> ## Documentation Index
> Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# List pending approvals across the organization

> Long-polls for manual-approval requests awaiting a decision across **every** project in the organization. Returns immediately when any are pending, otherwise holds the connection open (up to `timeoutSeconds`) until one arrives or the poll times out.

Each request carries its own `projectId`; submit the decision to the existing `POST /approvals/{id}/decision` route with that project's `X-Project-Id`. Authenticate with an organization API key (`oc_org_...`) — the poll itself sends no `X-Project-Id`. Requires the admin or owner role. Available on OneCLI Cloud and self-hosted Enterprise.




## OpenAPI

````yaml /openapi.yaml get /org/approvals/pending
openapi: 3.1.0
info:
  title: OneCLI API
  version: '1.0'
  description: >
    The OneCLI API lets you manage agents, secrets, policy rules, app
    connections, and user settings programmatically.


    **Base URL:** `https://api.onecli.sh/v1` (Cloud) or
    `http://localhost:10254/v1` (self-hosted)


    ## Authentication


    All endpoints require authentication via one of:


    - **API Key** — `Authorization: Bearer <key>` header. Generate keys in the
    dashboard or via `GET /v1/user/api-key`.

    - **Session** — Cookie-based session from the web dashboard.


    For organization-scoped API keys, include the `X-Project-Id` header to
    specify which project to operate on.
servers:
  - url: https://api.onecli.sh/v1
    description: OneCLI Cloud
  - url: http://localhost:10254/v1
    description: Self-hosted (Docker)
security:
  - bearerAuth: []
tags:
  - name: Agents
    description: Manage agents and their access tokens, secrets, and configuration.
  - name: Secrets
    description: Manage credentials that the gateway injects into outbound requests.
  - name: Rules
    description: >-
      Manage policy rules that control how agents interact with external
      services.
  - name: Approvals
    description: >-
      Long-poll for pending manual-approval requests and submit approve/deny
      decisions.
  - name: User
    description: Manage your user profile and API keys.
  - name: Projects
    description: >-
      Manage projects within your organization. Requires admin role for
      create/update and owner role for delete. Cloud only.
  - name: Team
    description: Provision team members programmatically. Requires admin role. Cloud only.
  - name: Apps
    description: >-
      Manage app connections (OAuth and direct credentials), BYOC configuration,
      permission catalogs, and blocklists.
  - name: Connections
    description: App connections as a top-level resource.
  - name: Utility
    description: Health check and project resource summaries.
  - name: Agent Setup
    description: >-
      Endpoints agents and orchestrators use to bootstrap gateway access
      (container config, credential stubs, gateway skill).
  - name: Migration
    description: Migrate data from a self-hosted instance to OneCLI Cloud.
  - name: Organization Settings
    description: >-
      Organization-wide policy settings. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Organization Secrets
    description: >-
      Manage secrets at the organization level. Organization secrets apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Rules
    description: >-
      Manage policy rules at the organization level. Organization rules apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Connections
    description: >-
      Manage app connections at the organization level. Available on OneCLI
      Cloud and self-hosted Enterprise.
  - name: Organization App Config
    description: >-
      Connect apps (OAuth and direct credentials) and manage BYOC app
      configuration at the organization level. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Organization Approvals
    description: >-
      Long-poll for manual-approval requests across every project in the
      organization. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Partner Organizations
    description: >-
      Create and manage customer organizations as a partner. Requires a Partner
      API key. Cloud only.
  - name: Partner Projects
    description: Manage projects within an unclaimed partner organization. Cloud only.
  - name: Partner Secrets
    description: >-
      Manage partner-level secrets inherited by every organization you manage.
      Cloud only.
  - name: Partner Budgets
    description: >-
      Cap how much an organization can spend on a partner LLM key. Owner or
      admin only. Cloud only.
  - name: Partner Members
    description: >-
      Manage who can sign in to your partner portal. Owner or admin only. Cloud
      only.
  - name: Organization Partner
    description: Inspect and detach an organization's partner relationship. Cloud only.
paths:
  /org/approvals/pending:
    get:
      tags:
        - Organization Approvals
      summary: List pending approvals across the organization
      description: >
        Long-polls for manual-approval requests awaiting a decision across
        **every** project in the organization. Returns immediately when any are
        pending, otherwise holds the connection open (up to `timeoutSeconds`)
        until one arrives or the poll times out.


        Each request carries its own `projectId`; submit the decision to the
        existing `POST /approvals/{id}/decision` route with that project's
        `X-Project-Id`. Authenticate with an organization API key (`oc_org_...`)
        — the poll itself sends no `X-Project-Id`. Requires the admin or owner
        role. Available on OneCLI Cloud and self-hosted Enterprise.
      operationId: listOrgPendingApprovals
      parameters:
        - name: exclude
          in: query
          required: false
          schema:
            type: string
          description: >-
            Comma-separated approval IDs to skip (already being handled) so the
            poll can hold open for genuinely new requests.
      responses:
        '200':
          description: Pending approval requests across the organization
          content:
            application/json:
              schema:
                type: object
                properties:
                  requests:
                    type: array
                    items:
                      $ref: '#/components/schemas/PendingApproval'
                  timeoutSeconds:
                    type: integer
                    description: How long the server holds the long-poll open, in seconds.
        '403':
          description: >-
            Insufficient permissions (requires an organization API key with the
            admin or owner role)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  schemas:
    PendingApproval:
      type: object
      description: >-
        A manual-approval request awaiting a decision, tagged with the project
        it belongs to.
      properties:
        id:
          type: string
          description: >-
            Unique approval ID. Pass to `POST /approvals/{id}/decision` to
            decide it.
        projectId:
          type: string
          description: >-
            The project this request belongs to. Send it as `X-Project-Id` when
            submitting the decision.
        method:
          type: string
          description: HTTP method of the held request (e.g. `POST`).
        url:
          type: string
          description: Full URL of the held request.
        host:
          type: string
        path:
          type: string
        headers:
          type: object
          additionalProperties:
            type: string
          description: Sanitized request headers (auth headers removed).
        bodyPreview:
          type: string
          nullable: true
          description: >-
            Human-readable, length-bounded rendering of the request body — safe
            to display directly.
        summary:
          type: object
          nullable: true
          description: >-
            Structured form of `bodyPreview` for richer rendering (an `action`
            label plus key/value `details`).
        agent:
          type: object
          description: The agent that made the request.
          properties:
            id:
              type: string
            name:
              type: string
            externalId:
              type: string
              nullable: true
        createdAt:
          type: string
          format: date-time
        expiresAt:
          type: string
          format: date-time
    Error:
      description: |
        Error responses take one of two shapes depending on the failing layer:
        route-level validation returns the flat shape (`{ "error": "..." }`),
        while authentication failures (401/403) and service errors (not-found,
        conflict, and service-level validation) return the envelope
        (`{ "error": { "message": "...", "type": "..." } }`).
      oneOf:
        - $ref: '#/components/schemas/ErrorFlat'
        - $ref: '#/components/schemas/ErrorEnvelope'
    ErrorFlat:
      type: object
      description: Flat error shape used by route-level validation.
      properties:
        error:
          type: string
      required:
        - error
    ErrorEnvelope:
      type: object
      description: >-
        Envelope error shape used for authentication failures and service
        errors.
      properties:
        error:
          type: object
          properties:
            message:
              type: string
            type:
              type: string
              description: Error category (e.g. `authentication_error`).
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: API key obtained from the dashboard or `GET /user/api-key`

````