Governance Approvals
Governance approvals let you protect sensitive organization changes behind a second review step. When a protected action is attempted, Conto creates a governance approval request instead of applying the change immediately. Use this when API key lifecycle, policy updates, or freeze-configuration changes should leave an explicit review trail.What Can Be Protected
Current governance approval actions cover:- API key creation, rotation, and revocation
- Freeze-configuration updates
- Policy creation, update, and deletion
- Policy-rule creation, update, and deletion
Roles
| Role | What it can do |
|---|---|
OWNER | Configure which actions require governance approval; approve or reject requests |
ADMIN | Approve or reject requests that are already pending |
VIEWER | Cannot configure governance approvals or decide requests |
How It Works
Set It Up
Open the Governance tab
Sign in to the dashboard and open the Governance tab in organization settings.
Optional: add webhook visibility
If your compliance, audit, or ticketing system needs a copy of governance events, add a
WEBHOOK notification channel and subscribe it to governance.approval.requested and
governance.approval.decided.Review a Request
Owners and admins review pending requests in the same Governance settings tab. For each request, Conto shows:- The protected action, such as
POLICY_UPDATEorAPI_KEY_ROTATE - The target resource and resource ID
- The requester and request timestamp
- The serialized request payload
- Expiration time
- Decision history and optional reviewer comment
Webhooks and Audit Trail
Governance approval webhooks are notification-only. External systems can observe the request and decision lifecycle, but the actual approve/reject action still happens in Conto.- Webhook event reference: /integrations/notification-channels
- Audit log review: /guides/audit-logs
- Role expectations: /guides/roles-permissions
API Surface
If you need to inspect the current setup or pending requests programmatically, the dashboard uses:GET /api/governance/approval-settingsPATCH /api/governance/approval-settingsGET /api/governance/approval-requestsPOST /api/governance/approval-requests/{id}/decide