Guides

Delegate Authority

Delegate Authority provides verifiable mandates for agents acting on your customers' behalf.

🚧

Delegate Authority is currently in early access. Reach out to [email protected] to participate.

Delegate Authority lets a verified person authorize an agent to act on their behalf within a specific scope. The person uses an existing Verifiable Credential to mint a new credential that carries the delegated scope. The agent presents the new credential at execution time, and a Verifier confirms both that the verified person authorized the delegation and that the agent presenting it is the one named.

Where Verify Identity confirms a person and Sign Transactions confirms what a person agreed to, Delegate Authority confirms what an agent is authorized to do on a person's behalf.

When to use it

Delegate Authority fits situations where a person authorizes another party, often an AI agent, to act under a defined scope, and the recipient needs verifiable proof of that authorization rather than a claim from the agent itself.

  • AI agent payments. An AI agent making a payment on behalf of the verified person, with the per-transaction or per-period limit pre-approved.
  • AI assistant tasks. An AI assistant booking travel, making reservations, or executing other transactions under constraints set by the verified person.
  • Family or fiduciary delegation. A parent delegating authority over a child's records, or a fiduciary acting on a principal's behalf within an explicit scope.

Scope

A Delegate Authority credential carries the scope of what the agent is allowed to do. Scopes are application-specific. Common elements include:

  • Spending caps. Maximum amount the agent can authorize, per transaction or per period.
  • Allowed payees or actions. A list of permitted recipients or operations.
  • Validity window. Start and end times for the delegation.
  • Expected agent identity. The credential the agent must present to act.

Verifiable Intent is one example of a structured format for expressing such a scope.

How it works

Delegate Authority sequence

The Verifier performs the following checks on the response:

  • Delegation signature. The delegated credential is signed by a key bound to the verified Holder's existing credential.
  • Holder credential. The Holder's credential signature chains to Proof Root CA R1, the trust anchor in your trust store.
  • Agent identity. The agent presenting the credential matches the one named in the delegation.
  • Scope. The action falls within the declared scope.

Together, those checks ensure the response is cryptographic proof that a verified person authorized this specific agent for this specific action.

For the technical specifics of building the request and validating the response, see Verify a Credential (OID4VP).

See also: Use Cases · Verify a Credential · Sign Transactions

Updated 2 days ago