Agent Approval Gate
Before an AI agent takes a consequential action, the user confirms it one more time on their phone.
The simplest way to stop a typo in an ad budget from approving ₩50,000,000 of spend: the user taps Reject once on their phone. That's what this feature does.
What makes it different
Compared with a Slack bot, an email notification, or ntfy.sh:
| Capability | Plain notification | logi Agent Approval |
|---|---|---|
| User confirmation | Visible | The exact content the user saw, SHA-256 sealed |
| Proof of decision | None | Device secure-key signature (non-repudiable) |
| Identity | Bot token | The same user identity as logi SSO |
| MFA-bombing defense | None | 6-digit match + cool-down + in-flight suppression |
| Audit log | Varies by bot | Hash chain + WORM trigger + 7-year retention |
| Standards | Proprietary | OAuth CIBA (RFC) + RAR (RFC 9396) compatible |
Scenario
Codex attempts to change the ad budget
↓
calls mcp__logi__request_approval
↓
logi → push to the user's phone (APNs/FCM)
↓
user: [Reject] or [Approve with Face ID]
↓
signed decision → returned to Codex
↓
Codex proceeds with the real action, or stops
Every state transition in this flow is recorded as a hash chain in a dedicated audit table.
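As an added illustration (not logi's own code or schema), the sketch below shows how sealing the displayed content with SHA-256 and hash-chaining each state transition makes later edits to the audit table detectable. The record fields, state names, `req-0001`, and the all-zero genesis value are assumptions made for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first record


def digest(obj) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def seal_content(shown: dict) -> str:
    # SHA-256 over exactly what the user was shown on the approval screen.
    return digest(shown)


def append(chain: list, request_id: str, state: str, content_hash: str) -> dict:
    body = {
        "seq": len(chain),
        "request_id": request_id,
        "state": state,
        "content_hash": content_hash,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    record = dict(body, hash=digest(body))
    chain.append(record)
    return record


def verify(chain: list) -> int:
    # Returns -1 if the chain is intact, else the index of the first bad record.
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev_hash") != prev or digest(body) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return -1


def demo_chain() -> list:
    # Constructed sample: the ad-budget request from the scenario, rejected by the user.
    shown = {"action": "update_ad_budget", "amount": 50000000, "currency": "KRW"}
    sealed = seal_content(shown)
    chain = []
    for state in ("requested", "pushed", "rejected", "returned_to_agent"):
        append(chain, "req-0001", state, sealed)
    return chain
```

A chain on its own does not reveal that the most recent records were deleted; detecting that requires write-once storage or an externally anchored head hash.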
Next steps
- Quickstart — wire it into Claude Code / Codex / Cursor in five minutes
- Setup guide — how users write rules for their agents
- API reference — REST endpoints and response schemas
- Security — threat model and defense layers in detail