Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: ApproveAPI – Real-Time user approvals via email, SMS, and push (approveapi.com)
183 points by cyanflux 7 days ago | hide | past | web | favorite | 56 comments

I wish I built this. this is a great idea. it's simple and useful it's something I could have built myself in a couple of weeks and it aggregates a lot of business useful functionality into one place. I'm putting this in my list of businesses that are good ideas because they factor out internal projects repeated across many companies.

Reading the comments here it seems a lot of people are triggered. instead of acknowledging the idea is good and they wish they had build at themselves, they are in denial dismissing it's utility by saying it won't work as a business, or they could build it internally. I say this in the Spirit of a good hn comment is something we can learn from and I believe people can learn from examining their own reactions. it seems the denial and dismissal simply serves to make one feel better about the realisation that they missed the chance to build this even though they could have and it is a good idea. so instead of facing that feeling and learning something useful they "alter reality" by downplaying the idea is good to limit the pain.

my point is that that's not a very useful response because it neutralizes the opportunity that could be something to learn from. and I guess if you do this pattern of behaviour enough then, you stop yourself learning many times miss the chance to create things you want and maybe get addicted to this reaction of altering reality to feel better rather than learning something to get a result.

I appreciate your defense of these folks. It’s a kind gesture with great intent behind it. My response in no way takes away from the spirit of your post.

I think the core of why people are responding how they are is that there’s not a big moat here, yet. You mention people being triggered due to missing out on their opportunity to build it- but in reality someone can just knock these folks off after a couple of weekends. That’s not to say the tech here shouldn’t exist, or that this isn’t a business. It is, I’d pay for it, I just wouldn’t pay for long. That’s ok though, it’s just a specific type of business.

I hope they stumble across something sticky in their solution that makes them painful to replicate. These sorts of utilities are always welcome and they make bootstrapping faster and faster every year.

Hit y'all up on intercom but leaving my feedback here as well.

I built this out internally for my app, and it took me a little over a day to do it. Had this existed when I built it out, I absolutely would have just paid a buck per 100 emails to save myself time; however, I don't think it's a challenging enough problem on its surface to keep someone from re-writing it and replacing you long term. All that being said, it's a good foundational product, and hopefully you'll add some more features that make it sticky / become aggressive on pricing at scale.

Best of luck!

> I don't think it's a challenging enough problem on its surface to keep someone from re-writing it and replacing you long term

Agreed, it's nice to get something up and running for a personal project, but I'm building a commercial app that has to pass a basic security audit and every 3rd party service adds another attack vector and potential leak of sensitive data (like name, Email & phone).

I love the idea of being able to run a service like this though that's basically a set and forget hackathon project.

Wow, $1 for 100 emails is very very very very expensive. So expensive that I'd opt to build this in house rather and take on the costs associated with it and still come out saving money.

It's a pretty solid idea otherwise.

> I'd opt to build this in house rather and take on the costs associated with it and still come out saving money

This seems to be the default position of almost everyone in IT, everywhere I go. People make this claim without doing any calculations.

I can imagine building this in house would be at least a few weeks of developer work and some more devops. That's tens of thousands of dollars. You'd have to send a million emails to break even. How many of this kind of transactional email do you send per year?

It's a crazy calculation. For mass marketing it'd be outrageous. But for mission-critical business flows? It's a rounding error.

Anyone that’s at a scale where this is connected to business certical workflows is likely equipped to build this in house at a fraction of the cost. In terms of level of effort, this product itself is a rounding error.

Let's say there's a need to approve 10 things a week, each needing a 5 person approvals.

That's $2 per month of cost.

A developer costs $150k a year, and if it takes a month to develop, you could have the service for some 5000 months.

In-house developers should focus on the business domain, not on custom building business processes.

Go talk to your vendor management team about getting a $2/mo contract signed. What does support look like because if this goes down at 2 AM, business is impacted.

Legal needs to review because it is sending employee PII (emails, phone numbers, etc) to a third party, who now knows the individuals in critical "approval roles".

Next hit up security and have them do an audit since this is going to be part of a security control. For bonus points, the internal pentest team finds a bypass that ApproveAPI needs to fix.

Your $150k a year developer is now spending 3-5 hours a week for 3 weeks shepherding a vendor onboarding for something they could have built and tested in a few hours.

