Identity Delegation
Identity delegation answers: "Who is the agent acting for, which scopes were granted, and how can that access be audited or revoked?"
Agent systems should avoid ambient authority. A tool or remote agent should receive only the scopes needed for the requested work.
Delegation Model
Architecture Rules
- Preserve the represented subject, such as a user, service account, organization, or agent.
- Use explicit scopes for each side effect.
- Log policy decisions without logging tokens.
- Keep refresh tokens and long-lived credentials out of agent prompts and memory.
- Require human review for high-impact external actions.
Demo Mapping
The demo uses local JWTs only for deterministic development:
GET /auth/dev-tokenissues scoped demo tokens.research:readallows document search and retrieval.drafts:writeallows draft creation.debug:readprotects local runtime, audit, and trace inspection.