Documentation menu

Docs/Response channels

Response Channels

PausePoint delivers pause notifications via SMS, email, or Slack. Channel availability depends on your plan.

Channel Free Starter Pro Enterprise
SMS Yes Yes Yes Yes
Email No Yes Yes Yes
Slack No No Yes Yes
WhatsApp No No No Yes

SMS#

No setup required from the developer. PausePoint handles the Twilio number. You provide the recipient phone number in E.164 format.

Format: +[country code][number] — no spaces, dashes, or parentheses.

text
+15550100       # US
+447700900000   # UK
+61400000000    # Australia

Message format the human receives:

text
[PausePoint] Your agent wants to send a $340 wire to Acme Corp. Approve?

Respond here: https://api.pausepoint.dev/respond/TOKEN

Email#

Pass any email address as the recipient. PausePoint sends an HTML email with large tap-to-respond buttons for each option.

The subject line is: "Action required from your AI agent"

The email is mobile-optimized — each option renders as a large, full-width tap target with the respond_url embedded. The human taps a button in their email app and is taken to the response page.


Slack#

Pass a Slack incoming webhook URL as the recipient. You create the webhook URL once in Slack and never need to touch it again.

How to create a Slack incoming webhook:

  1. Go to api.slack.com/apps
  2. Create a new app (or use an existing one) → "Incoming Webhooks" → Activate
  3. Click "Add New Webhook to Workspace" → Pick a channel
  4. Copy the webhook URL: https://hooks.slack.com/services/T.../B.../...

What the Slack message looks like:

text
Action required from an AI agent

Your agent wants to send a $340 wire to Acme Corp. Approve?

Options: Approve | Reject
[Respond Now] ← button linking to respond_url

Response Page Security#

Every pause generates a unique HMAC-SHA256 signed response token. The token is embedded in the SMS link as respond_url.

Token properties: - Encodes the pause ID and expiry timestamp in the payload - Signed with the server's SECRET_KEY using HMAC-SHA256 - Single-use: invalidated the moment the human submits a response - Expiry-enforced: tokens cannot be used past expires_at, regardless of usage status

The hash of the token (not the token itself) is stored in the database. The plaintext token only exists in the SMS link and in-transit — it is never logged or stored.

URL structure: https://api.pausepoint.dev/respond/{token}

The static HTML page at /respond/ reads the token from window.location.pathname, calls GET /v1/respond/{token} to load the question, then POST /v1/respond/{token} to submit.