- Exec approvals pause agent action execution and wait for a human to approve or reject before proceeding
- Mark any skill as requiring approval with the requireApproval flag in your skill config
- Approval requests route to the channel configured in approvalChannel — Telegram, webhook URL, or the web UI
- Default timeout is 300 seconds; timed-out approvals auto-reject and log a timeout event
- Risk tiers let you auto-approve low-risk actions and require approval only for genuinely dangerous operations
The mistake most people make when building autonomous agents is treating approvals as a binary: either the agent does everything automatically or a human reviews every single step. Neither is right. Exec approvals give you a middle path — automation that runs at full speed until it hits a decision that warrants human eyes.
How Exec Approvals Work
When an agent wants to execute an action marked as requiring approval, OpenClaw intercepts the execution call before it runs. The agent's intended action — what skill, what parameters, what context — gets packaged into an approval request and sent to the configured reviewer.
The agent pauses. The reviewer sees the request with full context: what the agent is trying to do, why (based on the conversation), and what the consequences are. The reviewer approves or rejects. If approved, execution continues. If rejected, the agent receives a rejection signal and falls back to its configured behavior — typically informing the user the action couldn't be completed.
This happens asynchronously. The agent holds state between the approval request and the response, so the conversation can resume exactly where it left off once the reviewer decides. That state persistence is what makes exec approvals practical rather than just a hard stop.
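The intercept, pause and resume flow described above, as an added example rather than OpenClaw's own code. The `ApprovalGate` class, its method names and the injected clock are assumptions made for illustration; only the 300-second default and reject-on-timeout behavior come from this page.

```python
import time
import uuid


class ApprovalGate:
    """Holds intercepted actions until a reviewer decides or the timeout passes."""

    def __init__(self, timeout_seconds=300, clock=time.monotonic):
        self.timeout = timeout_seconds
        self.clock = clock          # injectable so tests can control time
        self.pending = {}           # request id -> (action, params, created_at)
        self.log = []               # audit trail of (request id, event)

    def submit(self, action, params):
        """Intercept the call: store it instead of running it."""
        rid = uuid.uuid4().hex
        self.pending[rid] = (action, params, self.clock())
        self.log.append((rid, "requested"))
        return rid

    def decide(self, rid, approved):
        """Apply a reviewer decision; run the action only on an in-time approval."""
        entry = self.pending.pop(rid, None)
        if entry is None:
            return ("rejected", None)      # unknown or already-settled id (replay)
        action, params, created = entry
        if self.clock() - created > self.timeout:
            self.log.append((rid, "timeout"))
            return ("rejected", None)      # a late approval must not execute
        if approved is not True:           # only a strict boolean true approves
            self.log.append((rid, "rejected"))
            return ("rejected", None)
        self.log.append((rid, "approved"))
        return ("executed", action(**params))

    def expire(self):
        """Reject every request older than the timeout; return their ids."""
        now = self.clock()
        late = [r for r, (_, _, t) in self.pending.items() if now - t > self.timeout]
        for rid in late:
            del self.pending[rid]
            self.log.append((rid, "timeout"))
        return late
```

Every path other than a timely, explicit approval ends in rejection, which is the fail-closed property the rest of the configuration should preserve.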
What Actions Should Require Approval
Not everything needs human review. Blanket approval requirements on all actions make your agent unusable — every interaction becomes a waiting game. The goal is surgical placement: approvals on actions where a mistake is hard to reverse or has real consequences.
Good candidates for required approval:
- External messaging — sending emails, posting to Slack, sending SMS. Hard to unsend, public-facing consequences.
- Record creation or deletion — writing to databases, creating CRM entries, deleting files. Reversible but disruptive.
- Financial actions — triggering payments, making API calls with per-call costs above a threshold, updating billing records.
- Permission changes — adding users to systems, modifying access controls, changing security settings.
- Bulk operations — any action that runs on more than N records at once, where N is configurable per skill.
Actions that don't need approval: reading data, generating reports, performing calculations, looking things up, summarizing content. None of these changes anything in the external world, so there is nothing to reverse.
Configuring Exec Approvals
Approvals are configured at two levels: the gateway level (global settings) and the skill level (per-action requirements). Here's the gateway config block:
```yaml
approvals:
  enabled: true
  approvalChannel: telegram
  approvalChatId: "123456789"   # Your reviewer's Telegram chat ID
  approvalTimeoutSeconds: 300
  timeoutBehavior: reject       # reject | escalate | auto-approve
  notifyOnTimeout: true
```
At the skill level, mark individual skills:
```yaml
# In your skill configuration
skills:
  - name: send-email
    requireApproval: true
    approvalRiskLevel: high
    approvalMessage: "Agent wants to send an email. Review details before approving."
  - name: query-database
    requireApproval: false   # Read-only, no approval needed
  - name: create-crm-record
    requireApproval: true
    approvalRiskLevel: medium
```
The approvalMessage field lets you provide context-aware prompts to the reviewer. Make these specific — "Agent wants to send an email" is better than nothing but "Agent wants to send a follow-up email to the customer in the current conversation" is better still. The reviewer is making a decision; give them what they need to decide quickly.
Approval Channels
OpenClaw supports three channels for routing approval requests.
Telegram is the most common for personal and small-team setups. The reviewer gets a Telegram message with action details and inline Approve/Reject buttons. Response is instant — one tap. Configure with approvalChannel: telegram and your approvalChatId.
Webhook works for teams with existing tooling — Slack, custom dashboards, PagerDuty. OpenClaw POSTs the approval request as JSON to your webhook URL, and your system handles the UI and response routing. Configure with approvalChannel: webhook and approvalWebhookUrl. Your endpoint must respond with {"approved": true} or {"approved": false}.
Web UI provides a built-in approval queue accessible via the OpenClaw dashboard at /approvals. Works without any external service. Best for organizations that want a centralized approval log with full audit trail. Configure with approvalChannel: ui.
Risk Tiers and Approval Policies
Risk tiers let you build graduated approval policies without marking every individual skill manually. Define the tiers in your gateway config, then assign skills to tiers.
```yaml
approvalPolicy:
  low:
    requireApproval: false
    autoApprove: true
  medium:
    requireApproval: true
    businessHoursOnly: true   # Auto-approve outside business hours
    businessHoursStart: "09:00"
    businessHoursEnd: "18:00"
    timezone: "America/New_York"
  high:
    requireApproval: always
    escalateAfterSeconds: 120   # Ping a second reviewer if no response
```
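This configuration auto-approves low-risk actions (data reads, lookups), requires approval for medium-risk actions during business hours (and auto-approves outside hours when no reviewer is available), and always requires approval for high-risk actions with escalation to a backup reviewer after 2 minutes. The medium tier therefore fails open for the 15 hours a day outside the 09:00 to 18:00 window, so assign to it only actions you are willing to let run unreviewed.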
As of early 2025, the escalation feature supports chaining up to three reviewers before timing out. This is useful for organizations where primary approvers may be unavailable — rather than timing out and rejecting, the request works through a backup list.
Common Mistakes
The biggest mistake: requiring approval for too many actions. When everything needs approval, the human-in-the-loop becomes a bottleneck and reviewers start rubber-stamping without reading. Approval fatigue makes the whole system useless. Limit required approvals to the 5–10% of actions where human judgment genuinely matters.
Second mistake: setting timeoutBehavior: auto-approve. This exists for specific use cases but is dangerous as a default — it means any action will eventually execute if the reviewer doesn't respond. Use reject as your default timeout behavior. If you need actions to execute despite non-response, build that logic explicitly.
Third mistake: not testing the approval channel before going live. A misconfigured Telegram chat ID or broken webhook URL silently fails — approvals time out and get rejected, the agent can't do its job, and you have no idea why. Test the approval flow end-to-end in staging.
Fourth mistake: approval messages that don't give the reviewer enough context. "Approval required" is not an approval message. Include: what the agent wants to do, why (the trigger from the conversation), and what happens if rejected. Reviewers making uninformed decisions defeat the purpose of the approval system.
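A static check for the risk-tier configuration and the mistakes listed above, as an added example and not an OpenClaw tool. The config is a constructed Python dict mirroring this page's YAML keys, and the `lint` function, its finding codes and the five-word message threshold are assumptions of this example.

```python
from datetime import datetime

# Constructed sample mirroring the page's YAML, with timeoutBehavior flipped
# to the risky value so the lint has something to report.
SAMPLE = {
    "approvals": {"enabled": True, "approvalChannel": "telegram",
                  "approvalChatId": "123456789", "approvalTimeoutSeconds": 300,
                  "timeoutBehavior": "auto-approve", "notifyOnTimeout": True},
    "approvalPolicy": {
        "low": {"requireApproval": False, "autoApprove": True},
        "medium": {"requireApproval": True, "businessHoursOnly": True,
                   "businessHoursStart": "09:00", "businessHoursEnd": "18:00"},
        "high": {"requireApproval": "always", "escalateAfterSeconds": 120}},
    "skills": [
        {"name": "send-email", "requireApproval": True, "approvalRiskLevel": "high",
         "approvalMessage": "Agent wants to send an email. Review details before approving."},
        {"name": "query-database", "requireApproval": False},
        {"name": "create-crm-record", "requireApproval": True, "approvalRiskLevel": "medium"}],
}
# Setting each channel needs before a request can reach a reviewer.
REQUIRED_KEY = {"telegram": "approvalChatId", "webhook": "approvalWebhookUrl", "ui": None}

def lint(cfg):
    """Return sorted finding codes for fail-open or reviewer-hostile settings."""
    f, a = [], cfg.get("approvals", {})
    if a.get("timeoutBehavior") == "auto-approve":
        f.append("timeout-fails-open")
    ch = a.get("approvalChannel")
    if ch not in REQUIRED_KEY or (REQUIRED_KEY[ch] and not a.get(REQUIRED_KEY[ch])):
        f.append("channel-incomplete")
    tiers = cfg.get("approvalPolicy", {})
    for name, t in tiers.items():
        if t.get("requireApproval") is True and t.get("businessHoursOnly"):
            # Assumes the business-hours window applies every day of the week.
            s = datetime.strptime(t["businessHoursStart"], "%H:%M")
            e = datetime.strptime(t["businessHoursEnd"], "%H:%M")
            unreviewed = 24 - (e - s).total_seconds() / 3600
            f.append(f"tier-{name}-unreviewed-{unreviewed:g}h-per-day")
    for sk in cfg.get("skills", []):
        if not sk.get("requireApproval"):
            continue
        if sk.get("approvalRiskLevel") not in tiers:
            f.append(f"{sk['name']}-unknown-tier")
        if len(sk.get("approvalMessage", "").split()) < 5:  # heuristic threshold
            f.append(f"{sk['name']}-weak-approval-message")
    return sorted(f)
```

A static check like this does not replace the end-to-end staging test: it confirms a chat ID or webhook URL is present, not that requests actually arrive.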
Frequently Asked Questions
What are exec approvals in OpenClaw?
Exec approvals are a safety mechanism that pauses agent action execution and waits for a human to approve or reject before proceeding. The agent identifies an action it wants to take, sends an approval request to the configured reviewer, and only executes if approved. Rejected actions are logged and the agent falls back to configured alternative behavior.
Which actions can require approval in OpenClaw?
Any skill invocation can be marked as requiring approval using the requireApproval flag at the skill level. Best candidates: external messaging (email, Slack), data writes or deletions, financial actions, permission changes, and bulk operations. Read-only actions like lookups and report generation rarely need approval.
How does the approval request get sent to the reviewer?
OpenClaw sends approval requests via the channel configured in approvalChannel — Telegram chat, webhook URL, or the web UI. The reviewer sees what action the agent wants to take, with Approve and Reject options. The agent waits up to approvalTimeoutSeconds before timing out and auto-rejecting.
What happens if an approval times out?
With timeoutBehavior: reject, the action is automatically rejected and logged as a timeout event. The agent falls back to its configured rejection behavior — typically informing the user. Configure notifyOnTimeout: true to alert the reviewer they missed a request. Default timeout is 300 seconds (5 minutes).
Can I set different approval rules for different risk levels?
Yes. The approvalPolicy block in gateway.yaml supports low, medium, and high risk tiers. Each tier can have different rules: auto-approve, business-hours-only approval, always require approval, and escalation chains. Assign skills to tiers with approvalRiskLevel in your skill config.
Does enabling exec approvals slow down the agent?
Only for actions that require approval — and only until the reviewer responds. Actions without approval requirements execute at normal speed. Use risk tiers to limit required-approval actions to genuinely risky operations. Approvals on routine tasks create reviewer fatigue and throughput bottlenecks that break the automation model.