How do I require human approval before an AI agent runs an action?

Call Cosignet from your agent (via its MCP server or REST API) before the high-risk step. Cosignet pauses, sends a person an approval request showing the exact action, and only returns an approved decision after they confirm with a passkey. Your agent proceeds only on an explicit approved status, so a timeout or denial fails closed.

Can I add an approval step before a production deploy, fund transfer, or data deletion?

Yes. Cosignet is built for exactly these high-risk actions — production deploys, fund transfers, data deletion, and admin commands. The approver sees a field-by-field breakdown of the exact action and signs it with a passkey before it executes.

Does Cosignet work with MCP and REST APIs?

Yes. Cosignet ships an MCP server for AI agents and a REST API for scripts, CI/CD, and backend workflows, plus webhooks and an SDK. Both long-poll for the human decision so clients behind NAT or a firewall still get the result.

How is a Cosignet approval verifiable and tamper-evident?

Each approval is a passkey signature bound to the exact action, recorded in a public, append-only transparency log. Anyone can independently verify the inclusion proof, the passkey signature, and the signed tree head in the browser — the audit trail does not depend on trusting Cosignet. The log withholds the payload by default; a customer can optionally publish an individual approval's full action, payload, and a PBKDF2 hash of the approver's verified email for public proof.

CCOSIGNET

Critical Action Control

Control critical actions before they execute.

Cosignet pauses high-risk actions — production deploys, fund transfers, data deletion, admin commands, agent-driven automation — shows the exact payload to an approver, and returns a cryptographically-bound decision before your system proceeds. Change the command, amount, recipient, or endpoint after approval and the signed decision no longer matches.

Try the live demo View demo dashboard Read the docs MCP approval gate

Free to start — no credit card. No Docker, no agent rewrite. Works behind NAT.

Built on Cloudflare
Standard WebAuthn passkeys
Every approval independently verifiable
Open-source verifiers

Approval required

Agentsupport-agent

Actionrefund_payment

Amount$4,200.00

Toacct_8821

PaymentExternal

sha-256 · 9f2c…a17b

Approve with passkeyReject

Live demo

Try a critical-action approval

Create a real approval request bound to a demo payload {"action":"demo","amount":"$0"}. Review the exact action, approve it with your device passkey, and see the signed decision returned to the system. The same routes power production.

What to gate

Actions that should not run silently

Put an explicit approval in front of the irreversible, costly, or externally-visible calls your automation, agents, and services make.

Payment Refunds, payouts, invoices, plan changes
Production Deploys, config changes, database writes
Destructive Delete or export data, drop resources, rotate secrets
External Customer emails, Slack posts, support replies
Admin API MCP tools, user deletion, permission changes, billing
Code Merge a high-risk PR, trigger a release

Who it's for

One gate, three jobs

AI app builders

Add approval gates to tool calls without building your own auth flow. One call before the risky action; continue only on a signed yes.

Security teams

Require human, attributable, passkey approval — and a signed audit trail — before agents touch production systems.

Founders

Ship agents that can actually act, without handing them unchecked authority over money, data, or infrastructure.

How it works

Three steps, one binding

Critical action → passkey approval → signed decision → audit trail

1. Your system requests approval

An MCP tool call or a single HTTP request — from your agent, script, CI/CD pipeline, or backend service — carries the exact action payload.

// MCP tool: request_human_approval
{
  "action": "Wire transfer to vendor",
  "payload": { "to": "acct_8821", "amount_usd": 4200, "memo": "INV-2025-118" },
  "approver_username": "alex"
}

curl -X POST https://cosignet.com/api/confirmations \
  -H 'content-type: application/json' \
  -H 'X-Api-Key: $COSIGNET_API_KEY' \
  --data '{"username":"alex","action":"Wire transfer to vendor",
    "payload":{"to":"acct_8821","amount_usd":4200,"memo":"INV-2025-118"}}'

2. The approver reviews the exact action

The approver opens the link and sees a clear, field-by-field breakdown of the exact action — not raw code — then signs it with a passkey. User verification is required. Every field of the signed payload is shown, and the raw payload plus its SHA-256 are one tap away for verification.
```
Action:      Wire transfer to vendor
To:          acct_8821
Amount Usd:  4200
Memo:        INV-2025-118
sha-256:     9f2c…a17b   ← the exact data being signed
```
Challenge = nonce ‖ SHA-256(payload). What the approver saw is what got signed.
3. Cosignet returns a signed decision

The status flips to approved with the raw WebAuthn assertion stored as proof. The assertion is bound to the challenge, so it cannot be replayed against a different payload.
```
GET /api/confirmations/{id}
{
  "status": "approved",
  "payloadHash": "9f2c…a17b",
  "credentialId": "…",
  "rawAssertion": { "response": { "clientDataJSON": "…", "signature": "…" } }
}
```

Why not just ask in Slack?

A confirmation says “yes”. Cosignet signs what was approved.

A Slack button, a confirmation modal, or a workflow tool records that someone clicked — there's no cryptographic proof a specific human approved a specific operation, and prompt injection can talk an agent past a soft "yes". None of them bind that click to the exact action: if the agent changes the recipient, amount, endpoint, or command after the click, nothing breaks.

Cosignet's signature covers nonce ‖ SHA-256(payload). Change any field after approval and the signed decision no longer matches — so the approval is evidence about a specific operation, not just UI reassurance. It complements IAM and audit logs; it does not replace them.

