The approval gate for AI agents.
Permission Slip sits between your agent and the world. Structured actions — send an email, merge a PR, charge a card, run a query — stop at a human or a rules engine before they ship. Credentials stay on your server. The agent never sees a token.
# agent submits a structured action
POST /api/v1/actions → connector=gmail action=send
# permission slip routes it
→ auto-approve rule? no
→ 📱 push to your phone
# you decide
✓ approve → executes via Gmail OAuth on the server
agent receives the result. it never sees the token.
How it works
A single Go binary with the React UI embedded. SQLite for storage. OAuth credentials stay on your machine and are swapped in at the wire.
Agent submits an action
Your agent POSTs a schema-validated action to Permission Slip's API — connector, verb, parameters. No raw HTTP, no shell, no tokens.
Permission Slip routes it
Auto-approve rules can let routine actions through (scoped by parameter, time window, or count). Anything else fans out to a push notification.
You approve, the server executes
Tap approve on your phone. Permission Slip calls the upstream API with the OAuth token it stores on your server. The agent gets the result.
Features
Credentials never touch the agent
OAuth tokens and API keys are stored encrypted on your server. The agent submits an action; Permission Slip calls the upstream API. A compromised agent can't leak keys it never held.
Structured actions, not raw API calls
Each connector defines verbs and a schema. The agent submits typed parameters — not arbitrary HTTP, not shell. Rules and approvals match on those fields directly.
Auto-approve rules
Let routine actions through automatically — scoped by parameter value, time window, or request count. Everything else routes to a human.
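The routing step under "How it works" and the auto-approve rules described here, as an added sketch (not Permission Slip's own code). The `Action` and `Rule` types, their field names and the exact-match parameter policy are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

type Action struct { // structured request; this shape is assumed for the example
	Connector, Verb string
	Params          map[string]string
}

type Rule struct { // hypothetical auto-approve rule
	Action                 // connector, verb and the exact parameter values to match
	FromHour, ToHour int   // allowed window [FromHour, ToHour), UTC
	MaxCount, used   int   // approvals the rule may grant / has granted
}

// Decide reports whether a rule lets the action through; anything unmatched goes to a human.
func Decide(rules []*Rule, a Action, now time.Time) (bool, string) {
	h := now.UTC().Hour()
	for i, r := range rules {
		switch {
		case r.Connector != a.Connector || r.Verb != a.Verb: // other connector or verb
		case h < r.FromHour || h >= r.ToHour: // outside the time window
		case r.used >= r.MaxCount: // request count exhausted
		case !sameParams(r.Params, a.Params): // parameter scope not met
		default:
			r.used++
			return true, fmt.Sprintf("rule %d (%d/%d used)", i, r.used, r.MaxCount)
		}
	}
	return false, "no rule matched: route to human"
}

// sameParams fails closed: a missing, changed or extra parameter (an added bcc, say) is no match.
func sameParams(want, got map[string]string) bool {
	n := 0
	for k, v := range want {
		if g, ok := got[k]; ok && g == v {
			n++
		}
	}
	return n == len(want) && n == len(got)
}

func main() {
	r := []*Rule{{Action{"gmail", "send", map[string]string{"to": "team@example.com"}}, 9, 17, 2, 0}}
	fmt.Println(Decide(r, r[0].Action, time.Date(2024, 1, 8, 12, 0, 0, 0, time.UTC))) // constructed input
}
```

Matching on the full parameter set means a rule written for one recipient does not silently cover the same call with extra fields attached.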
Push notifications
iOS and Android apps deliver approval requests over APNs/FCM via Expo's push service. Approve or deny from the lock screen.
Ed25519-signed audit log
Every request, decision, and execution is recorded with a timestamp and a cryptographic signature. Tamper-evident, exportable.
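A sketch of what makes a signed log tamper-evident, added here as an example and not taken from Permission Slip's code. The record layout and message encoding are assumptions, and the example goes one step beyond the per-record signature described above by linking each entry to the previous signature, so a removed or reordered record is detected as well as an edited one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Entry struct { // one audit record; the field layout is assumed for this example
	Unix  int64    // timestamp, seconds since epoch
	Event string   // e.g. "decision approve"
	Prev  [32]byte // SHA-256 of the previous entry's signature; zero for the first entry
	Sig   []byte   // Ed25519 signature over message()
}

func (e Entry) message() []byte { // the exact bytes that get signed
	return []byte(fmt.Sprintf("%x|%d|%s", e.Prev, e.Unix, e.Event))
}

// Append signs a new entry and links it to the current tail of the log.
func Append(log []Entry, key ed25519.PrivateKey, unix int64, event string) []Entry {
	e := Entry{Unix: unix, Event: event}
	if n := len(log); n > 0 {
		e.Prev = sha256.Sum256(log[n-1].Sig)
	}
	e.Sig = ed25519.Sign(key, e.message())
	return append(log, e)
}

// Verify walks the chain and names the first entry that was edited, removed or reordered.
func Verify(log []Entry, pub ed25519.PublicKey) error {
	var prev [32]byte
	for i, e := range log {
		if e.Prev != prev || !ed25519.Verify(pub, e.message(), e.Sig) {
			return fmt.Errorf("entry %d: broken link or bad signature", i)
		}
		prev = sha256.Sum256(e.Sig)
	}
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	log := Append(nil, key, 1700000000, "request gmail.send") // constructed events
	log = Append(log, key, 1700000005, "decision approve")
	log = Append(log, key, 1700000006, "execution ok")
	fmt.Println(Verify(log, pub))
	log[1].Event = "decision deny" // edit a record after the fact
	fmt.Println(Verify(log, pub))
}
```

A chain like this does not reveal entries cut from the end of the log; catching that needs the latest signature or an entry count kept somewhere the log's writer cannot rewrite.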
One binary, SQLite, your box
A single Go binary with the React frontend embedded. Runs on a Raspberry Pi, a VM, anything Linux. Apache 2.0.
Self-host on your tailnet
Runs anywhere Linux runs — a Raspberry Pi 5 in a drawer, a home server, a VM, a VPS. Pairs with Tailscale for private HTTPS: no port forwarding, no DNS, no manual TLS. Reachable only from devices on your tailnet.
Architecture
your devices (laptop, phone, agent host)
       │
       │ https://permissions.<tailnet>.ts.net
       ▼
┌──────────────────────────────────┐
│            Tailscale             │
│  WireGuard mesh + Let's Encrypt  │
│    not on the public internet    │
└──────┬───────────────────────────┘
       │ tailscale serve → :8080
       ▼
┌──────────────────────────────────┐
│   Permission Slip (Go binary)    │
│     API + embedded React UI      │
│            ┌────────┐            │
│            │ SQLite │            │
│            └────────┘            │
└──────────────────────────────────┘
Five-minute setup
# 1. build the binary
git clone https://github.com/supersuit-tech/permission-slip
cd permission-slip && make build
# 2. join your tailnet
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --hostname=permissions
# 3. serve over HTTPS
sudo tailscale serve --bg --https=443 8080
# 4. start permission slip
./bin/server
# reachable at https://permissions.<tailnet>.ts.net
# only from devices on your tailnet
Raspberry Pi friendly
Cross-compile with GOOS=linux GOARCH=arm64, copy the binary to a Pi 5, run it on idle silicon for the cost of a coffee a year.
Free Let's Encrypt TLS
tailscale serve issues and renews certs for your ts.net hostname. Nothing to manage.
Works for headless agents
Cloud VMs and CI runners join the tailnet with a single auth key and hit Permission Slip like any HTTPS endpoint.
Cloudflare Tunnel, a reverse proxy on a real domain, or a plain LAN deployment all work too — see the deployment guide.
Connectors
Each connector defines the verbs an agent can submit, the schema for each verb, and the OAuth or API-key flow used to execute it on your behalf.
Airtable
Bases, records, and automations your agent can propose changes for.
Amadeus
Travel distribution APIs for search, booking, and itinerary workflows.
Asana
Tasks, projects, and updates with approvals before anything ships.
AWS
Cloud APIs across compute, storage, messaging, and the rest of the stack.
Calendly
Scheduling links and availability without exposing calendar details.
Confluence
Spaces and pages — create or update documentation with human sign-off.
Datadog
Metrics, monitors, and incidents so agents can investigate safely.
Discord
Messages and webhooks for team alerts and bot-driven workflows.
DocuSign
Send and track agreements; execution only after approval.
DoorDash
Delivery and marketplace actions scoped to your merchant account.
Dropbox
Files and shared folders with vault-backed credentials.
Expedia
Travel inventory and booking flows through partner APIs.
Figma
Design files, comments, and exports your team controls.
GitHub
Issues, pull requests, and repo automation with PATs in the vault.
Google
Workspace, Cloud, and OAuth-backed Google APIs per your setup.
HubSpot
CRM contacts, deals, and marketing actions with clear guardrails.
Intercom
Conversations and support workflows triggered by agents.
Jira
Issues, sprints, and transitions — ideal for engineering approvals.
Kroger
Retail and loyalty integrations where your keys stay in the vault.
Linear
Issues and projects for product and engineering teams.
Profile and company APIs for recruiting and social workflows.
Make
Scenario-style automation hooks for multi-step agent playbooks.
Meta
Graph and marketing APIs across Meta’s family of apps.
Microsoft
Microsoft 365, Azure, and Graph — scoped to your tenant.
Monday.com
Boards, items, and updates with approval before writes land.
MongoDB
Atlas and data APIs with credentials never shown to the model.
MySQL
Relational queries and migrations behind your stored connection.
Netlify
Deploys, DNS, and serverless hooks for your sites.
Notion
Pages, databases, and comments synced with human review.
PagerDuty
Incidents, on-call, and escalation policies agents can trigger.
Plaid
Financial account linking and data with strict compliance posture.
PostgreSQL
SQL access and admin tasks using secrets from the credential vault.
QuickBooks
Invoices, payments, and accounting reads/writes you approve first.
Redis
Cache and data structure operations against your Redis deployment.
Salesforce
CRM objects, flows, and Apex-adjacent operations on your org.
SendGrid
Transactional and marketing email with templates you control.
Shopify
Storefront, orders, and inventory changes via the Admin API.
Slack
Channels, messages, and slash-style workflows for your workspace.
Square
Payments, catalog, and POS-adjacent APIs for commerce teams.
Stripe
Charges, customers, and billing — always behind explicit approval.
Supabase
Postgres, auth, and edge functions as a managed backend surface.
Trello
Cards, lists, and boards for lightweight project tracking.
Twilio
SMS, voice, and messaging with rate and content rules you set.
Vercel
Deployments, env vars, and project settings for your frontend stack.
Walmart
Marketplace and retail partner APIs scoped to your seller account.
X
Posts, media, and social graph actions via the X API.
Zapier
Zaps and app connections as a bridge for thousands of tools.
Zendesk
Tickets, macros, and help center updates for support teams.
Zoom
Meetings, webinars, and recordings orchestrated with your account.
Logos are trademarks of their respective owners. See the connectors overview for how connectors work and how to write your own.
Open source
Apache 2.0. Single Go binary, embedded React UI, SQLite. Run it on your own box, write your own connectors, send a PR.