> ## Documentation Index
> Fetch the complete documentation index at: https://conto.finance/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Governance Approvals

> Require owner or admin review before API key, policy, and freeze-configuration changes apply

# Governance Approvals

Governance approvals let you protect sensitive organization changes behind a second review step.
When a protected action is attempted, Conto creates a governance approval request instead of
applying the change immediately.

Use this when API key lifecycle, policy updates, or freeze-configuration changes should leave an
explicit review trail.

## What Can Be Protected

Current governance approval actions cover:

* API key creation, rotation, and revocation
* Freeze-configuration updates
* Policy creation, update, and deletion
* Policy-rule creation, update, and deletion

## Roles

| Role     | What it can do                                                                  |
| -------- | ------------------------------------------------------------------------------- |
| `OWNER`  | Configure which actions require governance approval; approve or reject requests |
| `ADMIN`  | Approve or reject requests that are already pending                             |
| `VIEWER` | Cannot configure governance approvals or decide requests                        |

## How It Works

```
User attempts protected change
  → Conto creates a governance approval request
    → Owner/Admin reviews the request in Settings
      → APPROVED: Conto applies the original change
      → REJECTED or EXPIRED: original change is not applied
```

Every request keeps the requester, requested payload, decision comment, timestamps, and decision
actor together in one audit trail.

## Set It Up

<Steps>
  <Step title="Open the Governance tab">
    Sign in to the dashboard and open the **Governance** tab in organization settings.
  </Step>

  <Step title="Choose protected actions">
    Toggle on the actions that should pause for review before they apply.
  </Step>

  <Step title="Optional: add webhook visibility">
    If your compliance, audit, or ticketing system needs a copy of governance events, add a
    `WEBHOOK` notification channel and subscribe it to `governance.approval.requested` and
    `governance.approval.decided`.
  </Step>

  <Step title="Test one protected change">
    Try a protected action such as updating a policy or rotating an API key. You should see a
    pending governance approval request instead of an immediate mutation.
  </Step>
</Steps>

## Review a Request

Owners and admins review pending requests in the same **Governance** settings tab.

For each request, Conto shows:

* The protected action, such as `POLICY_UPDATE` or `API_KEY_ROTATE`
* The target resource and resource ID
* The requester and request timestamp
* The serialized request payload
* Expiration time
* Decision history and optional reviewer comment

Approve when the change is expected and authorized. Reject when the request should not be applied.

## Webhooks and Audit Trail

Governance approval webhooks are notification-only. External systems can observe the request and
decision lifecycle, but the actual approve/reject action still happens in Conto.

* Webhook event reference: [/integrations/notification-channels](/integrations/notification-channels#governance-approval-webhooks)
* Audit log review: [/guides/audit-logs](/guides/audit-logs)
* Role expectations: [/guides/roles-permissions](/guides/roles-permissions)

## API Surface

If you need to inspect the current setup or pending requests programmatically, the dashboard uses:

* `GET /api/governance/approval-settings`
* `PATCH /api/governance/approval-settings`
* `GET /api/governance/approval-requests`
* `POST /api/governance/approval-requests/{id}/decide`

These routes use the signed-in dashboard session rather than SDK keys.
