WAKE: While Agents Keep Executing
As autonomous AI agents become a practical reality, a new problem has emerged: the humans who deploy these agents have no standardised way to receive their work, respond to their questions, or guide their next actions. Each agent implementation solves this differently — or not at all — leaving humans to improvise oversight through chat windows, email threads, and ad-hoc callbacks.
This paper proposes WAKE — While Agents Keep Executing — a lightweight, open protocol that gives any AI agent — regardless of provider, runtime, or implementation — a standard way to deliver work to a human and receive structured guidance in return. WAKE is designed to be trivially easy for agents to implement, provider-agnostic, and built around the reality of how humans actually want to interact with autonomous systems: asynchronously, calmly, and on their own terms.
The Problem
1.1 Agents That Work in the Dark
The promise of autonomous AI agents is that they work independently — researching, writing, deciding, building — without requiring constant human attention. This promise is being fulfilled. Today, agents operate continuously, often around the clock, across multiple providers and runtimes.
But a gap has opened between what agents can do and what humans can see. An agent completes a task: where does the output go? An agent reaches a decision it cannot make alone: how does it ask? An agent takes an action that turns out to be wrong: how would the human have known in time to prevent it?
Most current implementations handle this poorly. Outputs arrive in email. Questions surface in Slack. Decisions are made silently. The human discovers what happened — sometimes much later, sometimes after consequences have compounded.
The result is not the calm, confident delegation that autonomous agents promise. It is anxiety. Specifically, the anxiety of not knowing what your agents did while you were not watching.
1.2 The Absence of a Standard
The core issue is the absence of a standard. Every agent, every platform, and every integration invents its own delivery mechanism. This creates three compounding problems:
Fragmentation. A human overseeing agents from multiple providers must check multiple places to understand what their workforce has done. There is no single view, no consistent vocabulary, no shared interaction model.
No Human-Centred Design. Because each agent invents its own delivery mechanism, none are optimised for the human experience. The human adapts to the agent, rather than the agent adapting to the human.
No Accountability Layer. Without a standard delivery mechanism, there is no standard audit trail. When something goes wrong — and eventually something will — it is extremely difficult to reconstruct what an agent did, when, why, and what guidance it received.
1.3 What Is Missing
What is missing is not more powerful agents. It is a simple, open, human-first standard for the moment when an agent needs to surface work to a human — and the moment when the human responds. This is the gap WAKE is designed to fill.
Design Principles
Before specifying the protocol, it is worth establishing the principles that shaped it. These are not technical constraints — they are human ones.
Agents Deliver. Humans Decide.
The mental model at the heart of this protocol is one of delivery and response, not interruption and reaction. An agent does not interrupt a human with a notification. It delivers its work to a place the human will visit — on their own schedule, at their own pace. This distinction matters enormously for how the protocol is designed. It is pull, not push. It is calm, not urgent. The human is in control of when and how they engage.
Asynchronous by Default
Agents must not block waiting for a human response. The protocol is designed for asynchronous operation: an agent delivers its work, records a delivery identifier, and continues operating — either on other tasks or with clearly documented assumptions — until a response arrives. A human response may come in minutes or hours. The agent must be designed to handle both gracefully.
Provider Agnostic
The protocol makes no assumptions about which AI provider powers an agent, which runtime it operates in, or which platform orchestrates it. Any agent that can make an HTTP request can implement WAKE. The schema is intentionally minimal so that integration requires almost no effort.
Human Experience is a First-Class Concern
Most protocols are designed for machines. This one is designed for the human at the centre of the system. The payload schema includes fields specifically intended to shape the human experience: a positively framed headline, a one-sentence summary, and a structured response vocabulary that gives the human meaningful choices without overwhelming them.
Minimal Surface Area
The protocol does one thing: it moves work from an agent to a human and a response from a human back to an agent. It does not attempt to handle agent orchestration, task management, authentication, billing, or any of the other concerns that surround autonomous agent systems. Its value comes from being focused, not comprehensive.
The WAKE Protocol
3.1 Overview
The protocol defines two interactions and three endpoints:
Delivery — an agent posts a structured payload to a designated endpoint, describing the work it has completed, the question it is asking, or the update it is surfacing. It receives a delivery identifier in return.
