Skip to main content

Approval Workflows for Agent Payments

Approval workflows let you keep low-risk agent payments fast while routing exceptional cases through human review. In Conto, approvals are part of the payment control plane, not an afterthought layered on later.

When to Use Approval Workflows

Approval workflows are a strong fit when you need any of the following:
  • Payments above a finance threshold
  • New recipients that have not built trust yet
  • Category-specific review, such as treasury or vendor onboarding flows
  • Role-based approvals for finance, ops, or compliance
  • Dual control or sequential review for larger transfers

How the Flow Works

How Conto Matches a Workflow

Conto evaluates active workflows in priority order and picks the first workflow whose trigger conditions match the payment context.

Supported trigger conditions

TriggerWhat it matches
amountThresholdAmounts at or above a threshold
currencyCurrency-specific review
categoriesCategory-based review, such as vendor or infrastructure spend
agentIdsA specific set of agent IDs inside the organization
agentTypesSpecific agent frameworks or classes
newRecipientsFirst-time recipients
counterpartyTrustLevelLow-trust or unknown counterparties
This makes approval workflows a good complement to trust scoring and counterparty rules. For example, you can auto-approve trusted vendors while forcing review for unknown recipients. agentIds is especially useful for staged rollouts and verifier pilots. It lets you bind a workflow to one or two agents in a mixed org without turning on the same review path for every other agent.

Workflow Settings That Matter

SettingWhat it does
priorityHigher-priority workflows match first
requiredApprovalsNumber of approvals needed before a payment moves forward
timeoutHoursExpiration window for pending requests
allowSelfApprovalWhether the initiator can approve their own request
approverRolesRole-based access, such as OWNER or ADMIN
specificApproversExplicit user allowlist for a workflow
sequentialApprovalEnforces approval order when specific approvers are set
Any rejection ends the workflow immediately. Approvals accumulate until the required approval count is reached.

External Approval Channels

Approval requests can be delivered to external channels so finance or ops teams can act without logging into Conto for every review. Supported channels include:
  • Slack
  • Email
  • Telegram
  • WhatsApp
  • Webhook
Each decision records the acting channel, and Conto keeps an audit trail of who approved, when they approved, and how the request was resolved. For step-by-step setup, see /guides/external-approvals.

Pattern 1: Single approval for large payments

SettingExample
TriggeramountThreshold = 100
Required approvals1
Approver rolesOWNER, ADMIN
Best forDay-to-day spend that only needs review above a threshold

Pattern 2: Review first-time recipients

SettingExample
TriggernewRecipients = true
Required approvals1
Approver rolesADMIN
Best forPreventing agents from sending funds to unknown addresses without review

Pattern 3: Dual control for sensitive transfers

SettingExample
TriggeramountThreshold = 5000
Required approvals2
Self approvalfalse
Best forTreasury, vendor onboarding, or high-value transfers

Pattern 4: Sequential approval for finance + security

SettingExample
Specific approversfinance lead, then security lead
Sequential approvaltrue
Best forControls that require ordered sign-off from multiple stakeholders

Pattern 5: Scoped verifier pilot in a shared org

SettingExample
TriggeramountThreshold = 0, agentIds = ["agent_ap_demo"]
Required approvals1
Best forRunning a verifier like Delta against one agent first

Pair Approval Workflows with Trust Scoring

One of the highest-signal combinations is:
  1. Use trust scoring to classify counterparties.
  2. Let trusted or verified recipients flow normally.
  3. Route unknown or deteriorating counterparties into approval workflows.
That gives you a fast path for established counterparties and a controlled path for new or risky ones.

Canonical Approval Architecture

The most common production stack looks like this:
  • Policy engine blocks clearly disallowed payments outright.
  • Trust scoring enriches the recipient before the payment is evaluated.
  • Approval workflows catch the gray area between auto-approve and hard deny.
  • External channels deliver requests to the real stakeholders.
  • Audit logs and webhooks make the outcome visible to finance and operations systems.

External Approvals

Connect Slack, email, Telegram, WhatsApp, or webhooks

Trust Scoring

Use counterparty trust as an approval trigger

Securing Agents

See where approvals fit in a layered policy model

Architecture Patterns

Visual reference for approval and payment flows