My Requests (approvals)
One page, two hats. Requesters track, cancel, and execute their approval requests for gated certificate operations; admins and owners review the queue and approve or reject. Requests expire after 7 days if nobody acts.
Open it from the user menu (top right) → My Requests.
When requests are created
Approval requirements are configured per operation in Settings → General → Approval requirements — separate toggles for issue, reissue, renew, revoke, and download (General settings). When a gated operation is attempted:
- Operators (and anyone below admin) get an approval request instead of immediate execution — it lands here as
pending_approval. - Admins and owners are auto-approved: the request is recorded for the audit trail and they can execute straight away.
For the concept and design of the workflow, see Approval workflow.
Views
Admins and owners see a segmented switch in the header:
- My Requests — requests you created, any status.
- Pending Reviews — requests awaiting review in the current project, with a live count badge (e.g. Pending Reviews (3)).
Non-admin users only see My Requests. A second segmented control filters both views by status: All · Pending · Approved · Rejected · Executed · Failed · Expired · Cancelled.
The request table
| Column | Content |
|---|---|
| Operation | Colour-coded tag: issue (blue), reissue (cyan), renew (green), revoke (red), download (purple). |
| Certificate | Link to the certificate detail (name, primary domain, or ID). |
| Requested By | Who filed the request — shown in the Pending Reviews view only. |
| Status | Status tag; executing shows a live spinner. |
| Requested | Relative time (hover for the exact timestamp). |
| Reviewer | Approved by X or Rejected by X once reviewed. |
| Actions | Context-dependent buttons — see below. |
Expand a row for the full record: certificate, domain, operation, requester, the rejection reason (if rejected), and the execution error (if execution failed).
Statuses
| Status | Meaning |
|---|---|
pending_approval | Waiting for a reviewer. Expires 7 days after creation. |
approved | Green-lit — the requester (or an admin) can now execute it. |
rejected | Declined by a reviewer; the reason shows in the expanded row. |
executing | Execution in progress. |
executed | Done — a View Job button links to the resulting job. |
execution_failed | Approved and executed, but the operation errored. |
expired | Nobody acted within 7 days. File a new request. |
cancelled | Withdrawn by the requester (or an admin). |
As a requester
- Trigger a gated operation from the certificate pages — you'll be told an approval request was created.
- Track it under My Requests; you'll also be notified when it's reviewed (if notification rules are set up).
- While
pending_approvalorapproved, you can Cancel it (confirmation dialog). - Once
approved, click Execute and confirm. Execution enqueues the operation as a job. For download requests, the file opens immediately in a new tab via a single-use download token. - After
executed, View Job jumps to the job detail with the run's logs. - If it lands in
execution_failed, hover Error for the message. A Retry button appears only for transient error classes (JOB_QUEUE_ERROR,CA_ERROR,STATUS_CONFLICT) — anything else needs a fresh request after fixing the cause.
Execute and retry are allowed for the original requester or a project admin.
As an approver
- Switch to Pending Reviews — the badge count tells you if anything is waiting.
- Expand a row to inspect the certificate, domain, operation, and requester.
- Click Approve — the request flips to
approvedand the requester is notified. Execution is not automatic; the requester still pulls the trigger. - Or click Reject — a dialog asks for an optional reason, which the requester sees in the expanded row.
Rules enforced by the backend:
- Approve/Reject require the Admin project role or higher.
- Self-approval is blocked — you cannot approve your own request, regardless of role (separation of duties).
- Acting on an already-expired request marks it
expiredinstead. - Approval actions are rate-limited (10 per minute per user).
Approve and Reject buttons also appear on pending rows in My Requests for admins — handy when reviewing a colleague's request that shows up in a shared certificate context — but self-approval is still rejected by the API.
Notifications
The workflow emits approval.requested, approval.approved, approval.rejected, approval.executed, and approval.expired events — route them to Email/Slack/Teams via notification rules. Pending reviews you're eligible for also count on the main dashboard.