Perplexity logo

Perplexity human-in-the-loop UX: connectors & tool permissions

Updated July 6, 2026

Perplexity’s human-in-the-loop model starts before the agent runs. Connector chips surface in the composer when a query touches personal data, and a dedicated permissions modal splits Gmail tools into read-only versus write/delete buckets with per-tool Allow and Disable controls.

Surface connectors in context

Typing “email” in the home composer reveals Gmail and Outlook connector chips beside Search and Computer mode.
Typing “email” in the home composer reveals Gmail and Outlook connector chips beside Search and Computer mode.

What works

  • Connector chips appear when the query signals personal-data intent — not buried in settings.
  • Gmail and Outlook sit as peer affordances next to Search and Computer, so users choose scope before sending.
  • The + chip pattern matches other composer attachments — low learning curve.

What we would push on

  • Chips may appear late — after the user already typed. Proactive suggestions on focus could help.
  • Unclear what happens if neither connector is added; copy could preview read-only vs connected modes.

Takeaway

Put data-source opt-in on the prompt surface when the query implies private context.

Granular Allow / Disable per tool

Gmail with Calendar connector modal: read-only vs write/delete tool groups with per-tool Allow toggles.
Gmail with Calendar connector modal: read-only vs write/delete tool groups with per-tool Allow toggles.

What works

  • Tools split into read-only and write/delete — users grasp risk tiers without reading legal copy.
  • Each tool has its own Allow control plus category-level Allow shortcuts.
  • Overview bullets explain what connected access enables before users commit.

What we would push on

  • Many toggles can fatigue users into blanket Allow — highlight recommended defaults.
  • Send an email and Draft a reply are separate; most users may not know which they need.

Takeaway

Human-in-the-loop for agents means per-capability consent, grouped by read vs write risk.

Steal this

  • Show connector chips in the composer when queries imply personal data.
  • Group agent tools by read vs write/delete risk.
  • Let users Allow capabilities individually, not only all-or-nothing.

Skip this

  • Connecting Gmail with a single opaque “Grant access” and no tool breakdown.
  • Running write tools before users understand what the agent can change.

Original gallery pages: Human in the Loop