The latest articles on DEV Community by madebyaman (@madebyaman). https://dev.to/madebyaman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F93848%2Fd4828cfa-d9eb-40f9-9b5b-4b3c5c74e236.png https://dev.to/madebyaman en madebyaman Mon, 29 Jun 2026 18:35:58 +0000 https://dev.to/madebyaman/making-human-approvals-trustworthy-4855 https://dev.to/madebyaman/making-human-approvals-trustworthy-4855 <p>At first, approvals sound simple.</p> <p>Show a button. Let someone click approve. Continue the workflow.</p> <p>But real approvals are much harder than that.</p> <p>Nod has to answer important questions:</p> <ul> <li>Who requested this approval?</li> <li>Who approved or rejected it?</li> <li>Was the person allowed to decide?</li> <li>Did the approval expire?</li> <li>Was the callback delivered?</li> <li>Can we prove what happened later?</li> </ul> <p>That is why Nod stores approvals as real state, not temporary UI.</p> <p>Each approval has a status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pending approved rejected expired canceled </code></pre> </div> <p>Only one final decision can win. If two people click at the same time, Nod must safely accept the first valid decision and reject stale attempts.</p> <p>Slack also needs careful handling. Nod verifies Slack signatures, checks the approval and channel, and stores an actor snapshot for the audit log. After a decision, Slack messages can be updated so old buttons are no longer useful.</p> <p>Webhooks also need trust. Nod signs every callback so customer apps can verify it before continuing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">nod</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">verify</span><span class="p">({</span> <span class="nx">rawBody</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NOD_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>We learned that approvals are not just a product feature. They are a security system.</p> <p>A good approval layer needs:</p> <ul> <li>Authorization</li> <li>Idempotency</li> <li>Expiration</li> <li>Webhook signing</li> <li>Retry logic</li> <li>Audit logs</li> </ul> <p>That is what Nod is built around.</p> h0hackathon madebyaman Mon, 29 Jun 2026 18:35:13 +0000 https://dev.to/madebyaman/why-nod-is-an-approval-layer-not-a-workflow-engine-2j0b https://dev.to/madebyaman/why-nod-is-an-approval-layer-not-a-workflow-engine-2j0b <p>One of the biggest decisions we made while building Nod was what not to build.</p> <p>Nod is not a workflow engine.</p> <p>It does not:</p> <ul> <li>Run customer code</li> <li>Store workflow steps</li> <li>Resume execution cursors</li> <li>Hold customer infrastructure credentials</li> </ul> <p>Instead, Nod does one thing well: it handles the human decision.</p> <p>Your app stays in control of the workflow. Nod only answers the question:</p> <blockquote> <p>Did a human approve this action?</p> </blockquote> <p>The developer experience looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">approval</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">nod</span><span class="p">.</span><span class="nx">approvals</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">idempotencyKey</span><span class="p">:</span> <span class="s2">`deploy:</span><span class="p">${</span><span class="nx">commitSha</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">policyId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">prod_deploy</span><span class="dl">"</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Deploy to production?</span><span class="dl">"</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">repo</span><span class="p">:</span> <span class="dl">"</span><span class="s2">justnod/web</span><span class="dl">"</span><span class="p">,</span> <span class="nx">commitSha</span><span class="p">,</span> <span class="nx">diffUrl</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>After a human approves or rejects, Nod sends a signed webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">nod</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">verify</span><span class="p">({</span> <span class="nx">rawBody</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NOD_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">approval.approved</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">deployToProduction</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This separation keeps Nod simple and useful.</p> <p>The customer owns:</p> <ul> <li>The agent</li> <li>The workflow</li> <li>The business logic</li> <li>The final side effect</li> </ul> <p>Nod owns:</p> <ul> <li>The approval request</li> <li>The policy</li> <li>The human decision</li> <li>The audit trail</li> <li>The signed callback</li> </ul> <p>That boundary made the product much cleaner. Developers do not need to move their whole system into Nod. They only add one approval checkpoint where risk begins.</p> h0hackathon madebyaman Mon, 29 Jun 2026 18:34:31 +0000 https://dev.to/madebyaman/building-nod-with-vercel-and-amazon-aurora-postgresql-4e8g https://dev.to/madebyaman/building-nod-with-vercel-and-amazon-aurora-postgresql-4e8g <p>Nod is an approval API for AI agents, scripts, and workflows.</p> <p>The idea is simple:</p> <ul> <li>Your app wants to do something risky.</li> <li>Nod asks a human for approval.</li> <li>The human approves in Slack or web.</li> <li>Nod sends a signed callback.</li> <li>Your app continues safely.</li> </ul> <p>We built the web app on <strong>Vercel</strong>. The dashboard lets teams manage:</p> <ul> <li>Workspaces</li> <li>Members and roles</li> <li>Approval policies</li> <li>Slack channels</li> <li>API keys</li> <li>Callback endpoints</li> <li>Approval history</li> </ul> <p>For the database, we used <strong>Amazon Aurora PostgreSQL</strong>. Nod needs a strong relational database because approval data must be correct. An approval is not just a UI card. It has a lifecycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pending -&gt; approved pending -&gt; rejected pending -&gt; expired pending -&gt; canceled </code></pre> </div> <p>Aurora stores the source of truth:</p> <ul> <li>Approval requests</li> <li>Human decisions</li> <li>Policy versions</li> <li>Webhook events</li> <li>Delivery attempts</li> <li>Audit logs</li> </ul> <p>The backend runs on AWS with Lambda workers. One worker sends Slack notifications. Another sends signed callbacks. Another expires old approvals.</p> <p>A typical flow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App or agent -&gt; Nod API -&gt; Aurora PostgreSQL -&gt; Slack or web approval -&gt; Signed callback -&gt; App continues </code></pre> </div> <p>Vercel helped us move fast on the user experience. Aurora gave us the reliable data layer needed for real approvals. Together, they helped us build Nod as infrastructure, not just a demo.</p> h0hackathon