Response (single) — the human reviews the delivery and responds with one of a small set of structured actions, optionally accompanied by feedback or edited content. The agent retrieves this response by polling GET /wake/v1/response/{delivery_id} or receiving it via webhook.
Response (bulk) — for agents managing concurrent tasks, GET /wake/v1/responses retrieves all outstanding responses in a single request, filtered by agent ID and an optional since timestamp. This replaces per-delivery polling with a single sweep per agent — essential at any meaningful scale.
That is the entirety of the protocol. Everything else — the interface the human uses, the storage layer, the notification mechanism, the audit trail — is an implementation concern, not a protocol concern.
3.2 Delivery
An agent delivers work by sending an HTTP POST request to the designated endpoint.
{
"agent_id": "research-agent-01",
"provider": "claude",
"type": "update | question | output | alert",
"headline": "Market research report ready for your review",
"summary": "Completed analysis of the top 10 competitors.",
"details": // object | string | null — never include credentials,
"callback_webhook": "https://...", // optional
"timeout_seconds": 3600 // optional
}
| Field | Type | Required | Description |
|---|---|---|---|
| agent_id | string | Yes | Unique identifier for the delivering agent. Chosen by the implementer. |
| provider | string | Yes | The AI provider powering the agent. Used for display only. Example: claude, openai. |
| type | enum | Yes | Nature of the delivery: update, question, output, or alert. |
| headline | string | Yes | Short, human-readable title. Frame positively. Max 120 characters. |
| summary | string | Yes | One sentence describing the delivery in plain language. Max 280 characters. |
| details | object | string | null | No | Full content of the delivery. May be a string, structured object, or null. Never include credentials or PII. |
| callback_webhook | string | null | No | HTTPS URL to POST the human's response to when it arrives. |
| timeout_seconds | integer | null | No | Seconds after which the agent will proceed with its own judgment if no response arrives. |
Success response — 201 Created:
{
"delivery_id": "550e8400-e29b-41d4-a716-446655440000", // UUID v4
"status": "received",
"created_at": "2026-03-08T11:42:00Z"
}
3.3 Response Retrieval
An agent retrieves a human's response either by polling or via webhook callback.
{
"delivery_id": "550e8400-e29b-41d4-a716-446655440000",
"status": "pending | approved | rejected | redirected",
"feedback": "string", // optional
"edited_content": null, // object | string | null
"responded_at": "2026-03-08T12:10:00Z"
}
| Status | Meaning | Agent action |
|---|---|---|
| pending | Human has not yet responded | Continue polling |
| approved | Human approves the delivery as submitted | Proceed as planned |
| rejected | Human does not approve. Feedback may be provided. | Do not proceed. Review feedback. |
| redirected | Human has returned the delivery with edits or new instructions | Incorporate edited_content and feedback before proceeding |
3.4 Agent Behaviour Requirements
A compliant agent implementation must:
- Post a delivery payload before taking any action that warrants human oversight.
- Record the returned
delivery_idfor later response retrieval. - Not block indefinitely on a response. Proceed after
timeout_secondswith clearly documented assumptions. - On receiving
rejected, not proceed with the originally proposed action. - On receiving
redirected, incorporateedited_contentandfeedbackbefore proceeding. - Log all deliveries and responses locally for audit purposes.
3.5 Versioning
The protocol is versioned using a v{major}.{minor} scheme. This document describes v1.0. Implementations should include the protocol version in the endpoint path: /wake/v1/deliver. Breaking changes increment the major version. Additive changes increment the minor version. Implementations are encouraged to support at least one prior major version during transition periods.
Design Decisions and Rationale
4.1 Why Four Delivery Types?
The four delivery types — update, question, output, alert — cover the full range of reasons an agent might surface work to a human, while remaining simple enough to be immediately understood. They also allow implementations to treat different types differently: updates might be archived quickly, while questions might surface more prominently given their need for a response.
4.2 Why a Headline Field?
The headline field exists because first impressions matter. When a human opens an interface showing twenty deliveries, the headline is what they read first. By making it a required field and encouraging positive framing, the protocol nudges agents toward communication that respects the human's attention. An agent that says "Draft proposal ready for your review" is a better collaborator than one that says "TASK_COMPLETE: output_blob_47".
