Human-in-the-loop email approvals
Let agents draft and act on email, but keep a human in the loop for anything that sends. ThreadCamp's per-inbox approve-first policy holds every agent send as a pending draft until a person approves it - and the approval is what executes the send.
The blast-radius problem
The loudest objection to giving an autonomous agent an email address is blast radius: what if it emails the wrong person, or the right person a hundred times, at machine speed? Rate limits and scoped keys reduce the damage but do not remove the category of risk - an agent that can send can send a mistake. Human-in-the-loop closes that gap by making a person the final gate on outbound mail.
Approve-first, per inbox
In ThreadCamp, autonomy is a property of the inbox, not a global switch. Set an inbox to approve-first and every send from it is intercepted. Instead of going out, the message is stored as a pending draft and the API returns status pending_approval with an approval_id. A human reviews it in the approval queue - or an API client with the right scope calls the approve endpoint - and that approval is the call that actually transmits the message.
POST /v1/inboxes
{ "domain": "acme-agents.email",
"autonomy": "approve-first" }
// the agent attempts a send ->
POST /v1/emails
{ "from": "outreach@acme-agents.email", "to": ["lead@example.com"], ... }
-> { "status": "pending_approval", "approval_id": "apr_..." }
// a human approves in the queue (or via API) ->
POST /v1/approvals/apr_.../approve
-> { "status": "sent", "message_id": "msg_..." }It fails closed
The design point is that nothing sends by default under approve-first. If the human never approves, the draft simply expires; there is no path where a pending message leaks out on a timeout. This is the opposite of after-the-fact logging, where the mail has already been delivered by the time anyone looks. It also composes with the rest of ThreadCamp's guardrails: sandbox keys for testing, scoped keys to limit which inboxes an agent can touch, and bounce auto-pause to stop a misbehaving run.
When to use which policy
Use auto for low-risk, high-volume transactional mail such as receipts and notifications. Use approve-first for anything an agent should never send unattended - cold outreach, replies to customers, anything sent from a real brand domain. Use notify when you want a human aware of activity without blocking delivery. Because the policy is per inbox, a single agent fleet can run all three at once.
Keep reading
Questions
What is human-in-the-loop email for AI agents?
It is a policy where an agent can draft and attempt a send, but the message is held as a pending draft until a person approves it. The human approval is the action that actually executes the send, so no agent email leaves the system without sign-off.
How is approve-first different from just logging what the agent sent?
Logging is after the fact - the mail has already gone. Approve-first is a gate before delivery: the send returns status pending_approval and an approval_id, and nothing is transmitted until a human approves. It fails closed, not open.
Can I mix autonomous and approved inboxes?
Yes. Autonomy is set per inbox: auto for low-risk transactional sends, approve-first for outbound the agent should not send unattended, and notify to alert a human without blocking. One agent fleet can use all three.
Ship agent email with a human gate.
No credit card. Full API, MCP and webhooks on the free tier.