[{"data":1,"prerenderedAt":558},["ShallowReactive",2],{"navigation":3,"\u002Fguides\u002Fdelegation":89,"\u002Fguides\u002Fdelegation-surround":555},[4,40,63,76],{"title":5,"path":6,"stem":7,"children":8,"icon":39},"Getting Started","\u002Fgetting-started","1.getting-started\u002F1.index",[9,11,15,19,23,27,31,35],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Quick Start: Service Provider","\u002Fgetting-started\u002Fquickstart-sp","1.getting-started\u002F2.quickstart-sp",{"title":16,"path":17,"stem":18},"Quick Start: Identity Provider","\u002Fgetting-started\u002Fquickstart-idp","1.getting-started\u002F3.quickstart-idp",{"title":20,"path":21,"stem":22},"Quick Start: Agent","\u002Fgetting-started\u002Fquickstart-agent","1.getting-started\u002F4.quickstart-agent",{"title":24,"path":25,"stem":26},"Quick Start","\u002Fgetting-started\u002Finstallation","1.getting-started\u002F5.installation",{"title":28,"path":29,"stem":30},"How It Works","\u002Fgetting-started\u002Fhow-it-works","1.getting-started\u002F6.how-it-works",{"title":32,"path":33,"stem":34},"For Service Providers","\u002Fgetting-started\u002Ffor-service-providers","1.getting-started\u002F7.for-service-providers",{"title":36,"path":37,"stem":38},"CLI (apes & ape-shell)","\u002Fgetting-started\u002Fcli","1.getting-started\u002F8.cli",false,{"title":41,"path":42,"stem":43,"children":44,"icon":39},"Ecosystem","\u002Fecosystem","2.ecosystem\u002F1.index",[45,47,51,55,59],{"title":46,"path":42,"stem":43},"Overview",{"title":48,"path":49,"stem":50},"OpenApe Auth","\u002Fecosystem\u002Fauth","2.ecosystem\u002F2.auth",{"title":52,"path":53,"stem":54},"OpenApe Grants","\u002Fecosystem\u002Fgrants","2.ecosystem\u002F3.grants",{"title":56,"path":57,"stem":58},"nuxt-auth-sp","\u002Fecosystem\u002Fnuxt-auth-sp","2.ecosystem\u002F4.nuxt-auth-sp",{"title":60,"path":61,"stem":62},"escapes","\u002Fecosystem\u002Fescapes","2.ecosystem\u002F5.escapes",{"title":64,"icon":39,"path":65,"stem":66,"children":67,"page":39},"Security","\u002Fsecurity","3.security",[68,72],{"title":69,"path":70,"stem":71},"Compliance","\u002Fsecurity\u002Fcompliance","3.security\u002F1.compliance",{"title":73,"path":74,"stem":75},"Threat Model","\u002Fsecurity\u002Fthreat-model","3.security\u002F2.threat-model",{"title":77,"icon":39,"path":78,"stem":79,"children":80,"page":39},"Guides","\u002Fguides","4.guides",[81,85],{"title":82,"path":83,"stem":84},"Capabilities & Grants","\u002Fguides\u002Fcapabilities","4.guides\u002F1.capabilities",{"title":86,"path":87,"stem":88},"Delegation","\u002Fguides\u002Fdelegation","4.guides\u002F2.delegation",{"id":90,"title":86,"body":91,"description":549,"extension":550,"links":551,"meta":552,"navigation":185,"path":87,"seo":553,"stem":88,"__hash__":554},"docs\u002F4.guides\u002F2.delegation.md",{"type":92,"value":93,"toc":538},"minimark",[94,98,107,111,122,129,133,138,257,261,379,386,390,430,433,459,463,466,491,495,517,521,534],[95,96,86],"h1",{"id":97},"delegation",[99,100,101,102,106],"p",{},"Delegation allows a user to authorize an agent to act ",[103,104,105],"strong",{},"on their behalf"," at a specific service. Unlike regular grants (where the agent requests permission for itself), delegations are pre-approved by the delegator.",[108,109,28],"h2",{"id":110},"how-it-works",[112,113,118],"pre",{"className":114,"code":116,"language":117},[115],"language-text","Delegator creates delegation → Grant is auto-approved\n                             → Delegate (agent) can use it\n                             → Target service sees: \"agent acting for delegator\"\n","text",[119,120,116],"code",{"__ignoreMap":121},"",[99,123,124,125,128],{},"A delegation grant has ",[119,126,127],{},"type: 'delegation'"," and includes both the delegator and delegate identities. The target service can distinguish between direct agent actions and delegated actions.",[108,130,132],{"id":131},"creating-a-delegation","Creating a Delegation",[134,135,137],"h3",{"id":136},"via-cli","Via CLI",[112,139,143],{"className":140,"code":141,"language":142,"meta":121,"style":121},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Delegate