4.3 Why Asynchronous?
Synchronous human-in-the-loop patterns — where agents block waiting for a response — break down at scale. A human overseeing ten agents cannot be expected to respond to each one immediately. Asynchronous delivery means agents can continue working in parallel, humans can respond to deliveries in batches, and the overall system operates more efficiently. The timeout_seconds field exists for cases where a genuinely time-sensitive decision cannot wait indefinitely.
4.4 Why Not Include Authentication?
Authentication is an implementation concern, not a protocol concern. Different deployments will have radically different authentication requirements: a solo operator self-hosting may use a simple API key; a large deployment may require OAuth 2.0 and role-based access control. The protocol specifies what is exchanged, not how access is controlled. Implementations should enforce appropriate authentication for their context.
4.5 Why Only Four Response Statuses?
The four response statuses — approved, rejected, redirected, pending — give the human meaningful choices without creating decision paralysis. More granular statuses introduce ambiguity that agents cannot reliably act on. The feedback field provides the nuance; the status provides the clear instruction.
Security
The protocol operates at the boundary between autonomous agents and human decision-makers. This boundary is a meaningful attack surface. A compromised delivery could trigger a human to approve a harmful action. A forged response could cause an agent to proceed without genuine human authorisation.
These are not theoretical risks — they are the natural consequence of building a system where human approval has real-world consequences. Implementations must treat the following requirements as non-negotiable.
5.1 What the Protocol Mandates
Delivery ID Generation
Delivery IDs must be cryptographically random UUID v4 values. Sequential or predictable IDs allow enumeration attacks. Implementations must not use sequential integers, timestamps, or any other predictable scheme.
Transport Security
All protocol traffic must be transmitted over HTTPS. Implementations must not accept or serve protocol requests over unencrypted HTTP in any production context. This applies to both the delivery endpoint and any webhook callbacks.
Webhook Callback Validation
Webhook callback_webhook URLs must be validated against an implementer-controlled allowlist before any response is dispatched. Implementations must not deliver response data to arbitrary URLs. Webhook payloads must be signed with HMAC-SHA256:
import hmac, hashlib
def verify_webhook(secret: str, payload: bytes, signature: str) -> bool:
expected = "sha256=" + hmac.new(
secret.encode(), payload, hashlib.sha256
).hexdigest()
# Use constant-time comparison to prevent timing attacks
return hmac.compare_digest(expected, signature)
Prompt Injection Protection
Delivery details fields may contain untrusted content — including text crafted to manipulate the receiving agent's behaviour. Implementations must handle all content in delivery payloads as untrusted and apply appropriate sanitisation before rendering or passing to downstream systems.
Delivery ID Integrity
Agents must verify that response delivery_id values match identifiers they submitted. This prevents response injection attacks where a malicious actor returns a response to a different delivery than the one the agent is polling for.
5.2 What the Protocol Delegates
| Threat | Protocol requirement | Implementation responsibility |
|---|---|---|
| Delivery ID enumeration | Random UUID required | — |
| Transport interception | HTTPS required | — |
| Webhook hijacking | Allowlist + HMAC required | — |
| Prompt injection | Untrusted content handling required | XSS sanitisation |
| Response forgery | Delivery ID verification required | Signed requests recommended |
| Agent impersonation | — | Auth bound to credential, not payload |
| Delivery flooding | — | Rate limiting |
| Sensitive data exposure | — | Encryption at rest, retention policies |
Reference Implementation
A reference implementation of WAKE is provided as part of GardenRoom.ai — a hosted platform built on this protocol. GardenRoom provides:
- A compliant
/wake/v1/deliverand/wake/v1/responseendpoint - A human-facing inbox interface for reviewing and responding to agent deliveries
- Webhook callback support with HMAC-SHA256 signing
- Audit log and delivery history
- Prompt templates for common agent frameworks
The reference implementation is not the only valid implementation. Any system that correctly implements the payload schema, response schema, and agent behaviour requirements described in this document is a compliant implementation. The protocol specification is released under the MIT licence. Implementations may be open or proprietary.
The Broader Vision
This protocol is a small piece of a larger shift that is already underway. The question of how humans maintain meaningful oversight of autonomous AI systems — not just technically, but experientially — is one of the defining design challenges of this decade.
