allow, ask, or deny; client-side custom tools always pause so your application can execute them and return the result.
Runtime behavior
When a tool call is projected into the event stream:| Event | Meaning | Key fields |
|---|---|---|
agent.tool_use | Built-in tool call | id, name, input, evaluated_permission |
agent.mcp_tool_use | MCP tool call | id, name, input, mcp_server_name, evaluated_permission |
agent.custom_tool_use | Client-side custom tool request | id, name, input |
evaluated_permission can be:
| Value | Behavior |
|---|---|
allow | The platform executes the tool directly |
ask | The turn pauses and waits for user.tool_confirmation |
deny | The platform returns a denied tool result to the Agent |
permission_policy; they are executed by your client and resolved with user.custom_tool_result.
Configure policies on an agent
Configure built-in and MCP tool permissions inside the Agenttools array:
| Location | Applies to | Description |
|---|---|---|
tools[].configs[].permission_policy | One named tool | Per-tool override. For built-in tools, name is a built-in tool name such as Read; for MCP tools, name is the raw tool name exposed by that MCP server |
tools[].configs[].enabled | One named tool | Set to false to disable and deny that tool. When using enabled_tools, keep disabled tools out of that allowlist |
permission_policy.type values:
| Value | Runtime result |
|---|---|
always_allow | evaluated_permission: "allow" |
always_ask | evaluated_permission: "ask" and the turn waits for user.tool_confirmation |
always_deny | evaluated_permission: "deny" |
Pending action flow
When a tool call needs human or client input:- The stream emits
agent.tool_useoragent.custom_tool_use. - The stream emits
session.status_idlewithstop_reason.type: "requires_action". stop_reason.event_idslists the event IDs that need a response.- Your client sends a response event to
POST /api/v1/cloud/sessions/{session_id}/events. - The Agent continues the same turn.
Confirm a tool call
Use theid of the agent.tool_use event as tool_use_id. This is an evt_... event ID, not the model provider’s internal tool-use ID.
- Approve
- Deny
Complete a custom tool
Custom tools are configured on the Agent withtype: "custom"; see Agent Tools. When the Agent requests one, execute it in your application and respond with the agent.custom_tool_use event ID:
content value can be a string, one text block, or an array of text blocks. The returned event is stored with content-block shape.
FAQ
Q: Can one turn require multiple responses? A: Yes.stop_reason.event_ids may contain multiple event IDs; respond to each pending tool request.
Q: Do pending actions time out? A: No. They stay pending until resolved or until the session/turn is cancelled.
Q: Can custom tools use permission_policy? A: No. Custom tools are client-side, so the client is responsible for executing or refusing them.
Next steps
Tools
Equip your agent with built-in, MCP, and custom tools.
Session event stream
Stream agent thinking, messages, and tool calls over SSE.
Start a session
Run an agent against an environment.
Agent setup
Review Agent configuration.