workflow.execute
What this action is
Execute an automation workflow with side effects.
When to use it
Use this action when you are about to execute an automation workflow with side effects.
Real-world example
Example: your AI agent proposes an operation that would result in workflow.execute. Before you apply the side effect, validate the exact payload with ASG.
When not to use it
Do not use workflow.execute for planning, drafting, or simulation. Only call ASG when your system is prepared to execute on PASS or stop on WARN/BLOCK.
Allowed action_type values
This field is enforced. If it is not listed, do not send it.
execute
Canonical payload (This will PASS)
```json
{
  "action_kind": "workflow.execute",
  "action_type": "execute",
  "ai_output": {},
  "context": {
    "account_id": "example",
    "actor_user_id": "example",
    "idempotency_key": "example",
    "log_payload_preview": "example",
    "payload_preview": "example",
    "payload_schema": "example",
    "recent_duplicate_count": 1,
    "request_id": "example",
    "session_user_id": "example",
    "system_instructions": "example",
    "user_input": "example",
    "workflow": "example",
    "workflowName": "example"
  }
}
```
Required context
| Field | Required | Type | Consequence |
|---|---|---|---|
| account_id | Required | string | BLOCK: Missing required context (account_id). |
| actor_user_id | Required | string | BLOCK: Missing required context (actor_user_id). |
| idempotency_key | Required | string | BLOCK: Missing required context (idempotency_key). |
| log_payload_preview | Required | string | WARN: Missing required context (log_payload_preview). |
| payload_preview | Required | string | WARN: Missing required context (payload_preview). |
| payload_schema | Required | string | WARN: Missing required context (payload_schema). |
| recent_duplicate_count | Required | number | BLOCK: Missing required context (recent_duplicate_count). |
| request_id | Required | string | BLOCK: Missing required context (request_id). |
| session_user_id | Required | string | BLOCK: Missing required context (session_user_id). |
| system_instructions | Required | string | BLOCK: Missing required context (system_instructions). |
| user_input | Required | string | BLOCK: Missing required context (user_input). |
| workflow | Required | string | BLOCK: Missing required context (workflow). |
| workflowName | Required | string | BLOCK: Missing required context (workflowName). |
| recent_actions_count | Optional | number | No direct consequence (not required). |
| time_window_minutes | Optional | number | No direct consequence (not required). |
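A local pre-flight check built from the Required context table, so a caller can see which outcome a payload is heading for before it reaches the gate. This is an added example, not ASG's own code: the function names, the return shape, and the choice to report a wrong JSON type as WARN (taken from the "Schema mismatch" row under Common errors) are assumptions of this sketch.

```python
# Field names, types and BLOCK/WARN consequences are copied from the
# Required context table; everything else here is this example's own.
NUMBER = (int, float)
REQUIRED_CONTEXT = {
    "account_id": (str, "BLOCK"),
    "actor_user_id": (str, "BLOCK"),
    "idempotency_key": (str, "BLOCK"),
    "log_payload_preview": (str, "WARN"),
    "payload_preview": (str, "WARN"),
    "payload_schema": (str, "WARN"),
    "recent_duplicate_count": (NUMBER, "BLOCK"),
    "request_id": (str, "BLOCK"),
    "session_user_id": (str, "BLOCK"),
    "system_instructions": (str, "BLOCK"),
    "user_input": (str, "BLOCK"),
    "workflow": (str, "BLOCK"),
    "workflowName": (str, "BLOCK"),
}
RANK = {"PASS": 0, "WARN": 1, "BLOCK": 2}

def canonical_payload():
    """Constructed sample: the page's canonical payload with placeholder values."""
    context = {name: "example" for name in REQUIRED_CONTEXT}
    context["recent_duplicate_count"] = 1
    return {"action_kind": "workflow.execute", "action_type": "execute",
            "ai_output": {}, "context": context}

def preflight(payload):
    """Return (worst_status, findings) predicted by the table for this payload."""
    findings = []
    if payload.get("action_kind") != "workflow.execute":
        findings.append(("BLOCK", "action_kind is not workflow.execute (out of scope here)."))
    if payload.get("action_type") != "execute":  # the only allowed action_type
        findings.append(("BLOCK", "Unknown action_type for action_kind workflow.execute."))
    context = payload.get("context")
    if not isinstance(context, dict):
        context = {}  # every required field is then reported as missing
    for field, (expected, consequence) in REQUIRED_CONTEXT.items():
        value = context.get(field)
        if field not in context:
            findings.append((consequence, f"Missing required context ({field})."))
        elif isinstance(value, bool) or not isinstance(value, expected):
            findings.append(("WARN", f"Schema mismatch ({field})."))  # bool is not a JSON number
    status = max((s for s, _ in findings), key=RANK.get, default="PASS")
    return status, findings
```

A PASS here only means the payload is well-formed; the gate's policies still decide the real outcome.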
Decision behavior (PASS / WARN / BLOCK)
AI Safety Gate is fail-closed by design. If validation or approval polling cannot be safely completed (missing required context, invalid responses, timeouts, or unexpected errors), execution must stop.
| Status | What ASG returns | What you must do |
|---|---|---|
| PASS | Allowed by safety policy. | Execute the action. |
| WARN | Review required by safety policy. | Do not execute. Persist decision_id and wait for human approval. Approval does not modify policies and does not change the original decision — it authorizes execution for this specific decision_id. |
| BLOCK | Blocked by safety policy. | Do not execute. Fix payload/context and re-validate. |
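The fail-closed handling described above, as an added example that is not ASG's client code. The `validate` callable (whatever sends the payload to ASG), the `status` response key and the returned dictionaries are assumptions; `decision_id` and `approval_token` are the WARN fields this page names.

```python
def stop(reason):
    """Fail-closed outcome: the side effect must not run."""
    return {"action": "stop", "reason": reason}

def decide(validate, payload):
    """Map one validation attempt to execute / hold / stop.

    validate is a hypothetical callable that submits payload to ASG and
    returns the parsed response as a dict. Anything other than a clean
    PASS or a complete WARN ends in "stop".
    """
    try:
        response = validate(payload)
    except Exception as exc:  # timeout, transport error, parse error, ...
        return stop(f"validation did not complete: {type(exc).__name__}")
    if not isinstance(response, dict):
        return stop("invalid response shape")
    status = response.get("status")  # assumed key name
    if status == "PASS":
        return {"action": "execute"}
    if status == "WARN":
        decision_id = response.get("decision_id")
        token = response.get("approval_token")
        if all(isinstance(v, str) and v for v in (decision_id, token)):
            # Persist decision_id and wait for human approval; do not execute yet.
            return {"action": "hold", "decision_id": decision_id}
        return stop("WARN without decision_id/approval_token")
    if status == "BLOCK":
        return stop("blocked by safety policy")
    return stop(f"unrecognised status: {status!r}")
```

Only the exact string PASS leads to execution, so a lowercase, missing or misspelled status cannot slip through as an allow.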
Policy behavior
This ActionKind is evaluated against managed policies derived from the managed policy catalog.
Example threshold shapes used by applicable policies: {"maxActionsPerMinute":5}
Related policies: Identity policies, Data policies
| Policy summary | Severity | Required context | Thresholds | Approval | Remediation |
|---|---|---|---|---|---|
| Block actions when session identity/account mismatch is detected. | BLOCK | session_user_id, account_id, actor_user_id | — | — | Re-authenticate and validate server-side identity. Investigate potential replay or token confusion. |
| Block any attempt to bypass the Safety Gate or disable enforcement. | BLOCK | ai_output | — | — | Treat as hostile. Do not execute. Investigate the source prompt and upstream inputs. |
| Block prompt injection and instruction override attempts. | BLOCK | ai_output, system_instructions, user_input | — | — | Remove/neutralize attacker instructions. Use structured tool arguments. Re-run with sanitized user input. |
| Block repeated retries/loops that cause duplicate side effects. | BLOCK | idempotency_key, recent_duplicate_count | {"maxActionsPerMinute":5} | — | Enforce idempotency keys. Add dedupe. Stop runaway retries with backoff + circuit breakers. |
| Block when required integration context is missing. | BLOCK | workflow, workflowName, system_instructions, user_input, actor_user_id, account_id, request_id, idempotency_key | — | — | Include the required context fields so the gate can make a deterministic decision and record an auditable event. |
| Warn if logs attempt to store sensitive data or raw secrets. | WARN | log_payload_preview | — | WARN requires approval | Redact logs. Store references instead. Keep sensitive fields out of audit trails. |
| Warn when structured tool args are invalid/missing required fields. | WARN | payload_schema, payload_preview | — | — | Fix payload schema/validation. Require requiredContext fields before allowing execution. |
Approval behavior
If validation returns WARN, you must pause execution and wait for approval.
WARN requires human approval. Approval authorizes execution for the same decision_id and does not modify policies or change the original decision record.
WARN responses include a decision_id and an approval_token.
Applicable WARN policies for this ActionKind require explicit approval.
- See When approval is required.
- See WARN → approval lifecycle.
- See Polling behavior.
- If approval cannot be completed, see Approval failures.
Common errors
| Mistake | What happens | Fix |
|---|---|---|
| Using an unknown action_kind | BLOCK: Unknown action_kind. Supported action_kind values: money.move, money.refund, money.credit, money.payout, billing.change, billing.cancel, identity.role_change, identity.auth_change, identity.user_create, identity.user_delete, admin.access, data.export, data.import, data.read, data.write, data.delete, data.purge, data.share, messaging.send, messaging.broadcast, messaging.webhook, integrations.connect, integrations.disconnect, integrations.scope_change, workflow.execute, workflow.modify, support.case_update. | Fix: Unknown action kind |
| Using an unsupported action_type | BLOCK: Unknown action_type for action_kind workflow.execute. Supported action_type values: execute. | Use one of the allowed values listed above. |
| Omitting required context | BLOCK: Missing required context (workflow, workflowName, system_instructions). | Fix: Missing context |
| Sending the wrong JSON types | WARN: Schema mismatch. Proceeding with enforcement using normalized input. | Fix: Schema mismatch |
| Approval token generation fails | Approval token generation failed. Blocking by default. | Treat as BLOCK (fail closed). Retry validation later. |
Copy-paste examples
Minimal
```json
{
  "action_kind": "workflow.execute",
  "action_type": "execute",
  "ai_output": {},
  "context": {
    "account_id": "example",
    "actor_user_id": "example",
    "idempotency_key": "example",
    "log_payload_preview": "example",
    "payload_preview": "example",
    "payload_schema": "example",
    "recent_duplicate_count": 1,
    "request_id": "example",
    "session_user_id": "example",
    "system_instructions": "example",
    "user_input": "example",
    "workflow": "example",
    "workflowName": "example"
  }
}
```
Full
```json
{
  "action_kind": "workflow.execute",
  "action_type": "execute",
  "ai_output": {},
  "context": {
    "account_id": "example",
    "actor_user_id": "example",
    "idempotency_key": "example",
    "log_payload_preview": "example",
    "payload_preview": "example",
    "payload_schema": "example",
    "recent_duplicate_count": 1,
    "request_id": "example",
    "session_user_id": "example",
    "system_instructions": "example",
    "user_input": "example",
    "workflow": "example",
    "workflowName": "example",
```
Legal & Responsibility Notice
Summary
Informational only
Provided for general guidance. Not legal, compliance, security, or professional advice.
You control implementation
You are responsible for policies, prompts, integrations, workflows, and regulatory requirements.
Liability limitation
To the maximum extent permitted by law, the company disclaims liability for losses arising from use of this documentation or implementations based on it.