Delegates
Delegate Definition
A delegate is a software agent that can prove key possession, accept mandates, sign actions, and be revoked.
Framework or hosting stack does not determine eligibility.
Qualification Criteria
An agent qualifies for APIS issuance only if it can:
- Generate and hold a cryptographic key pair.
- Complete proof-of-possession challenge.
- Consume and enforce scoped mandates.
- Sign outbound actions or requests.
- Accept revocation and stop acting under revoked credentials.
Runtime Expectations
Delegates should expose:
- stable passport DID
- key identifier/fingerprint
- current active mandate identifiers
- signing evidence on protected actions
Operational Constraints
Delegates must never treat capability claims as unlimited authority. Runtime policy must require valid mandate scope and freshness.
Sub-Delegation
APIS supports two principal-selected modes:
no sub-delegation(default)controlled sub-delegationwith explicit depth and mandatory scope reduction
If a deployment does not implement safe sub-delegation controls, it should disable sub-delegation entirely.