Approval Workflows for Agent Payments
Approval workflows let you keep low-risk agent payments fast while routing exceptional cases through human review. In Conto, approvals are part of the payment control center, not an afterthought layered on later.When to Use Approval Workflows
Approval workflows are a strong fit when you need any of the following:- Payments above a finance threshold
- New recipients that have not built trust yet
- Category-specific review, such as treasury or vendor onboarding flows
- Role-based approvals for finance, ops, or compliance
- Dual control or sequential review for larger transfers
How the Flow Works
How Conto Matches a Workflow
Conto evaluates active workflows in priority order and picks the first workflow whose trigger conditions match the payment context. Workflow matching runs for every non-denied payment. That means a workflow can deliberately hold an otherwise policy-approved request, which is how verifier pilots such as Delta act as an approval gate without becoming the settlement layer. If the policy engine itself requires human approval and no custom workflow matches, Conto creates a one-review approval request through a system-managed route. This guarantees that every approval alert has a decision record that Owners, Admins, or Managers can open, approve, or reject. The system-managed route is internal and is not listed with configurable workflows.Supported trigger conditions
This makes approval workflows a good complement to trust scoring and counterparty rules. For example,
you can auto-approve trusted vendors while forcing review for unknown recipients.
agentIds is especially useful for staged rollouts and verifier pilots. It lets you bind a workflow
to one or two agents in a mixed org without turning on the same review path for every other agent.
Workflow Settings That Matter
Any rejection ends the workflow immediately. Approvals accumulate until the required approval
count is reached. When the final approval is recorded, Conto immediately invokes the payment
execution path for Conto-managed wallets. The approval remains recorded if custody execution
fails, and the request stays visible as needing execution attention. External and smart-contract
wallets still require their manual execution and confirmation flow.
External Approval Channels
Approval requests can be delivered to external channels so finance or ops teams can act without logging into Conto for every review. Supported channels include:- Slack
- Telegram
- Webhook
Recommended Patterns
Pattern 1: Single approval for large payments
Pattern 2: Review first-time recipients
Pattern 3: Dual control for sensitive transfers
Pattern 4: Sequential approval for finance + security
Pattern 5: Scoped verifier pilot in a shared org
Pair Approval Workflows with Trust Scoring
One of the highest-signal combinations is:- Use trust scoring to classify counterparties.
- Let trusted or verified recipients flow normally.
- Route unknown or deteriorating counterparties into approval workflows.
Canonical Approval Architecture
The most common production stack looks like this:- Policy engine blocks clearly disallowed payments outright.
- Trust scoring enriches the recipient before the payment is evaluated.
- Approval workflows catch the gray area between auto-approve and hard deny.
- External channels deliver requests to the real stakeholders.
- Audit logs and webhooks make the outcome visible to finance and operations systems.
Related Guides
External Approvals
Connect Slack, email, Telegram, WhatsApp, or webhooks
Trust Scoring
Use counterparty trust as an approval trigger
Securing Agents
See where approvals fit in a layered policy model
Architecture Patterns
Visual reference for approval and payment flows