Blog · Comparison
Slack approval buttons vs payload-bound approvals
Posting an Approve / Reject button to Slack is the most common way teams add a human step to an automation. It’s a fine notification. As the security gate on an AI-agent action, it has a specific gap: the click isn’t bound to what actually runs.
What a Slack button actually proves
A Slack approval flow proves that a person (or whoever holds that Slack account) clicked a button at a point in time. That’s genuinely useful for routine notifications. But for a high-risk action it leaves three things open:
- No binding to the action. The click isn’t tied to the exact recipient, amount, endpoint, or command. If the agent changes the arguments between the click and the call, nothing detects it.
- Weak proof of who. A Slack click is an app event on a chat account, not a cryptographic signature from a verified device. It’s hard to use later as strong evidence.
- Prompt-injection surface. The summary the approver reads is composed by the same agent that may have ingested an injected instruction, and nothing ties that summary to the call the agent then makes. A soft “Are you sure?” over an agent-written description is easy for an injected instruction to reframe.
What payload-bound approval adds
Cosignet keeps the human step but changes what the human signs. The approver confirms with a device passkey, and the WebAuthn signature covers a challenge built from the action itself:
challenge = nonce ‖ SHA-256(payload)
Now the approval is inseparable from the operation: change any field afterward and the challenge the verifier recomputes from the payload no longer matches the one the signature covers, so the verifier refuses the action. The result is evidence about one specific action, signed by a private key held on the approver’s device (a device-bound passkey never exports it; a synced passkey is replicated across that user’s devices by the platform’s credential manager), with biometric or PIN user verification required and confirmed from the UV flag in the signed authenticator data.
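As an added example (not Cosignet’s code and not from the original page), here is the check an executor runs on a payload-bound approval, written in Go with only the standard library. To run offline it simulates the passkey side of the WebAuthn assertion; the relying-party ID, origin, sample payload, the one-line altered payload and the simulateAuthenticator stand-in are assumptions for illustration. It shows a genuine approval verifying, the same assertion failing once the agent rewrites one field after the click, and an assertion made without user verification being refused.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample action: hash the exact bytes the executor will run.
const samplePayload = `{"action":"transfer","to":"acct-9137","amount":"2500.00","currency":"USD"}`

const rpID, origin = "approvals.example", "https://approvals.example" // hypothetical relying party
const flagUP, flagUV = 0x01, 0x04                                     // authenticator-data flags: user present, user verified

// Challenge is the page's construction: nonce ‖ SHA-256(payload).
func Challenge(nonce, payload []byte) []byte {
	h := sha256.Sum256(payload)
	return append(append([]byte{}, nonce...), h[:]...)
}

// Assertion is what comes back from the authenticator: AuthData is rpIdHash(32) ‖ flags(1) ‖ signCount(4), Signature is ES256 DER.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// signedMessage is what a WebAuthn authenticator signs: SHA-256(authData ‖ SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// simulateAuthenticator stands in for the passkey on the approver's device (assumption for the demo; a real one lives in a platform or security key).
func simulateAuthenticator(priv *ecdsa.PrivateKey, challenge []byte, flags byte) Assertion {
	cd := map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin}
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		panic(err)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 1) // rpIdHash ‖ flags ‖ signCount=1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}
}

// VerifyApproval is the check run immediately before the action executes: it rebuilds the
// challenge from the payload about to run and the nonce issued for this approval, then checks the passkey signature.
func VerifyApproval(pub *ecdsa.PublicKey, nonce, payload []byte, a Assertion) error {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("malformed clientDataJSON")
	case cd["type"] != "webauthn.get" || cd["origin"] != origin:
		return errors.New("unexpected clientData type or origin")
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(Challenge(nonce, payload)):
		return errors.New("challenge mismatch: payload differs from what was approved") // the binding step
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]):
		return errors.New("authenticator data is not for this relying party")
	case a.AuthData[32]&flagUP == 0 || a.AuthData[32]&flagUV == 0:
		return errors.New("user verification (biometric or PIN) not asserted")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("passkey signature invalid")
	}
	return nil
}

// Demo returns the verifier's verdict (nil means accepted) for a genuine approval, for the same
// assertion replayed against a payload the agent altered after the click, and for an approval without UV.
func Demo() (genuine, drifted, noUV error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 32) // fresh per approval request; the executor must also reject reuse
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	payload := []byte(samplePayload)
	a := simulateAuthenticator(priv, Challenge(nonce, payload), flagUP|flagUV)
	genuine = VerifyApproval(&priv.PublicKey, nonce, payload, a)
	altered := bytes.Replace(payload, []byte("acct-9137"), []byte("acct-6660"), 1)
	drifted = VerifyApproval(&priv.PublicKey, nonce, altered, a)
	b := simulateAuthenticator(priv, Challenge(nonce, payload), flagUP)
	noUV = VerifyApproval(&priv.PublicKey, nonce, payload, b)
	return genuine, drifted, noUV
}

func main() {
	fmt.Println(Demo())
}
```

Two things the demo makes visible that the formula alone does not. First, the hash only binds what you hash: the bytes passed to Challenge must be the same canonical serialisation the executor later acts on, otherwise a harmless re-serialisation looks like drift and, worse, a semantic change hidden by a different serialisation can slip through. Second, the ordering matters: the challenge is recomputed from the payload at execution time and compared before the signature is checked, so a valid signature over a stale payload is useless to the agent. A production relying party would use a WebAuthn library for the pieces left out here (CBOR attestation parsing, sign-count tracking, credential lookup) and would store each nonce as single-use.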
Side by side
| Property | Slack Approve button | Cosignet (payload-bound) |
|---|---|---|
| Bound to the exact action | No — records a click | Yes — signature over nonce ‖ SHA-256(payload) |
| Proof of approver | Slack app event | WebAuthn passkey (device-held key, user verification) |
| Resists post-approval drift | No | Yes — altered payload breaks the signature |
| Independently verifiable audit trail | No | Yes — public RFC-6962 transparency log + open verifiers |
| Works behind NAT / firewall | Needs Slack connectivity | Yes — long-poll over your outbound connection |
| Notification UX | Native in Slack | Telegram or email link (Slack not required) |
When a Slack button is fine
Honesty matters: if the action is low-risk, easily reversible, and you only need a heads-up plus a quick ack, a Slack button is the right amount of friction. Reach for payload-bound approval when the action is irreversible (deploys, fund transfers, data deletion, secret rotation, admin commands), when you need an audit trail that holds up later, or when an AI agent — not a fixed script — is choosing the arguments.
Cosignet is an approval and evidence layer, not an executor or policy engine: it doesn’t run the action or replace your existing controls. It makes the human decision real. For the broader picture, see human-in-the-loop for AI agents.