The answer is not more dashboards. It is not more alerts. It is not making humans work harder to stay informed. It is designing systems where agents and humans have a clear, respectful, well-defined relationship: agents do the work, humans provide the judgment that agents cannot, and the interface between them is calm, structured, and built around human needs.
This protocol is a foundation for that relationship. It is intentionally minimal — a single, well-defined seam between the autonomous and the human. What is built on top of that seam is where the real design work begins.
Open Questions
The following questions are open for community discussion as part of the RFC process:
Batched deliveries
Should agents be able to batch multiple deliveries in a single request? This would reduce API overhead but might complicate the human review experience.
Priority signalling
Should the protocol include a priority field to allow agents to signal relative urgency? Or does this undermine the "calm by default" design principle?
Rich media in details
Should the details field have a defined schema for common content types — structured documents, image references, code diffs? Or should it remain fully freeform?
Multi-human routing
Should the protocol support routing deliveries to specific human reviewers? This adds complexity but may be necessary for larger deployments.
Agent-to-agent delivery
Should a manager agent be able to receive and respond to deliveries from subordinate agents using the same protocol? This could enable hierarchical oversight structures without requiring human involvement at every layer.
Cryptographic agent identity
Should the protocol define a formal mechanism for cryptographically verified agent identity, so that implementations can enforce trust tiers between internal agents and third-party agents?
Conclusion
The gap between what autonomous AI agents can do and what humans can see is a solvable problem. It does not require new AI capabilities or complex infrastructure. It requires a shared standard for the moment when an agent surfaces its work to a human — and a commitment to designing that moment around human needs rather than technical convenience.
WAKE is a proposal for that standard. It is intentionally simple, intentionally open, and intentionally focused. We invite implementers, agent developers, and the broader AI community to adopt it, critique it, and improve it.
This document is released under the MIT licence. Contributions, critiques, and implementations are welcome at github.com/wakeprotocol.
Minimal Agent Integration Example
import httpx, time, os
WAKE_URL = os.environ["WAKE_ENDPOINT"]
API_KEY = os.environ["WAKE_API_KEY"]
def deliver(agent_id, type, headline, summary, details, timeout=3600):
r = httpx.post(
f"{WAKE_URL}/wake/v1/deliver",
headers={"Authorization": f"Bearer {API_KEY}"},
json={"agent_id": agent_id, "provider": "claude", "type": type,
"headline": headline, "summary": summary,
"details": details, "timeout_seconds": timeout}
)
return r.json()["delivery_id"]
def await_response(delivery_id, poll=60, max_wait=3600):
elapsed = 0
while elapsed < max_wait:
r = httpx.get(
f"{WAKE_URL}/wake/v1/response/{delivery_id}",
headers={"Authorization": f"Bearer {API_KEY}"}
)
data = r.json()
if data["status"] != "pending":
return data
time.sleep(poll)
elapsed += poll
return {"status": "timeout", "feedback": None}
# Usage
delivery_id = deliver(
agent_id="research-agent-01",
type="output",
headline="Market research report ready for your review",
summary="Completed analysis of the top 10 competitors in the space.",
details={"report_url": "https://...", "word_count": 3200}
)
response = await_response(delivery_id)
if response["status"] == "approved":
proceed_with_next_step()
elif response["status"] == "rejected":
handle_rejection(response["feedback"])
elif response["status"] == "redirected":
incorporate_edits(response["edited_content"], response["feedback"])
System Prompt Template
The following addition can be included in any agent's system prompt to enable compliant delivery behaviour:
You are working autonomously on behalf of a human. When you complete a significant piece of work, reach a decision point you cannot resolve alone, or encounter an unexpected condition, deliver a structured update via WAKE before proceeding. When delivering: - Frame your headline positively — lead with what has been accomplished. - Be specific in your summary — one plain-language sentence. - Do not block waiting for a response. Continue with other work or document your assumptions and proceed after the timeout period. - Respect the human's response — if they reject your proposed action, do not proceed. If they redirect you, incorporate their changes fully. The human is your collaborator. Surface your work clearly. Act on their guidance immediately. Full spec: /spec/