{"id":"agentkitai-agentgate","name":"agentgate","homepage":"https://amitpaz1.github.io/agentgate/","repo_url":"https://github.com/agentkitai/agentgate","category":"infrastructure","subcategories":[],"tags":["ai-agents","human-in-the-loop","approval-workflow","mcp","policy-engine","webhooks","audit-trail","typescript"],"what_it_does":"AgentGate provides a human-in-the-loop approval workflow for AI agent actions. Agents request approvals via an authenticated HTTP API or an MCP server; a policy engine can auto-approve/auto-deny safe or dangerous actions and otherwise route decisions to humans through multiple channels (dashboard, Slack, Discord, email). It logs an audit trail and can notify external systems via signed webhooks with retries.","use_cases":["Human approval gates for sensitive agent actions (e.g., sending emails, deleting files, deploying to production)","Policy-based allow/deny/routing for agent tool calls","Compliance-friendly audit trails for agent decisions and actions","Integrating approval workflows into Slack/Discord and a web dashboard","Emitting webhook events for request lifecycle and decisions"],"not_for":["Public unauthenticated usage (authentication is required for all endpoints except /health)","Use cases requiring OAuth login/SSO flows (the API described uses API keys)","High-frequency real-time automation where decisions must be instant without human review"],"best_when":"You need an approval layer between autonomous AI agents and high-impact tools, with clear auditability and human override for non-auto-approved actions.","avoid_when":"You cannot operate the required server components (database, dashboard, bots/webhooks) or cannot manage API keys/policies reliably.","alternatives":["Open Policy Agent (OPA) with a custom approval/workflow layer","Self-hosted workflow/orchestration tools with approval steps (e.g., Temporal/queues + approval UI)","Other human-in-the-loop agent gateways (general purpose request/approval proxies)","Cloud 
provider IAM/guardrails (if the risk model maps cleanly to IAM policies, though less suited to arbitrary agent tool calls)"],"af_score":74.0,"security_score":74.8,"reliability_score":27.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:30:47.654620+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["TypeScript"],"openapi_spec_url":null,"webhooks":true},"auth":{"methods":["API key via Authorization: Bearer <key> header"],"oauth":false,"scopes":true,"notes":"API keys with fine-grained scopes are documented (admin, request:create, request:read, request:decide, webhook:manage). All endpoints except /health require a valid API key."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided; appears to be self-hosted/open-source style."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":74.0,"security_score":74.8,"reliability_score":27.5,"mcp_server_quality":75.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":85.0,"rate_limit_clarity":80.0,"tls_enforcement":85.0,"auth_strength":80.0,"scope_granularity":85.0,"dependency_hygiene":45.0,"secret_handling":70.0,"security_notes":"API key auth with documented fine-grained scopes is a strong baseline. README claims 'SSRF protection, ReDoS defense, structured logging, graceful shutdown' and supports webhook signing via HMAC-SHA256 with an optional secret. TLS enforcement is not explicitly stated in the provided excerpt; rate limiting exists. 
Dependency hygiene and specific CVE status are not verifiable from provided content.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":0.0,"error_recovery":65.0,"idempotency_support":"false","idempotency_notes":"The README describes endpoints and retries for webhooks, but does not explicitly state idempotency keys or idempotent semantics for request creation or decision submission.","pagination_style":"none","retry_guidance_documented":true,"known_agent_gotchas":["Decision timeouts/async wait: agents must handle that approval may not be immediate (waitForDecision supports a timeout).","Use correct scopes on API keys; missing scopes will prevent actions (e.g., request:decide for /decide).","Webhook delivery failures are retried, so receiving systems should tolerate duplicate deliveries unless the payload includes a unique delivery/event id.","Rate limiting is per API key; burst traffic may receive 429 responses and should respect retry/backoff."]}}