> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Accept Cross-Tenant Delegation

> Accept a cross-tenant trust delegation offer, activating scoped permissions for the accepting agent.

Accepts a pending cross-tenant trust delegation offer. Once accepted, the accepting agent gains the delegated scopes for the duration specified in the original offer. The acceptance event is recorded in the transparency log with a cryptographic receipt.

Only agents within the target tenant specified in the original offer can accept it. The offer must still be in `offered` status and not yet expired.

### Authentication

<ParamField header="X-API-Key" type="string" required>
  API key with `delegations:accept` scope. Alternatively, pass a Bearer JWT
  token in the `Authorization` header.
</ParamField>

<ParamField header="X-Tenant-ID" type="string" required>
  Tenant identifier of the accepting party. Must match the `target_tenant_id`
  from the original offer.
</ParamField>

### Path Parameters

<ParamField path="id" type="string" required>
  Delegation offer identifier (e.g. `deleg_01HXYZ4A5B6C7D8E9F`).
</ParamField>

### Request

<ParamField body="accepted_by_agent_id" type="string" required>
  MAIP agent identifier of the agent accepting the delegation. Must belong to
  the target tenant.
</ParamField>

### Response

<ResponseField name="id" type="string">
  Delegation identifier.
</ResponseField>

<ResponseField name="status" type="string">
  Updated status. `active` upon successful acceptance.
</ResponseField>

<ResponseField name="offered_by_agent_id" type="string">
  The agent that created the original offer.
</ResponseField>

<ResponseField name="offered_by_tenant_id" type="string">
  Tenant of the offering agent.
</ResponseField>

<ResponseField name="accepted_by_agent_id" type="string">
  The agent that accepted the delegation.
</ResponseField>

<ResponseField name="accepted_by_tenant_id" type="string">
  Tenant of the accepting agent.
</ResponseField>

<ResponseField name="scopes" type="string[]">
  Delegated permission scopes now active for the accepting agent.
</ResponseField>

<ResponseField name="max_depth" type="integer">
  Maximum re-delegation depth.
</ResponseField>

<ResponseField name="accepted_at" type="string">
  ISO 8601 timestamp when the delegation was accepted.
</ResponseField>

<ResponseField name="expires_at" type="string">
  ISO 8601 timestamp when the delegation will automatically expire.
</ResponseField>

<ResponseField name="receipt_id" type="string">
  Transparency-log receipt anchoring this delegation acceptance event.
</ResponseField>


## OpenAPI

````yaml mint-openapi.yaml POST /v1/delegations/cross-tenant/accept
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/delegations/cross-tenant/accept:
    post:
      tags:
        - Machine Identity
      summary: Accept Delegation
      description: |
        Accepts a pending delegation offer. The accepting agent must match the
        to_agent_id specified in the offer and provide the delegation token.
      operationId: maip.delegations.accept
      parameters:
        - name: delegationId
          in: path
          required: true
          schema:
            type: string
            format: uuid
          description: Delegation identifier
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - agent_id
                - token
              properties:
                agent_id:
                  type: string
                  format: uuid
                  description: Accepting agent (must match to_agent_id)
                token:
                  type: string
                  description: Delegation acceptance token from the offer
      responses:
        '200':
          description: Delegation accepted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipDelegation'
        '400':
          description: Validation error or token mismatch
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '404':
          description: Delegation not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipDelegation:
      type: object
      properties:
        delegation_id:
          type: string
          format: uuid
        from_agent_id:
          type: string
          format: uuid
        to_agent_id:
          type: string
          format: uuid
        scopes:
          type: array
          items:
            type: string
        ttl_seconds:
          type: integer
        conditions:
          type: object
          additionalProperties: true
        status:
          type: string
          enum:
            - offered
            - active
            - expired
            - revoked
        token:
          type: string
          description: Delegation acceptance token (returned on offer)
        created_at:
          type: string
          format: date-time
        expires_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````