Skip to main content

E1500. Approvals disabled at this scope

Severity: ERROR. Class: ApprovalsDisabled (subclass of RuntimeError). Stable code: E1500.

What happened

You called request_approval(), but the effective approvals toggle for the requesting API key resolved to off. The backend rejected the request with HTTP 412 Precondition Failed before queueing any approval row:

{
  "error": "approvals_disabled_at_scope",
  "resolved_scope": "api_key",
  "reason_code": "E1500",
  "documentation": "https://docs.controlzero.ai/errors/E1500-approvals-disabled"
}

The resolved_scope is the scope whose toggle was off: api_key, project, org, or default (nothing is configured anywhere, so the fail-closed default applies).

Why it matters

Approvals are off by default. An unconfigured organization cannot silently accept approval traffic that no human will ever review, so the toggle cascade fails closed. Until an administrator turns approvals on at one of the scopes, every request_approval() call returns this error and the SDK honors the original deny.

How to fix

Turn approvals on at the scope you want to govern. In the dashboard, open Settings -> Approvals and flip the toggle for the org, a project, or a specific API key. The cascade walks most-specific to least-specific (api_key -> project -> org -> default), and the first configured scope wins. See Approval settings and cascade for the full precedence rules.

The error body's resolved_scope tells you which level is in effect, so you know exactly which toggle to change.

Catching this error

Python

from controlzero import Client
from controlzero.errors import ApprovalsDisabled

client = Client()
decision = client.guard("Bash:sudo apt-get install foo")
try:
    pending = client.request_approval(decision)
except ApprovalsDisabled as exc:
    print(f"Enable approvals at scope: {exc.resolved_scope}")

Node

import { Client, ApprovalsDisabled } from '@controlzero/sdk';

const client = new Client();
const decision = await client.guard('Bash:sudo apt-get install foo');
try {
  const pending = await client.requestApproval(decision);
} catch (err) {
  if (err instanceof ApprovalsDisabled) {
    console.log(`Enable approvals at scope: ${err.resolvedScope}`);
  }
}

E1500 vs E1704

CodeCauseOperator action
E1500Approvals are configured at a scope but offTurn the toggle on
E1704Approvals are not configured at any scopeConfigure approvals at the right scope

Modern backends resolve to default rather than 404, so most callers only need to handle E1500.

See also