Skip to content
← Blog
Guides

Email-Based Approval Workflows: One-Click Approve from Your Inbox

Approval gates no longer require logging into the console. Designated approvers can now approve or reject workflow steps directly from email with cryptographically signed one-click action buttons.

JT
JieGou Team · · 5 min read

Approval steps are one of the most important governance controls in AI automation. They ensure that a human reviews critical outputs before they reach customers, get published, or trigger financial transactions. But there has always been a friction problem: the approver has to log into the console, navigate to the approval queue, review the context, and click approve or reject. For busy managers and executives who live in their email, that context switch is a workflow killer.

We built email-based approvals to eliminate that friction entirely.

How It Works

When a workflow hits an approval step configured with email delivery, the following sequence executes automatically:

  1. Workflow pauses — The execution engine parks the workflow in a “waiting for approval” state, just like console-based approvals.
  2. Context email sent — An email is dispatched to the designated approver containing a summary of the workflow context: what triggered it, what the previous steps produced, and what will happen next depending on the decision.
  3. One-click action buttons — The email includes prominent Approve and Reject buttons. Each button contains a unique, signed action URL.
  4. Decision captured — When the approver clicks a button, the action URL resolves to a lightweight API endpoint that validates the token and records the decision.
  5. Workflow resumes — The execution engine picks up the workflow from exactly where it paused, with the approval decision and approver metadata available to subsequent steps.

The entire flow takes seconds from the approver’s perspective. Open email, review context, click a button. No login required.

Security Design

Email-based approvals must be at least as secure as console-based approvals. Here is how the token system works:

HMAC-signed tokens — Each action URL contains a token signed with HMAC-SHA256 using a server-side secret. The token encodes the workflow execution ID, the approval step ID, the action (approve or reject), and an expiration timestamp. Tampering with any field invalidates the signature.

Configurable expiry — Tokens expire after a configurable period, defaulting to 72 hours. After expiry, clicking the button returns a clear error message directing the approver to the console. This prevents stale approvals from executing weeks later.

Single-use enforcement — Each token can only be used once. After the first click, the token is marked as consumed. Subsequent clicks on the same button (or the opposite button) return a “decision already recorded” message. This prevents replay attacks and double-submissions.

Lightweight validation endpoint — The action URL resolves to a dedicated API endpoint that validates the HMAC signature, checks token expiry, verifies single-use status, records the decision, and resumes the workflow. No session or authentication cookie is required because the signed token itself is the credential.

Configuring Email Approvals in the Workflow Editor

Workflow creators configure email-based approvals using the same ApprovalStepEditor UI they already know. The only new option is the delivery method selector:

  • Console only (default) — Approval appears in the console approval queue. Approver must log in.
  • Email notification — Approval email sent to the designated approver with one-click action buttons. The approval also appears in the console queue as a fallback.
  • Both — Email notification plus console queue entry. Useful during the transition period as teams adopt email approvals.

The approver’s email address is pulled automatically from their RBAC user profile. If the designated approver role maps to multiple users, each receives the email, and the first to act captures the decision.

Audit Trail and Compliance

Every email-based approval generates the same audit record as a console-based approval, plus additional metadata specific to the email channel:

  • Timestamp of the approval or rejection
  • Approver email address that performed the action
  • Action taken (approve or reject)
  • IP address of the client that clicked the action URL
  • User agent of the client
  • Token expiry and time remaining at the moment of action
  • Workflow context snapshot at the time of the approval step

This audit trail satisfies the same compliance requirements as console-based approvals. For organizations subject to SOC 2, HIPAA, or SOX, the email-based approval log provides equivalent evidence of human review and authorization.

Use Cases

Email-based approvals unlock governance for teams that were previously avoiding approval steps because of the login friction:

Content publishing pipelines — An editor drafts a blog post using an AI recipe. The workflow generates the post, then hits an approval step. The marketing manager receives the email on their phone, reads the summary, and taps Approve between meetings. The workflow continues to generate social media posts and newsletter content from the approved draft.

Financial transaction workflows — An analyst prepares an invoice batch using an automation workflow. The CFO receives the approval email with a summary of the batch total, line item count, and vendor breakdown. One tap to approve, and the batch moves to the payment system.

Deployment gates — An engineer submits a configuration change through an automated deployment workflow. The DevOps lead receives the approval email with the diff summary and environment target. Approve from Slack’s email integration or directly from their inbox.

Getting Started

Email-based approvals are available on all plans. Open any workflow with an approval step, select “Email notification” as the delivery method, and run the workflow. The designated approver will receive the email within seconds of the workflow reaching the approval gate.

For teams already using approval steps, enabling email delivery is a one-click configuration change per step. No workflow restructuring required.

approvals workflows email automation governance

Explore more

⚙️ Approval Gates 📖 What are AI Workflows? 📖 What is AI Automation? 📖 What is AI Governance?
Share this article

Related articles

AI for Professional Services: 5 Workflows That Save 20 Hours/Week

Discover five AI-powered workflows that help consulting firms, law firms, and accounting practices reclaim 20 hours per week — from client intake to deliverable review.

Workflow of the Week: Automated Client Onboarding

Build an automated client onboarding workflow in JieGou that saves 2+ hours per new client — from welcome email to task creation to Slack notification.

Beyond Cron and Webhooks: Four Event-Driven Triggers for Reactive AI Automation

JieGou adds four event-driven trigger types — run completion chaining, connector data changes, email received, Slack messages, and browser events — to complement existing cron and webhook triggers for fully reactive automation.

Enjoyed this post?

Get workflow tips, product updates, and automation guides in your inbox.

No spam. Unsubscribe anytime.

← Back to all posts