LangChain authorization gate
Require human approval before LangChain agents act.
LangChain agents can invoke tools that call APIs, write files, execute code, and deploy infrastructure. Permission Protocol adds an external authorization gate — an approval receipt that must exist before any tool call executes. The agent pauses, a human approves, and execution continues only with a cryptographic proof of authorization.
The problem
LangChain's HITL (human-in-the-loop) patterns let you interrupt agents, but they don't produce a verifiable record of who approved what. When something goes wrong, you have logs — not proof. Permission Protocol wraps any LangChain tool in an authorization gate that issues a signed receipt before execution.
Code example.
Before — no gate
from langchain.tools import tool

@tool
def deploy_service(service_name: str) -> str:
    """Deploy a service to production."""
    # No authorization check — agent can deploy freely
    # run_deploy is assumed to be your own deployment helper, defined elsewhere
    return run_deploy(service_name)

After — authorization gate
from langchain.tools import tool
from permission_protocol import require_approval

@tool
@require_approval(
    action="deploy",
    resource_fn=lambda args: f"{args['service_name']}:production",
    policy="production-deploy",
)
def deploy_service(service_name: str) -> str:
    """Deploy a service to production."""
    # Agent pauses here until a receipt is issued
    # run_deploy is assumed to be your own deployment helper, defined elsewhere
    return run_deploy(service_name)

# Agent output when gate fires:
# → Approval required: https://app.permissionprotocol.com/approve/4ac91
# → Waiting for authorization...
# → ✓ Approved by sarah.kim
# → ✓ Receipt: pp_r_8f91c2

How it works.
Wrap the tool
Add @require_approval to any LangChain tool. The decorator intercepts the call before execution and submits an authorization request to Permission Protocol.
Human receives approval request
The configured reviewer gets an approval link showing the tool name, arguments, agent identity, and the policy being evaluated. They approve or reject.
Receipt issued, execution continues
On approval, Permission Protocol issues a signed authority receipt. The decorator verifies it and allows the tool call to proceed. On rejection, the tool raises PermissionDenied.
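The three steps above, sketched as an added example that is not Permission Protocol's own code: a minimal gate that verifies the receipt's signature and checks that the receipt is bound to the exact action, resource and policy of the call. The names `gate`, `verify_receipt`, `demo_receipt` and the key are hypothetical, and HMAC-SHA256 stands in for the service's signature scheme, which this page does not specify.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the authority's signing key


class PermissionDenied(Exception):
    """Local stand-in for the exception the page says the gate raises."""


def sign(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()  # canonical form
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


def verify_receipt(receipt: dict, action: str, resource: str, policy: str) -> bool:
    fields = {k: v for k, v in receipt.items() if k != "signature"}
    if not hmac.compare_digest(sign(fields), str(receipt.get("signature", ""))):
        return False  # forged, or modified after signing
    bound = (fields.get("action"), fields.get("resource"), fields.get("policy"))
    return bound == (action, resource, policy)  # a receipt for another resource must fail


def gate(action, resource_fn, policy, get_receipt):
    """Hypothetical gate; get_receipt(action, resource, policy) returns a receipt or None."""
    def wrap(fn):
        def inner(**kwargs):
            resource = resource_fn(kwargs)
            receipt = get_receipt(action, resource, policy)
            if receipt is None or not verify_receipt(receipt, action, resource, policy):
                raise PermissionDenied(f"{action} on {resource} not authorized")
            return fn(**kwargs)
        return inner
    return wrap


def demo_receipt(resource: str) -> dict:
    """Constructed sample receipt using the field names shown on this page."""
    fields = {"receipt_id": "pp_r_demo", "action": "deploy", "resource": resource,
              "actor": "langchain-agent", "approved_by": "sarah.kim",
              "policy": "production-deploy", "timestamp": "2026-05-16T14:22:11Z"}
    return {**fields, "signature": sign(fields)}


# Stub approver: only billing-service was ever approved, and that receipt is replayed.
@gate("deploy", lambda a: f"{a['service_name']}:production", "production-deploy",
      lambda action, resource, policy: demo_receipt("billing-service:production"))
def deploy_service(service_name: str) -> str:
    return f"deployed {service_name}"
```

Calling `deploy_service(service_name="billing-service")` runs, while `service_name="payments-service"` raises `PermissionDenied` because the replayed receipt names a different resource.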
The receipt it produces.
{
  "receipt_id": "pp_r_8f91c2a4",
  "action": "deploy",
  "resource": "billing-service:production",
  "actor": "langchain-agent",
  "approved_by": "sarah.kim",
  "policy": "production-deploy",
  "timestamp": "2026-05-16T14:22:11Z",
  "signature": "pp_sig_MEQCIBx4..."
}

FAQ.
Does this work with LangGraph?
Yes. LangGraph interrupt() nodes are a natural integration point. You can configure Permission Protocol to fire at any node boundary and resume the graph only when a receipt is issued.
Can the agent retry while waiting for approval?
The decorator blocks the tool call synchronously by default. You can configure a timeout after which the tool raises PermissionDenied if no decision is received.
How does this differ from LangChain's built-in HITL?
LangChain's HITL patterns interrupt execution but don't produce a verifiable record of who approved what, under which policy, at what time. Permission Protocol issues a cryptographic receipt that any enforcement point can independently verify.
Can I gate specific tools and not others?
Yes. Apply @require_approval selectively. Most teams gate tools that touch production systems, databases, financial operations, or external APIs and leave read-only tools ungated.
Get the gate running today.
Free for individual developers. The quickstart takes under five minutes. Enterprise plans for teams that need audit trails, policy management, and self-hosted authority nodes.