Quickstart: gate your first AI agent action

Create a workspace

Sign in at sentrail.dev and create a workspace. Set the environment to test while you integrate — test workspaces run full policy evaluation but are labeled separately in audit logs.

Connect GitHub

Go to Tools → GitHub → Connect. Sentrail will redirect you through GitHub OAuth. After authorization, your workspace stores an access token server-side — the token is never exposed to agents.Copy the webhook URL shown after connecting:

https://<project-ref>.supabase.co/functions/v1/webhook-github

Add it to your GitHub repository or organization settings under Webhooks. Set the content type to application/json and add a webhook secret — you will paste this secret into Sentrail’s tool configuration.

Create an API key

Go to Settings → API Keys → New Key. Give the key a name and assign the gateway scope. Copy the key — it starts with agk_ and is shown only once.

agk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Store the key in a secret manager immediately. Sentrail stores only a SHA-256 hash and cannot recover the raw value.

Write your first gated action

Replace the GitHub API base URL in your agent with the Sentrail gateway. Pass your API key as a Bearer token and include an agent identifier header.

curl -X POST \
  https://<project-ref>.supabase.co/functions/v1/gateway-proxy/github/repos/owner/repo/issues \
  -H "Authorization: Bearer agk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "X-Agent-Id: my-coding-agent" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Fix login bug",
    "body": "The logout button is broken on mobile.",
    "labels": ["bug"]
  }'

If no matching policy exists, Sentrail defaults to require_approval — the action is not forwarded automatically. You will receive a 202 response:

{
  "ok": true,
  "decision": "require_approval",
  "reason": "No policy matched; defaulting to approval",
  "approvalRequestId": "550e8400-e29b-41d4-a716-446655440000",
  "auditLogId": "...",
  "correlationId": "...",
  "pollUrl": "/functions/v1/gateway-proxy/status/..."
}

A reviewer must approve the action in the Sentrail dashboard before it executes. If you want unmatched actions to be allowed immediately, create an explicit allow policy with actionPattern: "*" at a low priority number.

Exception: repos.delete (repository deletion) is blocked outright even if no policy matches, regardless of the default.

Create a require_approval policy

Go to Policies → New Policy and configure:

Field	Value
Tool	`github`
Action pattern	`pull_request.create`
Risk level	`high`
Mode	`require_approval`
Priority	`10`

Now repeat the request but for a pull request:

curl -X POST \
  https://<project-ref>.supabase.co/functions/v1/gateway-proxy/github/repos/owner/repo/pulls \
  -H "Authorization: Bearer agk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "X-Agent-Id: my-coding-agent" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Add feature X",
    "head": "feature-x",
    "base": "main"
  }'

You will receive a 202 response:

{
  "ok": true,
  "decision": "require_approval",
  "reason": "Policy 'Require approval for PRs' matched",
  "approvalRequestId": "550e8400-e29b-41d4-a716-446655440000",
  "auditLogId": "...",
  "correlationId": "...",
  "pollUrl": "/functions/v1/gateway-proxy/status/..."
}

The action is paused until a reviewer approves or denies it in the Sentrail dashboard.

See the audit log

Go to Audit Logs in the dashboard. Every evaluated action is logged — the decision, which policy matched, the agent identity, the payload preview, and the correlation ID linking the approval request to its execution result.