CLAUDE LABJP
FORK — Claude Code 2.1.212 changes what /fork does: it copies your conversation into a new background session with its own row in claude agents, so you can keep working. The old in-session subagent is now /subtaskLIMITS — WebSearch calls are now capped at 200 per session by default, and subagent spawns get the same 200 ceiling, so a runaway search or delegation loop stops on its ownMCPBG — MCP tool calls running past two minutes now move to the background automatically, keeping the session usable. Tune the threshold with CLAUDE_CODE_MCP_AUTO_BACKGROUND_MSPLANFIX — Fixed plan mode auto-running file-modifying Bash commands such as touch and rm without a permission prompt or an SDK canUseTool callbackSONNET5 — Claude Sonnet 5 is running on introductory pricing of $2 per million input tokens and $10 per million output. After August 31 it moves to $3 and $15IPO — Bankers are reportedly lining up investor meetings for Anthropic ahead of a possible public listing as soon as OctoberFORK — Claude Code 2.1.212 changes what /fork does: it copies your conversation into a new background session with its own row in claude agents, so you can keep working. The old in-session subagent is now /subtaskLIMITS — WebSearch calls are now capped at 200 per session by default, and subagent spawns get the same 200 ceiling, so a runaway search or delegation loop stops on its ownMCPBG — MCP tool calls running past two minutes now move to the background automatically, keeping the session usable. Tune the threshold with CLAUDE_CODE_MCP_AUTO_BACKGROUND_MSPLANFIX — Fixed plan mode auto-running file-modifying Bash commands such as touch and rm without a permission prompt or an SDK canUseTool callbackSONNET5 — Claude Sonnet 5 is running on introductory pricing of $2 per million input tokens and $10 per million output. After August 31 it moves to $3 and $15IPO — Bankers are reportedly lining up investor meetings for Anthropic ahead of a possible public listing as soon as October
Articles/API & SDK
API & SDK/2026-04-21Advanced

Inserting Approval Gates Into Your Agents — A Production Design for Human-in-the-Loop With the Claude API

Once you put an agent in production, the requirement 'please get a human to approve just this specific decision' appears within days. This guide walks through the design patterns for retrofitting approval gates and handling suspend/resume correctly, with working code.

human-in-the-loop2agent13approvaltool-use22production111

Premium Article

When you hand tools to an agent, it usually works remarkably well. The problem is the small percentage of cases that slip past "usually," where something irreversible happens.

The first time I ran an agent in production, what scared me most wasn't bugs — it was the agent working too correctly. Once you list a payment API, an email sender, or a database DELETE as available tools, Claude will call them without hesitation when it decides they're needed. A flow that behaved perfectly in tests can, under real user edge cases, execute tools in an unexpected order. Before you notice, a wrongly-addressed invoice is sitting in a customer's inbox, or a partial refund has gone through to the wrong account.

This article covers production design patterns for inserting Human-in-the-Loop (HITL) — the pattern where a human steps in for specific decisions — into Claude API's standard tool_use / tool_result loop, with working code. Instead of giving up on autonomy entirely, the trick is to decide in advance where you'll stop, who approves, and what they'll see. The rest of this article walks through that design space end to end, starting from the risk framing and ending with a three-step rollout for an agent you're already running.

What to Think About Before Your Agent "Just Runs" Something

Before designing HITL, articulate what you actually want to stop. This is not purely a technical question; it's a business-risk question. In projects I've reviewed, teams that skipped this step ended up putting approval on every single tool call, and reviewers developed approval fatigue so severe that nobody actually read the requests anymore. The pattern is remarkably consistent: approvals start detailed, then degrade to "looks fine," then become a keyboard reflex.

You can reduce the design axes to three:

  • Irreversibility: Can the operation be undone? (payments, contract signing, external emails, DNS changes)
  • Blast radius: Does the impact stay inside one internal user, or does it touch external customers or public systems?
  • Amount / compliance threshold: Should the gate activate only above certain monetary thresholds, or when personal data, regulated data, or cross-jurisdictional data is involved?

Classify every tool along these axes into Red (always approve), Yellow (approve under conditions), and Green (automatic). Document this before writing code. Red means you always stop, Yellow means threshold logic, Green means run as usual. When the classification is explicit, the human reviewer also has a clear sense of what they're evaluating in each request. Putting this matrix in a shared document also gives you something product managers and legal reviewers can read and challenge, which is far harder to do with raw code.

A Common Misconception — "Approving Everything" Is Not Safer

It feels intuitively correct that more approval gates mean more safety, but in production it increases incidents. Humans who repeatedly receive monotonous approval requests stop reading them and start rubber-stamping — a well-documented phenomenon from aviation and healthcare, where it has caused catastrophic failures despite the presence of multiple "human-in-the-loop" controls.

