Skip to main content

My Requests (approvals)

One page, two hats. Requesters track, cancel, and execute their approval requests for gated certificate operations; admins and owners review the queue and approve or reject. Requests expire after 7 days if nobody acts.

Open it from the user menu (top right) → My Requests.

When requests are created

Approval requirements are configured per operation in Settings → General → Approval requirements — separate toggles for issue, reissue, renew, revoke, and download (General settings). When a gated operation is attempted:

  • Operators (and anyone below admin) get an approval request instead of immediate execution — it lands here as pending_approval.
  • Admins and owners are auto-approved: the request is recorded for the audit trail and they can execute straight away.

For the concept and design of the workflow, see Approval workflow.

Views

Admins and owners see a segmented switch in the header:

  • My Requests — requests you created, any status.
  • Pending Reviews — requests awaiting review in the current project, with a live count badge (e.g. Pending Reviews (3)).

Non-admin users only see My Requests. A second segmented control filters both views by status: All · Pending · Approved · Rejected · Executed · Failed · Expired · Cancelled.

The request table

ColumnContent
OperationColour-coded tag: issue (blue), reissue (cyan), renew (green), revoke (red), download (purple).
CertificateLink to the certificate detail (name, primary domain, or ID).
Requested ByWho filed the request — shown in the Pending Reviews view only.
StatusStatus tag; executing shows a live spinner.
RequestedRelative time (hover for the exact timestamp).
ReviewerApproved by X or Rejected by X once reviewed.
ActionsContext-dependent buttons — see below.

Expand a row for the full record: certificate, domain, operation, requester, the rejection reason (if rejected), and the execution error (if execution failed).

Statuses

StatusMeaning
pending_approvalWaiting for a reviewer. Expires 7 days after creation.
approvedGreen-lit — the requester (or an admin) can now execute it.
rejectedDeclined by a reviewer; the reason shows in the expanded row.
executingExecution in progress.
executedDone — a View Job button links to the resulting job.
execution_failedApproved and executed, but the operation errored.
expiredNobody acted within 7 days. File a new request.
cancelledWithdrawn by the requester (or an admin).

As a requester

  1. Trigger a gated operation from the certificate pages — you'll be told an approval request was created.
  2. Track it under My Requests; you'll also be notified when it's reviewed (if notification rules are set up).
  3. While pending_approval or approved, you can Cancel it (confirmation dialog).
  4. Once approved, click Execute and confirm. Execution enqueues the operation as a job. For download requests, the file opens immediately in a new tab via a single-use download token.
  5. After executed, View Job jumps to the job detail with the run's logs.
  6. If it lands in execution_failed, hover Error for the message. A Retry button appears only for transient error classes (JOB_QUEUE_ERROR, CA_ERROR, STATUS_CONFLICT) — anything else needs a fresh request after fixing the cause.

Execute and retry are allowed for the original requester or a project admin.

As an approver

  1. Switch to Pending Reviews — the badge count tells you if anything is waiting.
  2. Expand a row to inspect the certificate, domain, operation, and requester.
  3. Click Approve — the request flips to approved and the requester is notified. Execution is not automatic; the requester still pulls the trigger.
  4. Or click Reject — a dialog asks for an optional reason, which the requester sees in the expanded row.

Rules enforced by the backend:

  • Approve/Reject require the Admin project role or higher.
  • Self-approval is blocked — you cannot approve your own request, regardless of role (separation of duties).
  • Acting on an already-expired request marks it expired instead.
  • Approval actions are rate-limited (10 per minute per user).
note

Approve and Reject buttons also appear on pending rows in My Requests for admins — handy when reviewing a colleague's request that shows up in a shared certificate context — but self-approval is still rejected by the API.

Notifications

The workflow emits approval.requested, approval.approved, approval.rejected, approval.executed, and approval.expired events — route them to Email/Slack/Teams via notification rules. Pending reviews you're eligible for also count on the main dashboard.

See also