- The policy: who has to approve, in what order, and how strict the per-access limits are.
- The path to access: either an Administrator pre-approves an access window for a specific member, or an Operator requests one and approvers sign off.
- The active access record: once approved, it’s the row in the Approvals table with its own expiry, signature count, and revoke button.
Signers without an approval policy don’t use this flow. Members with sign rights sign directly and you’ll still see a full audit trail under the Signer’s Activity tab.
When you want an approval policy
Production releases
Two security leads must sign off before a release artifact is signed.
Separation of duties
Developers request to sign; managers approve. Audit shows both actors.
Compliance
SOC 2, PCI-DSS, or internal SDLC frameworks that require documented approval.
Bounded CI access
Pre-approve a CI identity for “10 signings within the next hour” instead of standing access.
How an approval flow works
Each step runs in order. Once the last step’s required approvals are reached, Infisical issues an active access record bounded by the policy’s per-approval limits. The Operator can then sign through the PKCS#11 module or the Sign API. Administrators can also pre-approve signing directly when the approval flow isn’t a fit, for example during an incident response where waiting on approvers would block recovery.Configure the approval policy
Open the Signer’s Approvals tab and click the pencil icon on the Approval Policy panel. The editor is a 2-step sheet.Approvers
Define one or more approval steps. To turn the policy off entirely, delete every step. The Signer reverts to direct signing.For each step:
Add more steps to run multiple sign-offs in sequence. For example: Step 1 Team Lead Review (1 approval), then Step 2 Security (2 approvals).Required-approval validation:
| Field | Description |
|---|---|
| Step name | Optional label like Security Team Review or Manager Sign-off. Visible to approvers in their queue. |
| Approvers | Eligible users or groups for this step. They must already be members of the Signer (any role). Group approvers let anyone in the group approve. Auditors can be members but cannot be approvers. |
| Required approvals | The number of distinct approvers that must approve before the step is complete. |
- A step must have at least one approver.
- Required approvals must be ≥ 1.
Approval limits
Per-approval caps that apply to every access record this policy issues:
You can combine both. For example:
| Field | Description |
|---|---|
| Signatures per approval | How many signing operations one approval is good for. Leave empty for unlimited. Set to 1 for “approve once per artifact”. |
| Signing window | How long the access record is valid after approval. Options: No limit, 1h, 8h, 24h, 7d, 30d. |
maxSignings=10 with signing window=1h issues access good for at most 10 sign calls within one hour of approval, whichever comes first.Access lifecycle
Every approved request becomes an active access record. On the Approvals tab it’s a row in the Requests table with its own status, expiry, and signature counter.Statuses you’ll see
| Status | Meaning |
|---|---|
| Pending | Approval workflow is in progress. Waiting on the current step’s approvers. |
| Active | All steps approved, access issued, still within window and signatures remaining. |
| Expired | Window has passed, or the signature count was exhausted. |
| Revoked | An Administrator revoked the access (or the requester cancelled the request). |
| Rejected | An approver rejected one of the steps. |
Approval paths
There are two ways someone gets active access on a Signer: Administrators pre-approve signing directly for someone else, or members open a request to sign that runs through the approval policy.- Pre-approve signing
- Request to sign
An Administrator gives a specific member access up-front. No approval workflow runs. The access is created Active immediately and the recipient can sign right away.
Typical use: pre-approving a CI machine identity for “10 signings within the next hour” right before a release pipeline runs.
Pick the recipient
Select the user or machine identity that should receive access. The list includes every Signer member except Auditors (including users reachable via a group).
Set the access terms
| Field | Description |
|---|---|
| Justification | Short note recorded on the access record for audit. Required. |
| Signatures allowed | How many sign operations the access permits. Capped at the policy’s Signatures per approval. Leave empty to fall back to the policy ceiling. |
| When access begins | Defaults to “now”. |
| When access expires | Capped at the policy’s Signing window. Leave empty to fall back to the policy ceiling. |
Per-access values cannot exceed the policy ceilings. Requesting
maxSignings=10 against a policy that allows 3 returns a 400 with a clear message. Omitting a field that the policy caps simply clamps to the ceiling, never silently unlimited.Approving or rejecting
If you’re an eligible approver for the current step of a pending request, an Approve or Reject action is visible on the request row.Open the request
Click the row on the Signer’s Approvals tab. Full details: requester, recipient, justification, requested signings, requested window, and which step is currently pending.
Revoking access
Administrators can revoke an active access record (or cancel a pending request) at any time. Hover the row on the Approvals tab; an X icon appears. Confirm in the dialog and:- Pending request cancels the workflow. No approver can act on it after that.
- Active access is immediately revoked. Subsequent sign calls return 403 with a clear message.
FAQ
I approved a request but nothing happened.
I approved a request but nothing happened.
The policy has more than one step and yours wasn’t the final step. Open the request to see which step is currently pending; the access record is issued only after the last step’s required approvals are reached.
I'm an Operator but I don't see Request to sign.
I'm an Operator but I don't see Request to sign.
Three possibilities:
- The Signer has no approval policy, so signing is direct and no request is needed.
- You already have active access. Sign directly under it.
- You don’t have sign permission. Check that your role on this Signer is Operator or Administrator (not Auditor).
Can a CI identity bypass approval?
Can a CI identity bypass approval?
Have an Administrator pre-approve access for that identity in advance with appropriate per-approval limits. The CI identity then signs under the access record directly without going through the review workflow.
Can I extend active access?
Can I extend active access?
No. Access records are immutable once issued. If you need more time or more signatures, submit a new request (or have an Admin pre-approve a new one) and revoke the old one if you want to be tidy.
What's the difference between Expired and Revoked?
What's the difference between Expired and Revoked?
Expired is automatic: the window ended or the signature count was reached. Revoked is explicit: an Administrator (or the requester via cancel) ended the access before its natural expiry. Either way, signing under it is no longer possible. The status difference shows up in the audit log.
What happens to a pending request when I edit the policy?
What happens to a pending request when I edit the policy?
Pending requests run under the policy that was active when they were submitted. Edits affect only new requests. To force a refresh, revoke the pending request and have the requester submit again.
What’s next
Signers
Manage the Signer itself: members, certificate, lifecycle.
PKCS#11 Module
Have the module auto-open signing requests on denied calls.