How Signed Approval Tokens Work
Signed approval tokens add an extra verification step before an agent executes an approved action.
Stacksona Support
Last updated one day ago
Who this article is for
Use this article if your organization requires stronger proof that an action was approved.
What signed approval tokens do
When signed approval tokens are enabled for an agent, approved decisions include a one-time token. The agent must validate the token with Stacksona Gate before running the gated tool.
When tokens are included
Tokens are included only when:
- Signed approval tokens are enabled for the agent.
- The decision is approved.
- The approval is tied to a specific decision.
Required agent behavior
When an agent receives an approved decision:
- Read the approval_token from the decision response.
- Send the token back to Stacksona Gate for validation.
- Execute the gated tool only if validation succeeds.
- Treat validation failure as a deny condition.
- Log the failure and request a fresh decision if needed.
POST /api/agent/approvals/validate
Example body:
{
  "task_id": "task-abc-123",
  "signature": "approval_token_here"
}
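A fail-closed wrapper for the steps above, as an added example (not Stacksona's own code). The endpoint path, `approval_token`, and the `task_id`/`signature` body come from this article; the base URL, the decision's `status` field, and a success reply of HTTP 200 with `{"valid": true}` are assumptions.

```python
import json
import logging
import urllib.error
import urllib.request

log = logging.getLogger("gate_client")
GATE_URL = "https://gate.example.invalid"        # placeholder base URL (assumption)
VALIDATE_PATH = "/api/agent/approvals/validate"  # endpoint given in the article


def http_post(path, body):
    """POST JSON to Gate and return (status, parsed_reply)."""
    req = urllib.request.Request(
        GATE_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def run_gated_tool(decision, tool, post=http_post):
    """Run tool() only after Gate validates the decision's one-time token.

    Returns (executed, result_or_reason); every failure path is a deny.
    """
    task_id = decision.get("task_id")
    token = decision.get("approval_token")
    # "status" is an assumed field name; the article only names approval_token.
    if decision.get("status") != "approved" or not token or not task_id:
        return False, "no approved decision with token"
    try:
        status, reply = post(VALIDATE_PATH, {"task_id": task_id, "signature": token})
        # Assumed success shape: HTTP 200 with {"valid": true}.
        valid = status == 200 and reply.get("valid") is True
    except Exception as exc:  # timeout, DNS failure, malformed reply: fail closed
        log.error("validation request failed for %s: %s", task_id, exc)
        valid = False
    if not valid:
        # Never log the token itself; the task id is enough to correlate.
        log.warning("approval token rejected for %s; tool not run", task_id)
        return False, "validation failed"
    return True, tool()  # run immediately; token is not checked locally or reused
```

On a `(False, ...)` result, request a fresh decision rather than retrying with the same token.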
Best practices
- Do not validate approval tokens locally.
- Do not reuse tokens.
- Execute the approved action immediately after successful validation.
- If validation fails, do not run the tool.
- Alert an operator if token validation fails unexpectedly.