Integration in a minute

Gate critical actions in minutes

Call Cosignet before any privileged, irreversible, or high-risk operation — from an AI agent, CLI script, CI/CD pipeline, backend service, or admin tool. No inbound webhooks, open ports, or public IP: your code polls out over its existing connection, so it works from local CLI tools and locked-down VPCs behind NAT and firewalls.

# Add the remote MCP server to Claude Code
claude mcp add --transport http cosignet https://cosignet.com/mcp \
  --header "X-Api-Key: $COSIGNET_API_KEY"

# Your agent, script, or service calls the tool before a critical action:
#   request_human_approval(action, payload, approver_username)
# and reads back approved / rejected / expired / pending.

id=$(curl -s -X POST https://cosignet.com/api/confirmations \
  -H 'content-type: application/json' -H "X-Api-Key: $COSIGNET_API_KEY" \
  --data '{"username":"alex","action":"Deploy to production",
    "payload":{"service":"api","sha":"abc123"}}' | jq -r .id)

curl -s https://cosignet.com/api/confirmations/$id -H "X-Api-Key: $COSIGNET_API_KEY"

A typed SDK and integration examples live at gitlab.com/cosignet/sdk. Or call the REST API directly — two calls:

const base = "https://cosignet.com";
const headers = { "content-type": "application/json", "X-Api-Key": process.env.COSIGNET_API_KEY! };

const { id, url } = await fetch(`${base}/api/confirmations`, {
  method: "POST", headers,
  body: JSON.stringify({
    username: "alex",
    action: "Deploy to production",
    payload: { service: "api", sha: "abc123" },
  }),
}).then((r) => r.json());

// Poll until the approver signs it.
const status = await fetch(`${base}/api/confirmations/${id}`, { headers }).then((r) => r.json());

Security & honesty

What it guarantees, and what it does not

Cosignet is not an executor or policy engine; it is an approval and evidence layer for critical actions.

Guarantees

Keys never leave the approver's device. The passkey private key is generated and stored in the device's secure hardware (Secure Enclave / TPM). Cosignet never receives or stores it.
Biometric user verification (UV) is required for every approval.
Phishing resistance from WebAuthn where the RP ID and origin are enforced by the browser.
Payload binding: the challenge is nonce ‖ SHA-256(payload), so the signature covers the exact action. The approval page re-hashes the displayed data in your browser and shows a Display verified badge when it matches — proof the card was not spoofed.
Audit trail: the raw assertion is stored as proof a specific credential approved a specific payload.

Non-guarantees

No hardware device attestation for synced passkeys — a synced credential may exist on more than one device.
Cosignet does store the action payload — it has to, to show the approver exactly what they are signing and to compute the binding. Keep secrets out of the payload; pass references (IDs) instead of raw sensitive data. We are not a hash-only relay.
Cosignet binds the approval to the action; it does not execute the action or guarantee your system runs only what was approved.
No absolute security guarantees are made. The signature cannot be forged without the user's device, and the action cannot be swapped after approval without breaking the binding.

Public transparency log: every approval is committed to an append-only, independently verifiable log — check any approval yourself on the verify page, with tree heads anchored into Bitcoin (OpenTimestamps). The log withholds the payload by default; you can optionally publish an approval's full action, payload, and a hash of the approver's verified email for public proof — off unless you turn it on. See the security page for details.

Pricing

Pricing for Critical Action Control

Start free. Upgrade when Cosignet protects real production workflows.

Every plan includes the full core — MCP & REST API, signature-verified webhooks, outbound polling (works behind NAT), payload-bound approvals, and the passkey audit trail with a publicly verifiable transparency log. Approvers are always unlimited — you never pay per person who signs.

Free

$0/month

For testing, prototypes, and a first integration.

1 project · 2 members
Unlimited approvers
500 approvals / month
7-day audit history
MCP, REST & webhooks
Community support · no credit card

Request access

Recommended

Team

$49/month

For small teams protecting real workflows.

5 projects
5 members included, then +$9/member
Unlimited approvers
5,000 approvals / mo, then +$8 per 1,000
90-day audit history
Approval policies (roles, simple rules)
Webhook examples (GitHub / CI) · email support

Request access

Business

$249/month

For production controls and audit requirements.

20 projects
20 members included, then +$9/member
Unlimited approvers
50,000 approvals / mo, then +$5 per 1,000
1-year audit history
Audit-log export
SSO (OIDC / SAML) · coming
Advanced policies: quorum, timeout escalation · coming
Custom domain & branded approval page · coming
Priority support

Request access

Enterprise

Custom

For regulated teams and procurement.

Custom projects, members & volume
Device-bound credentials (non-syncable passkeys); attestation on roadmap
Single-tenant deployment on request
Custom retention & data residency
DPA & security questionnaire; custom SLA on request
SOC 2 / ISO 27001 on roadmap
Procurement & dedicated support

No credit card for Free. No Docker. No agent rewrite.
Approval volume is not the value — control, auditability, and preventing expensive mistakes are.
Signed decisions are bound to the exact action payload.
Protect deploys, deletes, exports, payments, secrets, and admin operations.

Need higher limits or device-bound credentials? Contact us.

Control critical actions before they execute.

Try a critical-action approval

Actions that should not run silently

One gate, three jobs

AI app builders

Security teams

Founders

Three steps, one binding

1. Your system requests approval

2. The approver reviews the exact action

3. Cosignet returns a signed decision

A confirmation says “yes”. Cosignet signs what was approved.

Gate critical actions in minutes

What it guarantees, and what it does not

Guarantees

Non-guarantees

Pricing for Critical Action Control

Free

Team

Business

Enterprise