to another agent at a specific service\napes grants delegate --to agent@example.com --at api.example.com\n\n# With scopes\napes grants delegate --to agent@example.com --at api.example.com --scopes read,write\n\n# With time limit\napes grants delegate --to agent@example.com --at api.example.com --approval timed --expires 2025-12-31\n","bash",[119,144,145,154,180,187,193,217,222,228],{"__ignoreMap":121},[146,147,150],"span",{"class":148,"line":149},"line",1,[146,151,153],{"class":152},"sHwdD","# Delegate to another agent at a specific service\n",[146,155,157,161,165,168,171,174,177],{"class":148,"line":156},2,[146,158,160],{"class":159},"sBMFI","apes",[146,162,164],{"class":163},"sfazB"," grants",[146,166,167],{"class":163}," delegate",[146,169,170],{"class":163}," --to",[146,172,173],{"class":163}," agent@example.com",[146,175,176],{"class":163}," --at",[146,178,179],{"class":163}," api.example.com\n",[146,181,183],{"class":148,"line":182},3,[146,184,186],{"emptyLinePlaceholder":185},true,"\n",[146,188,190],{"class":148,"line":189},4,[146,191,192],{"class":152},"# With scopes\n",[146,194,196,198,200,202,204,206,208,211,214],{"class":148,"line":195},5,[146,197,160],{"class":159},[146,199,164],{"class":163},[146,201,167],{"class":163},[146,203,170],{"class":163},[146,205,173],{"class":163},[146,207,176],{"class":163},[146,209,210],{"class":163}," api.example.com",[146,212,213],{"class":163}," --scopes",[146,215,216],{"class":163}," read,write\n",[146,218,220],{"class":148,"line":219},6,[146,221,186],{"emptyLinePlaceholder":185},[146,223,225],{"class":148,"line":224},7,[146,226,227],{"class":152},"# With time limit\n",[146,229,231,233,235,237,239,241,243,245,248,251,254],{"class":148,"line":230},8,[146,232,160],{"class":159},[146,234,164],{"class":163},[146,236,167],{"class":163},[146,238,170],{"class":163},[146,240,173],{"class":163},[146,242,176],{"class":163},[146,244,210],{"class":163},[146,246,247],{"class":163}," --approval",[146,249,250],{"class":163}," timed",[146,252,253],{"class":163}," --expires",[146,255,256],{"class":163}," 2025-12-31\n",[134,258,260],{"id":259},"via-api","Via API",[112,262,264],{"className":140,"code":263,"language":142,"meta":121,"style":121},"POST \u002Fapi\u002Fdelegations\n{\n  \"delegate\": \"agent@example.com\",\n  \"audience\": \"api.example.com\",\n  \"grant_type\": \"timed\",\n  \"duration\": 86400,\n  \"scopes\": [\"read\", \"write\"]\n}\n",[119,265,266,274,280,301,317,333,343,374],{"__ignoreMap":121},[146,267,268,271],{"class":148,"line":149},[146,269,270],{"class":159},"POST",[146,272,273],{"class":163}," \u002Fapi\u002Fdelegations\n",[146,275,276],{"class":148,"line":156},[146,277,279],{"class":278},"sMK4o","{\n",[146,281,282,285,289,292,295,298],{"class":148,"line":182},[146,283,284],{"class":159},"  \"delegate\"",[146,286,288],{"class":287},"s2Zo4",":",[146,290,291],{"class":278}," \"",[146,293,294],{"class":163},"agent@example.com",[146,296,297],{"class":278},"\"",[146,299,300],{"class":163},",\n",[146,302,303,306,308,310,313,315],{"class":148,"line":189},[146,304,305],{"class":159},"  \"audience\"",[146,307,288],{"class":287},[146,309,291],{"class":278},[146,311,312],{"class":163},"api.example.com",[146,314,297],{"class":278},[146,316,300],{"class":163},[146,318,319,322,324,326,329,331],{"class":148,"line":195},[146,320,321],{"class":159},"  \"grant_type\"",[146,323,288],{"class":287},[146,325,291],{"class":278},[146,327,328],{"class":163},"timed",[146,330,297],{"class":278},[146,332,300],{"class":163},[146,334,335,338,340],{"class":148,"line":219},[146,336,337],{"class":159},"  \"duration\"",[146,339,288],{"class":287},[146,341,342],{"class":163}," 86400,\n",[146,344,345,348,350,354,356,359,361,364,366,369,371],{"class":148,"line":224},[146,346,347],{"class":159},"  \"scopes\"",[146,349,288],{"class":287},[146,351,353],{"class":352},"sTEyZ"," [",[146,355,297],{"class":278},[146,357,358],{"class":163},"read",[146,360,297],{"class":278},[146,362,363],{"class":352},", ",[146,365,297],{"class":278},[146,367,368],{"class":163},"write",[146,370,297],{"class":278},[146,372,373],{"class":163},"]\n",[146,375,376],{"class":148,"line":230},[146,377,378],{"class":278},"}\n",[99,380,381,382,385],{},"The delegation is ",[103,383,384],{},"auto-approved"," because the delegator (authenticated user) is creating it themselves.",[108,387,389],{"id":388},"listing-delegations","Listing Delegations",[112,391,393],{"className":140,"code":392,"language":142,"meta":121,"style":121},"# List all delegations (both as delegator and delegate)\napes grants delegations\n\n# JSON output\napes grants delegations --json\n",[119,394,395,400,409,413,418],{"__ignoreMap":121},[146,396,397],{"class":148,"line":149},[146,398,399],{"class":152},"# List all delegations (both as delegator and delegate)\n",[146,401,402,404,406],{"class":148,"line":156},[146,403,160],{"class":159},[146,405,164],{"class":163},[146,407,408],{"class":163}," delegations\n",[146,410,411],{"class":148,"line":182},[146,412,186],{"emptyLinePlaceholder":185},[146,414,415],{"class":148,"line":189},[146,416,417],{"class":152},"# JSON output\n",[146,419,420,422,424,427],{"class":148,"line":195},[146,421,160],{"class":159},[146,423,164],{"class":163},[146,425,426],{"class":163}," delegations",[146,428,429],{"class":163}," --json\n",[99,431,432],{},"The API supports filtering by role:",[112,434,436],{"className":140,"code":435,"language":142,"meta":121,"style":121},"GET \u002Fapi\u002Fdelegations?role=delegator   # delegations you created\nGET \u002Fapi\u002Fdelegations?role=delegate    # delegations granted to you\n",[119,437,438,449],{"__ignoreMap":121},[146,439,440,443,446],{"class":148,"line":149},[146,441,442],{"class":159},"GET",[146,444,445],{"class":163}," \u002Fapi\u002Fdelegations?role=delegator",[146,447,448],{"class":152},"   # delegations you created\n",[146,450,451,453,456],{"class":148,"line":156},[146,452,442],{"class":159},[146,454,455],{"class":163}," \u002Fapi\u002Fdelegations?role=delegate",[146,457,458],{"class":152},"    # delegations granted to you\n",[108,460,462],{"id":461},"validation","Validation",[99,464,465],{},"When a delegate uses a delegation grant, the target service validates:",[467,468,469,473,478,481,488],"ol",{},[470,471,472],"li",{},"The grant exists and is approved",[470,474,475,476],{},"The grant type is ",[119,477,97],{},[470,479,480],{},"The delegate identity matches the authenticated agent",[470,482,483,484,487],{},"The audience matches the target service (or is wildcard ",[119,485,486],{},"*",")",[470,489,490],{},"The grant hasn't expired or been revoked",[108,492,494],{"id":493},"security-considerations","Security Considerations",[496,497,498,501,504,507,510],"ul",{},[470,499,500],{},"Delegations follow the same lifecycle as regular grants (pending, approved, revoked, expired)",[470,502,503],{},"The delegator can revoke a delegation at any time",[470,505,506],{},"Scopes limit what the delegate can do -- omitting scopes means full access at that audience",[470,508,509],{},"Timed delegations auto-expire, reducing the risk of forgotten permissions",[470,511,512,513,516],{},"The ",[119,514,515],{},"decided_by"," field in the AuthZ-JWT shows the delegator, maintaining accountability",[108,518,520],{"id":519},"next-steps","Next Steps",[496,522,523,529],{},[470,524,525,528],{},[526,527,82],"a",{"href":83}," -- the underlying grant system",[470,530,531,533],{},[526,532,60],{"href":61}," -- privilege escalation using grants and delegations",[535,536,537],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}",{"title":121,"searchDepth":149,"depth":156,"links":539},[540,541,545,546,547,548],{"id":110,"depth":156,"text":28},{"id":131,"depth":156,"text":132,"children":542},[543,544],{"id":136,"depth":182,"text":137},{"id":259,"depth":182,"text":260},{"id":388,"depth":156,"text":389},{"id":461,"depth":156,"text":462},{"id":493,"depth":156,"text":494},{"id":519,"depth":156,"text":520},"Let agents act on behalf of another user.","md",null,{},{"title":86,"description":549},"G1aKBP8giVZ5-_zSV74Z5LjODQONFF5NGkOOQ_r0YO0",[556,551],{"title":82,"path":83,"stem":84,"description":557,"children":-1},"How agents request permissions and humans approve them.",1776885317434]