At first, approvals sound simple.
Show a button. Let someone click approve. Continue the workflow.
But real approvals are much harder than that.
Nod has to answer important questions:
- Who requested this approval?
- Who approved or rejected it?
- Was the person allowed to decide?
- Did the approval expire?
- Was the callback delivered?
- Can we prove what happened later?
That is why Nod stores approvals as real state, not temporary UI.
Each approval has a status:
- pending
- approved
- rejected
- expired
- canceled
Only one final decision can win. If two people click at the same time, Nod must safely accept the first valid decision and reject stale attempts.
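The first-valid-decision-wins rule above, as an added TypeScript sketch that is not Nod's own code. The names `decide`, `Outcome`, `AuditEntry` and the in-memory `Approval` object are assumptions made for illustration; in a real store the pending check and the write would be one atomic conditional update.

```typescript
// Added example (hypothetical names): an in-memory object stands in for a database row.
type Status = "pending" | "approved" | "rejected" | "expired" | "canceled";
type Outcome = "accepted" | "replayed" | "stale" | "expired" | "forbidden";

interface Approval {
  id: string;
  status: Status;
  approvers: string[]; // who is allowed to decide
  expiresAt: number;   // epoch milliseconds
  decidedBy?: string;
}
interface AuditEntry { approvalId: string; actor: string; attempted: Status; outcome: Outcome; at: number }

const auditLog: AuditEntry[] = [];

function decide(a: Approval, actor: string, decision: "approved" | "rejected", now: number): Outcome {
  let outcome: Outcome;
  if (a.approvers.indexOf(actor) === -1) {
    outcome = "forbidden"; // authorization is checked before any state is read or changed
  } else if (a.status === "pending" && now >= a.expiresAt) {
    a.status = "expired";  // a late click closes the approval without deciding it
    outcome = "expired";
  } else if (a.status === "pending") {
    a.status = decision;   // the only pending -> final transition; it can happen once
    a.decidedBy = actor;
    outcome = "accepted";
  } else if (a.status === decision && a.decidedBy === actor) {
    outcome = "replayed";  // idempotent retry of the request that already won
  } else {
    outcome = a.status === "expired" ? "expired" : "stale"; // someone else decided first
  }
  // Every attempt is recorded, including the ones that lose.
  auditLog.push({ approvalId: a.id, actor, attempted: decision, outcome, at: now });
  return outcome;
}

// Constructed scenario: two approvers click at almost the same time.
function demo(): Outcome[] {
  const a: Approval = { id: "apr_1", status: "pending", approvers: ["alice", "bob"], expiresAt: 1000 };
  return [
    decide(a, "mallory", "approved", 100), // not an approver
    decide(a, "alice", "approved", 500),   // first valid decision
    decide(a, "bob", "rejected", 501),     // arrives after the state is final
    decide(a, "alice", "approved", 502),   // retry of the winning request
  ];
}
```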
Slack also needs careful handling. Nod verifies Slack signatures, checks the approval and channel, and stores an actor snapshot for the audit log. After a decision, Slack messages can be updated so old buttons are no longer useful.
Webhooks also need trust. Nod signs every callback so customer apps can verify it before continuing.
```ts
// Verify the callback's signature before acting on the event.
const event = nod.webhooks.verify({
  rawBody,
  headers: request.headers,
  secret: process.env.NOD_WEBHOOK_SECRET!,
});
```
We learned that approvals are not just a product feature. They are a security system.
A good approval layer needs:
- Authorization
- Idempotency
- Expiration
- Webhook signing
- Retry logic
- Audit logs
That is what Nod is built around.