ThreadCamp
Start free
Human-in-the-loop

Human-in-the-loop email approvals

Let agents draft and act on email, but keep a human in the loop for anything that sends. ThreadCamp's per-inbox approve-first policy holds every agent send as a pending draft until a person approves it - and the approval is what executes the send.

Start free - no cardRead the docs

The blast-radius problem

The loudest objection to giving an autonomous agent an email address is blast radius: what if it emails the wrong person, or the right person a hundred times, at machine speed? Rate limits and scoped keys reduce the damage but do not remove the category of risk - an agent that can send can send a mistake. Human-in-the-loop closes that gap by making a person the final gate on outbound mail.

Approve-first, per inbox

In ThreadCamp, autonomy is a property of the inbox, not a global switch. Set an inbox to approve-first and every send from it is intercepted. Instead of going out, the message is stored as a pending draft and the API returns status pending_approval with an approval_id. A human reviews it in the approval queue - or an API client with the right scope calls the approve endpoint - and that approval is the call that actually transmits the message.

POST /v1/inboxes
{ "domain": "acme-agents.email",
  "autonomy": "approve-first" }

// the agent attempts a send ->
POST /v1/emails
{ "from": "outreach@acme-agents.email", "to": ["lead@example.com"], ... }
-> { "status": "pending_approval", "approval_id": "apr_..." }

// a human approves in the queue (or via API) ->
POST /v1/approvals/apr_.../approve
-> { "status": "sent", "message_id": "msg_..." }

It fails closed

The design point is that nothing sends by default under approve-first. If the human never approves, the draft simply expires; there is no path where a pending message leaks out on a timeout. This is the opposite of after-the-fact logging, where the mail has already been delivered by the time anyone looks. It also composes with the rest of ThreadCamp's guardrails: sandbox keys for testing, scoped keys to limit which inboxes an agent can touch, and bounce auto-pause to stop a misbehaving run.

When to use which policy

Use auto for low-risk, high-volume transactional mail such as receipts and notifications. Use approve-first for anything an agent should never send unattended - cold outreach, replies to customers, anything sent from a real brand domain. Use notify when you want a human aware of activity without blocking delivery. Because the policy is per inbox, a single agent fleet can run all three at once.

Related

Keep reading

Email for AI agents

Give an autonomous agent its own real inbox.

Outreach agent

Send scheduled, approved outreach from a real domain.

Receive email programmatically

Read inbound mail via webhooks or polling.

Questions

What is human-in-the-loop email for AI agents?

It is a policy where an agent can draft and attempt a send, but the message is held as a pending draft until a person approves it. The human approval is the action that actually executes the send, so no agent email leaves the system without sign-off.

How is approve-first different from just logging what the agent sent?

Logging is after the fact - the mail has already gone. Approve-first is a gate before delivery: the send returns status pending_approval and an approval_id, and nothing is transmitted until a human approves. It fails closed, not open.

Can I mix autonomous and approved inboxes?

Yes. Autonomy is set per inbox: auto for low-risk transactional sends, approve-first for outbound the agent should not send unattended, and notify to alert a human without blocking. One agent fleet can use all three.

Ship agent email with a human gate.

No credit card. Full API, MCP and webhooks on the free tier.

Start freeRead the docs