PERMISSION/PROTOCOL
← Integrations

CrewAI authorization gate

Authorization gates for CrewAI multi-agent workflows.

CrewAI crews delegate tasks between specialized agents, each with their own tools. Permission Protocol adds an authorization gate at the tool level — the agent pauses, a human approves, and execution only continues with a signed receipt. One decorator protects any tool in any crew.

The problem

CrewAI's task delegation model means one agent can trigger another's consequential actions autonomously. There's no built-in mechanism to require human authorization at the tool level or produce a verifiable record of who approved a specific action. Permission Protocol wraps any BaseTool in an authorization gate that issues a signed receipt before execution.

Code example.

Before — no gate

Python
from crewai.tools import BaseTool

class DeployTool(BaseTool):
    name: str = "deploy_service"
    description: str = "Deploy a service to production."

    def _run(self, service: str, environment: str) -> str:
        # No authorization check
        return deploy(service, environment)

After — authorization gate

Python — CrewAI BaseTool with authorization gate
from crewai.tools import BaseTool
from permission_protocol import require_approval

class DeployTool(BaseTool):
    name: str = "deploy_service"
    description: str = "Deploy a service to production."

    @require_approval(
        action="deploy",
        resource_fn=lambda args: f"{args['service']}:{args['environment']}",
        policy="production-deploy",
    )
    def _run(self, service: str, environment: str) -> str:
        # Pauses until receipt issued
        return deploy(service, environment)

# Crew output when gate fires:
# [DeployAgent] Calling deploy_service(billing-api, production)
# → Authorization required
# → Approval link: https://app.permissionprotocol.com/approve/7de22
# → Awaiting decision from [email protected]...
# → ✓ Receipt pp_r_c9a11f issued — proceeding

How it works.

01

Decorate _run

Add @require_approval to the _run method of any BaseTool. Works across every agent in the crew that uses that tool.

02

Approval request fires

When any agent calls the tool, Permission Protocol intercepts and routes an approval request to the configured reviewer — showing tool name, arguments, agent identity, and the active policy.

03

Receipt issued, crew continues

On approval, a signed receipt is issued. The tool executes with the receipt attached to the run context. On rejection, _run raises PermissionDenied, which CrewAI surfaces as a task failure.

The receipt it produces.

AuthorityReceipt — JSON
{
  "receipt_id": "pp_r_c9a11f32",
  "action": "deploy",
  "resource": "billing-api:production",
  "actor": "crewai-deploy-agent",
  "approved_by": "[email protected]",
  "policy": "production-deploy",
  "context": {
    "crew": "release-crew",
    "task": "deploy_billing_service"
  },
  "timestamp": "2026-05-16T16:05:44Z",
  "signature": "pp_sig_Kp9q..."
}

Full receipt format specification →

FAQ.

Does gating one tool affect the whole crew?

Only the specific tool is gated. Other tools in the crew that don't have @require_approval continue to execute freely. You control exactly which tools need authorization.

Can multiple agents share the same gated tool?

Yes. The gate fires for every invocation, regardless of which agent calls the tool. The receipt records which agent was the actor at the time of each call.

How does this interact with CrewAI's human input feature?

CrewAI's human_input=True pauses execution and asks for text input. Permission Protocol's gate is different — it issues a cryptographic receipt with a named approver, a policy, and a timestamp. They can run together, but the PP receipt is the verifiable proof.

Can I require approval for specific environments only?

Yes. Use a resource_fn to construct the resource string dynamically. Gate on resource='*:production' and leave staging/preview tools ungated.

Get the gate running today.

Free for individual developers. The quickstart takes under five minutes. Enterprise plans for teams that need audit trails, policy management, and self-hosted authority nodes.