
# Approvals

When an [execution policy](/cli-policies/) has the `require_approval` action, an agent's matching action pauses and raises an **approval request**. You decide whether it proceeds. Approvals live under `dvx policy approvals`.

## See what's waiting

```bash
dvx policy approvals list
```

Each pending request shows its external ID, the agent it came from, and the action the agent was trying to perform.

## Approve or deny

```bash
dvx policy approvals approve <external_id> --note "looks fine - one-off migration"
dvx policy approvals deny    <external_id> --reason "not allowed in production"
```

Approving lets the agent's action proceed; denying blocks it. Your note or reason is recorded with the decision.

## How approvals fit together

1. You create an execution policy with `--action require_approval` (see [Policies](/cli-policies/)).
2. When an agent hits a matching action, it's held and a request appears in `dvx policy approvals list`.
3. You approve or deny it.
4. The decision - and who made it - is captured in the [audit log](/cli-audit/).

Use `--mode simulate` on a policy first if you want to see how often it *would* fire before you start gating real actions behind approvals.
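
Because the note or reason is stored with the decision and ends up in the audit log, a reviewer may want a guard around step 3. The wrapper below is an added example, not part of dvx: `decide`, `DVX_BIN` and the 12-character minimum are assumptions of this example, and only the `approve`/`deny` subcommands with their `--note`/`--reason` flags come from this page.

```bash
# Added example: wrapper that refuses to record an approval decision
# without a usable justification. Not shipped with dvx.

# DVX_BIN is a hypothetical override so the wrapper can be pointed at a stub.
DVX_BIN="${DVX_BIN:-dvx}"
# Local convention (assumption): shortest justification worth auditing.
MIN_JUSTIFICATION_LEN=12

# usage: decide approve|deny <external_id> "<justification>"
decide() {
  local decision="$1" id="$2" text="$3" flag trimmed

  # Map the decision to the flag this page documents for it.
  case "$decision" in
    approve) flag="--note" ;;
    deny)    flag="--reason" ;;
    *) echo "decision must be 'approve' or 'deny'" >&2; return 2 ;;
  esac

  # Reject an empty ID, a copied placeholder such as <external_id>,
  # and anything starting with '-' that the CLI could read as an option.
  case "$id" in
    ""|"<"*|-*) echo "invalid external ID: '$id'" >&2; return 2 ;;
  esac

  # Collapse whitespace so a string of blanks cannot pass as a justification.
  trimmed="$(printf '%s' "$text" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')"
  if [ "${#trimmed}" -lt "$MIN_JUSTIFICATION_LEN" ]; then
    echo "justification too short (min $MIN_JUSTIFICATION_LEN chars)" >&2
    return 2
  fi

  # Every argument is quoted, so the justification is passed as one value.
  "$DVX_BIN" policy approvals "$decision" "$id" "$flag" "$trimmed"
}
```

Source the file and call `decide approve <external_id> "one-off migration, reviewed with owner"`; a rejected call returns 2 before dvx is invoked.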
