Tool Execution and Approvals

When agents interact with your connected services, they use tools to read data and take actions. This page explains how tool execution works and how you control what agents can do through permissions and approvals.

What are Tool Calls?

Tools are the actions agents can perform in your connected services. Each tool represents a specific operation, such as:

  • Read operations: Get tasks, list projects, search contacts, view records
  • Create operations: Create task, add contact, post message
  • Update operations: Update status, change assignee, modify due date
  • Delete operations: Remove task, delete record, archive item

    • When you ask an agent to do something, it identifies which tools are needed and executes them to fulfill your request. For example, if you ask "Create a task in Asana called 'Review proposal' due Friday," the agent uses the "Create Task" tool with the appropriate parameters.

    Each connection comes with its own set of tools based on what the external service supports. The more connections you add, the more tools your agents can access.

    Permission Levels

    Every tool has a permission level that determines how the agent can use it. You configure these permissions per tool, per connection.

    Allowed

    The agent executes the tool automatically without asking for confirmation. Use this for:

  • Read-only operations that do not modify data
  • Low-risk actions you trust completely
  • Frequent operations where approval would slow you down
    • Example: Reading tasks, listing projects, searching contacts

    Requires Approval

    The agent proposes the action and waits for your explicit approval before executing. Use this for:

  • Operations that modify existing data
  • Actions with meaningful consequences
  • Tools you want visibility into before they run
    • Example: Updating task status, changing assignments, modifying records

    Denied

    The agent cannot use this tool under any circumstances. Use this for:

  • Destructive operations like deletion
  • Sensitive actions you never want automated
  • Tools that could cause irreversible changes
    • Example: Deleting tasks, removing contacts, archiving projects

    The Approval Workflow

    When an agent needs to use a tool that requires approval, the execution pauses and prompts you for confirmation.

    Step 1: Agent Proposes an Action

    The agent determines which tool to use and prepares the action. Instead of executing immediately, it presents the proposed action to you in the chat.

    Step 2: Review the Proposal

    You see exactly what the agent wants to do, including:

  • The name of the tool (e.g., "Update Task")
  • The target connection (e.g., "Asana - Marketing Workspace")
  • The specific parameters (e.g., task name, new status, assignee)

    • This transparency lets you verify the action is correct before it runs.

    Step 3: Approve or Deny

    You make a decision:

  • Approve: The agent executes the action and continues with the conversation
  • Deny: The agent does not execute the action and acknowledges your decision

    • The agent waits for your response and does not proceed until you choose.

    Step 4: Agent Continues

    After your decision, the agent either:

  • Confirms the action was completed (if approved)
  • Acknowledges the denial and offers alternatives or stops

    • The conversation continues normally from there.

    Approving or Denying Actions

    When the agent requests approval, you interact with the approval prompt in the chat interface.

    What You See

    The approval prompt displays:

  • Tool name: The specific action being proposed
  • Connection: Which connected service will be affected
  • Parameters: The details of what will be created, updated, or modified
  • Approve button: Click to allow the action
  • Deny button: Click to reject the action

    • How to Approve

  • Review the proposed action details
  • Verify the parameters are correct
  • Click the Approve button
  • The agent executes the action and reports the result

    • How to Deny

  • Review the proposed action
  • If something is wrong or you do not want to proceed, click Deny
  • The agent acknowledges the denial and does not execute the action

    • Adding Notes

    When approving or denying, you can add a note to provide context:

  • When approving: Notes are stored with the execution record for audit purposes
  • When denying: Notes help the agent understand why and potentially suggest alternatives

    • To add a note, type in the note field before clicking Approve or Deny. Notes are optional but useful for record-keeping and clarification.

    Configuring Permissions

    You set tool permissions in the connection settings. This gives you granular control over each tool in each connection.

    Where to Set Permissions

  • Navigate to the Connections page
  • Click on the connection you want to configure
  • Go to the Permissions tab
  • Find the tool you want to modify
  • Select the permission level: Allowed, Requires Approval, or Denied
  • Click Save

    • Changes take effect immediately for all agents using that connection.

    Best Practices

    Allow read operations

    Reading data does not change anything, so it is generally safe to allow. This lets agents answer questions quickly without interruption.

    List Tasks       -> Allowed
Get Project      -> Allowed
Search Contacts  -> Allowed
    Require approval for write operations

    Creating and updating data has consequences. Requiring approval gives you oversight without blocking functionality entirely.

    Create Task      -> Requires Approval
Update Task      -> Requires Approval
Add Comment      -> Requires Approval
    Deny destructive operations

    Deletion and other irreversible actions should typically be denied. If you need to delete something, do it manually in the original service.

    Delete Task      -> Denied
Remove Project   -> Denied
Archive Workspace -> Denied

    Adjusting Over Time

    Start with stricter permissions and relax them as you build trust:

  • Begin with most write operations requiring approval
  • Track which approvals you always grant without hesitation
  • Consider moving those tools to Allowed
  • Keep destructive operations Denied unless you have a specific need

    • Viewing Tool History

    All tool executions are logged, giving you a complete record of what agents have done.

    Where to Find Tool History

  • Open a conversation thread
  • Look for tool execution entries in the chat history
  • Each entry shows the tool name, result, and timestamp

    • What the History Shows

    For each tool execution, you can see:

  • Tool name: Which action was performed
  • Connection: Which service was used
  • Parameters: What data was sent
  • Result: Success or failure, plus any response data
  • Timestamp: When the action occurred
  • Approval status: Whether approval was required and granted

    • Using History for Auditing

    The tool history serves as an audit trail for your team:

  • Review what actions agents have taken
  • Verify that approvals were handled correctly
  • Investigate issues by examining past executions
  • Track patterns in tool usage across conversations

    • Next Steps

  • Chatting with Agents - Learn how to interact with agents effectively
  • Connections Overview - Add and configure connections
  • Knowledge Base - Understand how agents learn from your data