Skip to main content

Overview

Agent Requests let AI agents and automated systems make changes through the Slash API with human approval. Write operations are not executed immediately — they create a pending request that must be approved before taking effect.

Setup

To use agent requests, create a read-only API key from the Slash dashboard under Settings > API Keys. When a read-only API key makes a write request, the operation is automatically deferred for approval instead of being rejected.

How It Works

  1. Your agent makes a write request to any API endpoint using a read-only API key
  2. Instead of executing, the API returns a 403 with the request ID in the x-deferred-action-id header and an approval URL in the response body
  3. An authorized user approves or rejects the request via the approval URL
  4. If approved, the original request is executed and the result is available via the API

Example

curl -X POST "https://api.slash.com/card" \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Marketing Card", "type": "virtual"}'
Response: 
HTTP/1.1 403 Forbidden
x-deferred-action-id: dfa_abc123

{"error": "Action requires approval: https://app.slash.com/home?modal=/deferred-action/dfa_abc123"}
The x-deferred-action-id header contains the request ID. The error message includes a URL where an authorized user can review and approve the request.

Checking Request Status

curl "https://api.slash.com/agent-request/dfa_abc123" \
  -H "X-API-Key: $API_KEY"

{
  "id": "dfa_abc123",
  "status": "pending",
  "display": {
    "title": "Create Virtual Card",
    "sections": [
      { "label": "Card Name", "value": "Marketing Card" },
      { "label": "Type", "value": "Virtual" }
    ]
  },
  "createdAt": "2026-03-05T07:00:00.000Z"
}

Status Values

StatusDescription
pendingAwaiting approval
approvedApproved, execution starting
runningCurrently executing
executedSuccessfully executed
rejectedRejected by approver
expiredExpired before approval
failedExecution failed
When status is executed, the response includes a result field containing the response that the original API call would have returned: 
{
  "id": "dfa_abc123",
  "status": "executed",
  "display": { ... },
  "result": {
    "id": "card_xyz789",
    "name": "Marketing Card",
    "status": "active"
  },
  "createdAt": "2026-03-05T07:00:00.000Z"
}