The architecturally distinct bit is that you're validating at the service-action layer (send-email, merge-PR, transfer-funds) instead of at the tool-call layer inside whichever agent's running. A permission hook in Claude Code is only as trustworthy as the Claude Code process itself, and it doesn't carry over if you swap in a different agent next week. PS sits one layer up with stable, cross-agent semantics, and it's the thing that actually holds the OAuth tokens, so the agent can't leak them even if it wanted to.

Push-to-approve on a separate device is also the right channel, since the whole point is that you don't trust whatever just asked.

Curious: are the per-service schemas hand-written or generated from each provider's OpenAPI?

Permission Slip is an open-source approval layer that sits between an AI agent and your accounts (I built it for Openclaw, but works with Claude code local, etc)

You configure what the agent can do on its own vs. what needs you. eg. Auto-approve read actions. Require a tap on your phone for anything destructive or irreversible — sending an email, merging a PR, moving money. The agent submits a structured, schema-validated action; Permission Slip decides per your rules; your credentials never leave the box.

Permission Slip authenticates via OAuth on services like Google, Microsoft, Slack, and soon others. Or can use an API key. And then your agent user permission slip CLI to perform actions on your behalf through those services but only when you approve.

Openclaw recently added native approvals so maybe that kills this. But the point of Permission Slip is that you don't have to trust the agent performing the action but rather you trust a small, deterministic, open-source codebase that you can read, audit, and run yourself to hold your keys and enforce the rules.

This also prevents that annoying thing when OpenClaw glitches and does the same thing like 10 times... in this case, you would approve the action the first time and then the email would get sent for example. But the remaining 9 times would show up as approval requests in the Permission Slip IOS app but you could deny and then tell OpenClaw to get it's act together.

I built this in 8 weeks as a side project, mostly from my phone with AI coding agents doing the typing and me running architecture and review. Lost too much sleep having fun with how much is possible using mobile apps to code.

Where it's at: Google and Slack are the most fleshed out. iPhone app is live. I've only run it in local dev and the hosted beta environment so far — my next milestone is spinning up my own instance on a Raspberry Pi at home.

If you want to try it: play with the hosted version at permissionslip.dev, but don't put anything sensitive there yet — it's a beta playground. If you can see this being useful for your own Openclaw setup, I recommend self-hosting on a Pi in your home network. Should be fast in theory but I haven't tested that yet.

Have to get to work soon so will be slow to reply until my lunch break and later in the evenincg.

Repo: https://github.com/supersuit-tech/permission-slip. Feedback and PRs very welcome — it's beta and has rough edges and was mostly me building something for me that maybe others will want to use to, and then me wanting to explore if I could actually get everything set up as a full SAAS product in a few weeks.

Still blown away with what's possible today.