In my experience, once a team routinely sees more than five approval requests per day per reviewer, the careful-reading rate drops sharply. Above ten per day, the rate collapses. The courage to remove gates and the quality of your Yellow thresholds determine the quality of production operations. At design time, estimate how many approvals per day each gate will fire. If the real number exceeds the estimate, loosen the threshold or add automation logic instead of burying your reviewers. It helps to track a simple metric: "what percentage of requests are rejected?" If that number is essentially zero for a given gate, the gate is probably providing no value, only cost.

Five Places Where You Can Insert an Approval Gate

Where you place the gate along the agent's lifecycle trades off implementation complexity against safety. I usually choose from these five and combine them per project.

1. Just Before Tool Execution (Most Common)

Insert a gate immediately after Claude returns a tool_use block and before you actually call the tool. A human reviews the input parameters; if acceptable, you execute, otherwise you send back a rejection or correction message. The implementation is the simplest, and you can tune Red/Yellow/Green on a per-tool basis. It's also the easiest to explain to stakeholders, which matters more than it sounds when you're getting buy-in from legal or compliance teams.

2. Before Returning the Tool Result

After the tool runs, check the result before passing it back to Claude. For example, you might filter out personally identifiable information from database query results, or strip out rows that belong to customers outside a permitted region. Because you intercept before Claude uses the data for further reasoning, this suits privacy-sensitive or data-leak-prone cases. It's especially useful when the tool itself is safe to run (it only reads) but the content it returns might steer the agent into regulated territory.

3. Dynamic Gate Based on Parameter Values

The tool itself doesn't require approval, but the gate triggers only for specific inputs — for example, "auto-approve refunds under ¥10,000, require approval above." This is the design that most often balances operations load and safety, and it's almost always my first recommendation for a new project. You can compose several dimensions into the trigger: amount, customer tier, time of day, rate of the same operation within a short window. Each dimension you add is another lever for tuning later.

4. Plan Review at Session Start

Let Claude produce "just the plan" first, have a human review it, then start execution. This is useful for long-running agents or critical business processes, but you need a separate design for what happens when Claude tries to call new tools mid-session. The usual pattern is to allow a pre-approved set of tools to run freely after plan approval, while any tool outside the plan triggers a normal per-call gate. It's more state to track, but the user experience for both the agent and the operator is much smoother.

5. Fallback Gate on Anomaly Detection

The agent runs fully autonomous most of the time, with a human only stepping in when error rates or unexpected tool-call patterns appear. It requires integration with monitoring metrics, so implementation cost is higher, but it's worth adopting when you don't want to drop your automation rate. A simple starting point: if the agent calls the same tool more than N times within M minutes, or if two consecutive tool calls return errors, pause for review. These signals catch runaway loops and regression regressions without affecting normal traffic.

For the first iteration on a project, I recommend starting from #3 (dynamic gate). It's the pattern that fails the least. #1 and #2 are simple but tend to invite approval fatigue. #4 and #5 are more complex. Adding #1 or #5 later is easier because you'll have operations data to calibrate thresholds. This sequencing is the opposite of what looks "safer on paper," and it's the single most common mistake I see in initial HITL designs.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
You'll stop struggling to identify which operations are too risky to automate — you'll have a clear framework with five placement options for approval gates and three decision axes
You'll be able to suspend and resume the tool_use / tool_result loop, and you'll have concrete code connecting Claude API with Slack and email approval flows
You'll understand how to prevent production-specific incidents like privilege escalation, double execution, and expired approvals, with audit logs and timeout designs that stand up to compliance review
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Claude Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

API & SDK2026-07-09
Same Output, Different Path — Guarding Agent Trajectories with Invariants
When the default model changes, your final output can stay correct while the path your agent takes quietly shifts. Here is a trajectory regression harness built on recorded tool traces and deterministic invariants, with working code and measured numbers.
API & SDK2026-06-29
When Context Editing Made My Agent Re-run the Same Search — Field Notes on Clear Boundaries and Cache Invalidation
After turning on Context Editing to auto-clear tool results, the agent forgot what it had just read, re-ran the same tool, and the cache rebuilt every turn so costs went up. Field notes on instrumenting the silent regression and setting trigger, keep, and clear_at_least from measured data.
API & SDK2026-06-22
Putting a Ceiling on the pause_turn Loop: Running Long Server Tools Safely Unattended
A production design for continuing pause_turn safely in unattended runs, where long server tools like web_search and code execution are involved. Covers branching all four stop_reason values in one loop, capping continuations and wall-clock time, and accumulating usage across paused segments.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →