Delegation (DATs)

Overview

A Delegation Attestation Token (DAT) is a signed token that grants scoped authority from one DID to another. DATs answer the question: “What is this agent authorised to do, and who authorised it?”

DATs are:

• Scoped — Define exactly which actions the agent may perform
• Time-bounded — Have explicit expiry times
• Constrainable — Carry enforceable constraints (rate limits, IP restrictions, etc.)
• Chainable — Form delegation chains from root principal to leaf agent
• Revocable — Can be revoked before expiry

Token Format

DATs use JWS Compact Serialization (three Base64URL-encoded parts separated by dots):

eyJhbGciOiJFZERTQSIs...  (header)
.
eyJpc3MiOiJkaWQ6aWRw...  (payload)
.
z3FXQjecWg3dBGZBCY9K...  (signature)

Header

{
  "alg": "EdDSA",
  "typ": "idprova-dat+jwt",
  "kid": "did:idprova:example.com:alice#key-ed25519-1"
}

Payload (Claims)

{
  "iss": "did:idprova:example.com:alice",
  "sub": "did:idprova:example.com:my-agent",
  "aud": "did:idprova:example.com:registry",
  "jti": "dat-2026-02-24-a1b2c3d4",
  "iat": 1740000000,
  "nbf": 1740000000,
  "exp": 1740086400,
  "scope": ["mcp:tool:*:read", "mcp:resource:docs:write"],
  "constraints": {
    "maxActions": 1000,
    "ipRange": ["10.0.0.0/8"],
    "maxRedelegationDepth": 2
  },
  "parentDat": "dat-2026-02-23-parent-id"
}

Scope Grammar

Scopes define what actions the delegated agent may perform:

scope = namespace ":" resource ":" action

Examples:

mcp:tool:*:read              — Read any MCP tool
mcp:tool:filesystem:write    — Write to filesystem MCP tool
mcp:resource:docs:*          — All actions on docs resources
a2a:agent:*:communicate      — Communicate with any A2A agent
http:api:users:read          — Read users API
idprova:delegate             — Issue sub-delegations

Wildcard rules:

• * matches any segment at that position
• Wildcards can only appear in the resource or action positions

Delegation Chains

Authority flows through chains: a human authorises Agent A, which delegates to Agent B, which sub-delegates to Agent C.

Principal (Alice)
  └─ DAT → Agent A  [scope: mcp:tool:*:*]
              └─ DAT → Agent B  [scope: mcp:tool:filesystem:*]
                          └─ DAT → Agent C  [scope: mcp:tool:filesystem:read]

Key rules:

1. Scope narrowing — Each child scope must be a subset of its parent scope. Agent B cannot grant Agent C mcp:tool:database:write if Agent B only has mcp:tool:filesystem:*.
2. Depth limits — The maxRedelegationDepth constraint limits how many further delegations are allowed. Default maximum: 5.
3. Chain verification — To verify a leaf agent’s authority, the verifier walks the chain from leaf to root, verifying each signature and confirming scope narrowing at each step.

Constraints

DATs carry enforceable constraints beyond scope:

Constraint	Description
maxActions	Maximum actions per token lifetime
ipRange	Restrict to specific IP ranges
maxRedelegationDepth	Max further delegation depth
rateLimit	Actions per time window
geoRestriction	Limit to specific jurisdictions

Constraints inherit and narrow through delegation chains. If Agent A has maxActions: 1000, Agent B can set maxActions: 500 but not maxActions: 2000.

Revocation

DATs can be revoked before expiry:

POST /v1/delegations/{jti}/revoke

Revocation cascades: When a parent DAT is revoked, all child DATs in the delegation chain become invalid. Verifiers must check revocation status for every DAT in the chain.

Verification

To verify a DAT:

1. Decode the JWS header and payload
2. Resolve the issuer’s DID Document
3. Verify the signature using the key referenced in kid
4. Check temporal validity (nbf ≤ now ≤ exp)
5. Check revocation status
6. If parentDat exists, verify the parent DAT recursively
7. Confirm scope is a subset of parent scope (if chained)

Next Steps

• Audit (Receipts) — Tamper-evident action records
• Trust Levels — Progressive trust model
• DAT Protocol Specification — Full technical reference