Approval Workflows

In high-compliance environments, sensitive changes shouldn't happen without a second pair of eyes. CustomKeys Approval Workflows enforce a "Four-Eyes Principle" for protected environments.

How it Works

  1. Request: A developer attempts to update a secret in a Protected Environment (e.g., production).
  2. Pending State: The change is not applied immediately. It enters a pending state.
  3. Review: Admins or Owners receive a notification. They can review the proposed change (key only, value remains hidden in the request list).
  4. Resolution: An approver (who must NOT be the requester) approves or rejects the change.
  5. Execution: If approved, the secret is updated and the version is committed.

Configuring Approvals

Approvals are automatically enabled for any environment marked as is_protected for Business and Enterprise plans.

Real-time Notifications

Approval requests are broadcasted via WebHook and Slack integrations (if configured), ensuring fast turnaround times for critical production fixes.

Last updated: 4/20/2026Report Issue