Skip to main content
POST
/
v1
/
delegations
/
offer
Offer Delegation
curl --request POST \
  --url https://api.truthlocks.com/v1/delegations/offer \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "from_agent_id": "550e8400-e29b-41d4-a716-446655440000",
  "to_agent_id": "550e8400-e29b-41d4-a716-446655440001",
  "scopes": [
    "datasets:read",
    "models:read"
  ],
  "ttl_seconds": 3600,
  "conditions": {
    "max_invocations": 100
  }
}
'
{
  "delegation_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "from_agent_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "to_agent_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "scopes": [
    "<string>"
  ],
  "ttl_seconds": 123,
  "conditions": {},
  "status": "offered",
  "token": "<string>",
  "created_at": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z"
}
Creates a cross-tenant trust delegation offer. Trust delegations allow agents in one tenant to grant specific, scoped permissions to agents in another tenant — enabling secure multi-organization AI workflows without sharing credentials. Delegation offers are time-limited and scope-restricted. The target tenant must explicitly accept the offer before the delegation becomes active. All delegation lifecycle events are recorded in the transparency log.

Delegation Constraints

ConstraintLimitDescription
Max depth3Delegations cannot be re-delegated beyond 3 hops
Max TTL24 hoursDelegations automatically expire after the specified duration
Scope boundPer-offerEach delegation is limited to explicitly listed scopes
Cross-tenant delegations are a privileged operation. The offering agent must have the delegations:offer permission and the target tenant must be in the offering tenant’s trusted partners list.

Authentication

X-API-Key
string
required
API key with delegations:offer scope. Alternatively, pass a Bearer JWT token in the Authorization header.
X-Tenant-ID
string
required
Tenant identifier of the offering party.

Request

offered_by_agent_id
string
required
MAIP agent identifier of the agent offering the delegation.
target_tenant_id
string
required
Tenant identifier of the target organization that will receive the delegation offer.
scopes
string[]
required
Array of permission scopes being delegated (e.g. datasets:read, models:read, orchestrations:execute). The accepting agent will only have access to these specific scopes.
max_depth
integer
Maximum re-delegation depth. Range: 1 to 3. Defaults to 1 (no re-delegation). A value of 2 allows the accepting agent to re-delegate to one additional party.
ttl_hours
integer
Time-to-live in hours. Range: 1 to 24. The delegation expires automatically after this period. Defaults to 1.
purpose
string
Human-readable description of why this delegation is being offered. Recorded in the audit trail.

Response

id
string
Unique delegation offer identifier.
status
string
Delegation status. Always offered on creation.
offered_by_agent_id
string
The agent that created the offer.
offered_by_tenant_id
string
Tenant of the offering agent.
target_tenant_id
string
Target tenant that may accept the offer.
scopes
string[]
Delegated permission scopes.
max_depth
integer
Maximum re-delegation depth.
expires_at
string
ISO 8601 timestamp when the offer expires if not accepted.
created_at
string
ISO 8601 timestamp of creation.

Authorizations

X-API-Key
string
header
required

API key for machine-to-machine authentication

Body

application/json
from_agent_id
string<uuid>
required

Delegating agent

to_agent_id
string<uuid>
required

Receiving agent

scopes
string[]
required

Scopes to delegate (must be subset of delegating agent scopes)

ttl_seconds
integer

Delegation time-to-live in seconds (max 7 days)

Required range: 60 <= x <= 604800
conditions
object

Conditional constraints on the delegation

Response

Delegation offered

delegation_id
string<uuid>
from_agent_id
string<uuid>
to_agent_id
string<uuid>
scopes
string[]
ttl_seconds
integer
conditions
object
status
enum<string>
Available options:
offered,
active,
expired,
revoked
token
string

Delegation acceptance token (returned on offer)

created_at
string<date-time>
expires_at
string<date-time>