Approval endpoints

REST endpoints for listing, approving, and denying pending queries.

The approval endpoints are REST (not JSON-RPC). They are used by operators — humans or automation — to review and act on queries held by the gateway.

GET /pending (scope: approval:read)

Returns all queries currently awaiting a decision, sorted oldest-first.

Response:

{
  "pending": [
    {
      "id": "appr_4f9e2c1a",
      "agent_id": "cursor-local",
      "sql": "DROP TABLE users",
      "risk_level": "CRITICAL",
      "snapshot_id": "snap_a3f9e2c1",
      "snapshot_age_seconds": 45,
      "safety_metadata": { ... },
      "created_at": "2026-05-06T10:30:00Z"
    }
  ]
}

POST /approve/{id} (scope: approval:write)

Approves a pending query. The agent can now resubmit. Returns 200 on success, 404 if the ID is not found, and 409 if the query has already been decided.

Request: No body required.

Response:

{
  "status": "approved",
  "approval_id": "appr_4f9e2c1a",
  "decided_at": "2026-05-06T10:31:00Z"
}

POST /deny/{id} (scope: approval:write)

Denies a pending query. The query is permanently rejected. Returns 200 on success.

Response:

{
  "status": "denied",
  "approval_id": "appr_4f9e2c1a",
  "decided_at": "2026-05-06T10:31:30Z"
}
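
An added example, not code from the gateway project: operator automation that triages a GET /pending response and builds the decision requests for the endpoints above. The base URL, the Bearer-token header, the "MEDIUM" risk level, the second approval ID, the ID character set and the deny-only policy are assumptions; so is applying the 404/409 handling to /deny, since the page documents those codes only for /approve.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample shaped like the GET /pending response; "MEDIUM" and
# the second id are hypothetical values, not taken from the page.
SAMPLE_PENDING = json.loads("""{"pending": [
  {"id": "appr_4f9e2c1a", "sql": "DROP TABLE users", "risk_level": "CRITICAL"},
  {"id": "appr_00000002", "sql": "UPDATE t SET x = 1", "risk_level": "MEDIUM"}
]}""")

def triage(response, auto_deny_levels=("CRITICAL",)):
    """Split pending ids into (deny, hold), keeping oldest-first order.
    Assumed policy: automation never approves; unknown or missing
    risk levels are held for a human rather than guessed at."""
    deny, hold = [], []
    for item in response.get("pending", []):
        target = deny if item.get("risk_level") in auto_deny_levels else hold
        target.append(item["id"])
    return deny, hold

def build_decision(base_url, token, action, approval_id):
    """Build POST /approve/{id} or POST /deny/{id}; no body is sent."""
    if action not in ("approve", "deny"):
        raise ValueError("action must be 'approve' or 'deny'")
    # Assumed id format (from the sample); rejects '/', '..' and similar
    # so a malformed id cannot redirect the request to another path.
    if not re.fullmatch(r"[A-Za-z0-9_]+", approval_id):
        raise ValueError("unexpected characters in approval id")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/{action}/{approval_id}",
        method="POST",
        headers={"Authorization": f"Bearer {token}"},  # assumed auth scheme
    )

def outcome(status):
    """Map status codes to next steps. 409 means another operator decided
    first, which is not a failure for automation racing with humans."""
    return {200: "decided", 404: "unknown-id",
            409: "already-decided"}.get(status, "error")

def send(request):
    """Send a decision; HTTP error statuses become outcomes, not exceptions."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return outcome(resp.status)
    except urllib.error.HTTPError as err:
        return outcome(err.code)
```

Giving the automation a token with only the scopes it needs keeps a compromised script from doing more than its policy allows.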