Quickstart — wire up the agent approval gate in five minutes

1. Register an agent

In the Developer Console → AI Agents section at start.1pass.dev, create a new agent.

Field	Value
Name	e.g. Codex (production)
Type	codex / claude / cursor / custom
Auth mode	signed (recommended) — stealing the token alone gets the attacker nowhere
Allowed action_type	(optional) allowlist. Leave empty for no limit
Allowed IP / CIDR	(optional) if you only call from a server, IP locking is recommended

Right after registration, the page shows these values once — save them immediately:

• LOGI_AGENT_TOKEN — Bearer token
• LOGI_AGENT_PRIVATE_KEY — Ed25519 private key (PEM, signed mode only)
• LOGI_AGENT_PUBLIC_ID — agt_xxxx

2. Install the MCP server (Claude Code example)

// ~/.claude.json
{
  "mcpServers": {
    "logi-approval": {
      "command": "npx",
      "args": ["-y", "@logi-auth/mcp-approval"],
      "env": {
        "LOGI_AGENT_TOKEN":       "logi_agt_...",
        "LOGI_AGENT_PRIVATE_KEY": "-----BEGIN PRIVATE KEY-----\n...",
        "LOGI_AGENT_PUBLIC_ID":   "agt_xxxxxx",
        "LOGI_API_URL":           "https://api.1pass.dev"
      }
    }
  }
}

Codex CLI and Cursor work the same way as long as they support the same MCP server stdin/stdout protocol. To integrate directly, use the curl or SDK examples in the API reference.

3. Tell the agent the rules

In CLAUDE.md, AGENTS.md, or the system prompt:

You have access to logi__request_approval. ALWAYS call it BEFORE:
- Changing any ads budget by >20% or absolute >1,000,000 KRW
- Running migrations on production databases
- Sending more than 100 emails/SMS in one batch
- Spending >100,000 KRW on any external API
- Deploying to production

If the tool returns status != "approved", ABORT and tell the user.
NEVER proceed without explicit approval for these categories.

For detailed rule examples, see the Setup guide.

4. Test

On the demo page (demo.1pass.dev/agent-approval), receive a live push and confirm it.

Or with a single curl (in bearer_only mode):

curl -X POST https://api.1pass.dev/api/agents/approvals \
  -H "Authorization: Bearer $LOGI_AGENT_TOKEN" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{"action_type":"test.echo","title":"Test","body":"X → Y"}'

Response:

{
  "auth_req_id": "aar_abc123",
  "status": "pending",
  "number_match": "428193",
  "expires_in": 300,
  "interval": 2
}

A push arrives on the phone, and the same 6-digit number_match appears on both sides. After Face ID, the user decides on the phone — poll with the same auth_req_id and you'll get status: "approved".