Yes but your internal developer still needs to go through legal and security for the same reasons, as well as the internal pen test. The only thing you get to skip is vendor management.

And in most cases, vendor management isn't going to get involved for something that will be expensed on a credit card for $2/mo

Anywhere that dysfunctional is probably going to take 3 months and internally bill you a small fortune for the infrastructure to host the app.

Once had an internal infrastructure team estimate £70K for the infrastructure to host a single static HTML page.... :-)

No one does this “approve 10 things a week with a 5 person approval” flow that isn’t already done in some organized platform or system. Where on earth is this use case happening that this is both a valid use case and a savvy enough customer to buy this solution? This is not a thing.

This will not be built in house at a fraction of the cost. In fact, it will be a massive, _massive_ waste of time.

But it is part of a business critical flow, and therefore handing it over to a third party is absolutely unthinkable.

> This seems to be the default position of almost everyone in IT, everywhere I go. People make this claim without doing any calculations.

I constantly see people not even considering what it means to be giving (potentially critical) business processes away to another company, not having any real knowledge in house, and not realizing that sometimes partners suck and won't help you fix problems in their software.

Neither is a sure bet all of the time, but just dismissing pulling things in house neglects a lot of other downsides to outsourcing.

I think that's a bit strong without talking about use cases.

Approvals here cost ~1¢. Picking a figure of $100k as a developer salary (as it was the first result in a quick search) that puts a lowish bound as about $400/day. So you could take your estimate of build & maintenance times per year, multiply by about 40-50,000 and that's how many approvals you're looking at.

So if you're google doing this every login, sure, that would be prohibitively expensive. If it's my accountants site doing it before they charge me a different amount for filing (there's one of these every year) or being the approve/reject part of an HR holiday system, or anything less common you'd have to be pretty big before it'd be worth spending a day or so building it yourself.

Personally I could see myself using it in some automated workflows I'm building now. Script runs, but before it does something irreversible (e.g. ordering an item) it checks with me that things look OK. It'll cost me a tiny fraction of the total spending, and it's ready right now (and works!).

Felt the same, though it really depends very much on your use case. If you end up in the thousands of daily approvals, then yes, that would be immensly expensive for the service it provides

Hey -- one of the creators here, thanks for your comment. We definitely don't want to price out companies from using our service so we are listening carefully.

I also want to mention that we do support volume pricing, so if you want to send lots of approvals per month we can work together on a price that makes sense for your use case -- just reach out to us at support@approveapi.com.

You are clearly baking in your Twilio/Mailgun costs in to the per-approval price. Why not just let me provide an API key and charge $5/mo for the service itself?

On average, a boring approval wastes maybe 1 minute between the requester waiting and the approver opening whatever system they use for approval. Over 100 approvals, this is 100 minutes wasted.

At $100 per hour for a professional, you could save around $159 by using this service.

Seems like the pricing works out to me. You just have to figure out how much time is wasted in traditional approval and how much time this approval method saves the customers.

I made a similar open source verification gateway recently. It supports emails and you can write other providers as plugins.


Not sure if I agree, but what do you think would be a fair price for something like this?

Curious how you calculated that -- mind sharing back of the napkin?

The price is right there on the page? $1 for 100 approvals (additional SMS cost not included)

I think they're referring to the other side of the equation, the cost of building it in house and maintaining it and coming out ahead.

Small Suggestion

In the `POST /prompt` endpoint provide a way to pass metadata that does not need to be shown to the user, and return that back in the prompt answer object sent in the webhook/callback.

This is helpful in cases, where I want to send some internal transaction or event reference codes that will help me to properly co-relate the answer into my flow.

Best of luck!

Thanks for the suggestion! This is on our product roadmap.

One way to track users is also to specify approve/reject redirect urls with random tokens (though we agree that private metadata is more ergonomic in this case).

How do you prevent email/web filtering applications that "scan" email/web URLs from triggering the confirmation/denials?

I think it looks good but needs examples of something other than just "yes/no" dialogs, or maybe all use cases are boiled down to that?

If not, you should include detailed examples for

"Send magic sign-in links, two-step verification, re-authenticate long-lived sessions, new device confirmations, verify identity for lost accounts or customer support."

