Governance
Pause an agent and take over.
Pause, rotate, or revoke a token, then hand the conversation back to a human.
Token first
Make sure the agent has these scopes.
Create a new token or update the agent's current token before trying the calls below.
Required token scopes
context:read
approvals:read
approvals:write
email:send
Outcome
What this gives you.
A person can step in without losing the trail of what the agent saw, drafted, or did.
Use when
The operational shape.
- An agent behaves unexpectedly or reaches a sensitive situation.
- A human needs to pause sends while reviewing activity.
- You need a clear audit record before deciding what happens next.
API sequence
The calls to make.
01
Restrict or pause the token
PATCH /v1/tokens/{token_id}/
Use session auth to disable sends temporarily and narrow permission scope.
Default example
Use pause when you expect to restore the same token after review.
{
  "action": "pause"
}
Rotate token
Use rotate when the current secret may be exposed but the agent should keep working.
{
  "action": "rotate"
}
02
Permanently revoke token access
DELETE /v1/tokens/{token_id}/
Use this when you need immediate removal of the token.
03
Review recent activity
GET /v1/activity/
Inspect messages, workflow executions, approvals, and file events.
04
Resolve held actions
GET /v1/approvals/
List held actions, then approve or reject a specific approval with approvals:write.
05
Send the human response
POST /v1/messages/
Continue from the same inbox with a clean audit trail.
Default example
Use this as the default shape for this step.
{
  "to": [{"email": "client@example.com"}],
  "reply_to_message_id": "msg_123",
  "text_body": "Jumping in here to confirm the next step."
}
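The five steps above as a small Python runbook, added here as an example and not the vendor's own client code. Only the methods, paths and request bodies come from this page; the host, the way session or token credentials are carried in headers, the JSON response handling and the function names are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page names no host


def containment_request(token_id, secret_exposed=False, permanent=False):
    """Steps 01/02: choose pause, rotate or revoke for the agent's token."""
    path = f"/v1/tokens/{token_id}/"
    if permanent:
        return ("DELETE", path, None)  # immediate removal of the token
    # rotate: secret may be exposed; pause: same token restored after review
    return ("PATCH", path, {"action": "rotate" if secret_exposed else "pause"})


def takeover_plan(token_id, reply=None, **decision):
    """Ordered calls: contain first, then review, then the human reply."""
    plan = [
        containment_request(token_id, **decision),
        ("GET", "/v1/activity/", None),   # step 03: what the agent saw and did
        ("GET", "/v1/approvals/", None),  # step 04: actions still held
    ]
    if reply is not None:
        plan.append(("POST", "/v1/messages/", reply))  # step 05
    return plan


def http_send(method, path, body, headers):
    """Assumed transport: JSON over HTTPS, credentials in caller's headers."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=data, method=method,
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def run_takeover(plan, headers, send=http_send):
    """Run the plan in order. An exception from send() aborts the loop, so
    the reply is never posted unless containment and review succeeded."""
    results = []
    for method, path, body in plan:
        results.append((method, path, send(method, path, body, headers)))
    return results
```

Pass a stub as `send` to dry-run a plan and inspect the ordered calls before pointing it at a real host.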
Controls
Review points.
- Revocation takes effect on the next API call.
- Approval queues keep blocked actions visible instead of letting them silently fail.