Configure a webhook URL per organization in the Settings page. oakallow sends two types of events:
- approval.created fires when your agent creates an approval request. The payload includes the tool name, parameters, reason, approval ID, and expiration time.
- approval.decided fires when a human approves or denies the request. The payload includes the decision, who decided, and any notes.
Payloads are signed with HMAC-SHA256 using your organization's webhook secret. Verify the X-Oakallow-Signature header to confirm the request is from oakallow.
Webhooks are fire-and-forget from oakallow's side. If your endpoint is unreachable, the approval still exists and can be polled via GET /v1/approvals/:id as a fallback.