A useful feature for a service like this is being able to set delegates both from the producer and consumer side. For example, if the person I sent the notification to doesn’t respond in <time window>, then send a request to this person (potentially their manager / emergency contact / etc...) . And, as someone receiving notifications, set another person as my delegate for a certain time window and for a specific application. This is what we have to deal with to handle OOO scenarios.

Looks good, quick testing seems to suggest it works pretty smoothly.

Small point, I'm not in the US so it'd be good to see the international SMS prices. There's no link I could see on the main page and the one after signing in doesn't resolve: https://dashboard.approveapi.com/full-sms-pricing

edit -

With customisation, can I put in links? Pictures?

Thanks! Oops, fixing the link now. We simply just pass along our at-cost price for sending an SMS via Twilio: https://www.twilio.com/sms/pricing/us.

Re: customization, we're quickly adding more customizations like colors/images, etc. Currently you can add a logo for your company, and customize all the text on the approval (approve text/reject text/title/body/etc). You can also specify redirect on {approve, reject} links to take the user somewhere after they answer the prompt.

Thanks! Bear in mind this is coming from a likely extremely low use user, but supporting links in the text that's sent may solve most problems other customisation would be used for when it comes to content (rather than look & feel).

FWIW, my current use-case I'd like to put in here is that I've got some auto-generated art based on user inputs that I'll be shipping off. There's some stuff that could go wrong, so having a final check before the order goes in would be great.

Currently the workflow would be

Auto generate

I check occasionally, manually set the order to go.

I'd like to change it to

Auto generate -> send me either the picture itself or a link to it, I hit approve/reject -> order completed automatically

For ~1 cent per order, it's not worth me even getting email alerting setup.

You can put links in the body of the request, most mail clients should render them without a problem

And there was me trying to be fancy adding in HTML. That works great, I'll integrate it all tonight, thanks :)

Hey! First of all, great work!

I hope it's okay if I give you a thought of mine. I built/am building a larger system but built-in is sending SMS's. I live in Israel, so Twilio works, but is an expensive option.

What I did is I have a sort of data access layer between the 'send SMS request' and many different API providers of the customers choosing. This lets them make a choice or, in my case, use a provider they already bought an SMS package with.

Really cool!

Some small feedback:

* The code in the "Test it in the Console" section is missing \'s, so you can't actually copy paste it as is now.

* The demo on the homepage suggests that there's some magic dynamic stuff happening in the email, which makes the actual email a bit of a letdown (though this is understandable)

Thanks for the feedback! You can copy an escaped version by clicking the icon in the upper-right.

The OpenAPI link is returning a 404. https://approveapi.com/docs/open-api-spec-2.0.json

Oops that's an outdated link, will fix asap. In the mean-time here is the spec: https://github.com/approveapi/openapi-spec

Interesting that you can use this for two-man rule...especially since this api is real-time. I'm having trouble thinking of scenario where I would use this feature at my company, but cool nonetheless

You just have to think of it as a sign-off rather than an approval, and you can quickly come up with many use cases for it.

For example, imagine that you are responsible for rolling the build this week, and you need to get a sign off from an assigned person on each sister team, confirming that they tested their feature area before you push the trigger and roll the build. You can either email and try to contact each person individually, but the cleanest way to solve this issue would be to create a multi-person approval, where you can track the status of a sign off for each sister team in real time. Approval serves as an affirmation in this scenario.

two man rule?

On the site it's called multi-person approvals, but this is the other name for it https://en.wikipedia.org/wiki/Two-man_rule

"ApproveAPI uses HTTP Basic Authentication where the username is your API key and the password is blank."

I'm not too fond of the lack of API password tbh. Cool idea otherwise.

Looks cool!

Can this be used for phone number verification? If so how this would work? The user would get a text with a link? Or shortcode?

Yes! The user would get a text with a link.

The email in the video on the site looks too much like a phishing attempt to me.

That's a mocked-up css animation, not a video of the actual email. Feel free to try the demo in the API dashboard to see the full UX.

This is neat but I wonder if companies would just build this themselves instead?

We built some of this functionality internally 6mos ago. Wish I had seen this then...

So ship it as a product. Offer competition.

They might do, but they also might opt not to if this solution exists?

Or they just don't build it and approve things not via an API. There may be a lot of processes out there that could benefit from something like this.

I like the API documentation formatting; how was this created?

It seems it's made with slate -> https://github.com/lord/slate

Nice, thank you!

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact