
{"decided": "<handle>"} — a decision acknowledgement echoing the chosen
outcome handle/status (e.g. an approval status or a workflow node decision
handle).
object
The decided outcome handle/status.
Examplegenerated
{ "decided": "example"}Structured client error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Authentication required
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Permission denied
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Approval not found / already decided
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Structured server error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}