> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Offer Cross-Tenant Delegation

> Offer a scoped trust delegation to an agent in another tenant.

Creates a cross-tenant trust delegation offer. Trust delegations allow agents in one tenant to grant specific, scoped permissions to agents in another tenant -- enabling secure multi-organization AI workflows without sharing credentials.

Delegation offers are time-limited and scope-restricted. The target tenant must explicitly accept the offer before the delegation becomes active. All delegation lifecycle events are recorded in the transparency log.

### Delegation Constraints

| Constraint  | Limit     | Description                                                   |
| :---------- | :-------- | :------------------------------------------------------------ |
| Max depth   | 3         | Delegations cannot be re-delegated beyond 3 hops              |
| Max TTL     | 24 hours  | Delegations automatically expire after the specified duration |
| Scope bound | Per-offer | Each delegation is limited to explicitly listed scopes        |

<Warning>
  Cross-tenant delegations are a privileged operation. The offering agent must
  have the `delegations:offer` permission and the target tenant must be in the
  offering tenant's trusted partners list.
</Warning>

### Authentication

<ParamField header="X-API-Key" type="string" required>
  API key with `delegations:offer` scope. Alternatively, pass a Bearer JWT token
  in the `Authorization` header.
</ParamField>

<ParamField header="X-Tenant-ID" type="string" required>
  Tenant identifier of the offering party.
</ParamField>

### Request

<ParamField body="offered_by_agent_id" type="string" required>
  MAIP agent identifier of the agent offering the delegation.
</ParamField>

<ParamField body="target_tenant_id" type="string" required>
  Tenant identifier of the target organization that will receive the delegation
  offer.
</ParamField>

<ParamField body="scopes" type="string[]" required>
  Array of permission scopes being delegated (e.g. `datasets:read`,
  `models:read`, `orchestrations:execute`). The accepting agent will only have
  access to these specific scopes.
</ParamField>

<ParamField body="max_depth" type="integer">
  Maximum re-delegation depth. Range: `1` to `3`. Defaults to `1` (no
  re-delegation). A value of `2` allows the accepting agent to re-delegate to
  one additional party.
</ParamField>

<ParamField body="ttl_hours" type="integer">
  Time-to-live in hours. Range: `1` to `24`. The delegation expires
  automatically after this period. Defaults to `1`.
</ParamField>

<ParamField body="purpose" type="string">
  Human-readable description of why this delegation is being offered. Recorded
  in the audit trail.
</ParamField>

### Response

<ResponseField name="id" type="string">
  Unique delegation offer identifier.
</ResponseField>

<ResponseField name="status" type="string">
  Delegation status. Always `offered` on creation.
</ResponseField>

<ResponseField name="offered_by_agent_id" type="string">
  The agent that created the offer.
</ResponseField>

<ResponseField name="offered_by_tenant_id" type="string">
  Tenant of the offering agent.
</ResponseField>

<ResponseField name="target_tenant_id" type="string">
  Target tenant that may accept the offer.
</ResponseField>

<ResponseField name="scopes" type="string[]">
  Delegated permission scopes.
</ResponseField>

<ResponseField name="max_depth" type="integer">
  Maximum re-delegation depth.
</ResponseField>

<ResponseField name="expires_at" type="string">
  ISO 8601 timestamp when the offer expires if not accepted.
</ResponseField>

<ResponseField name="created_at" type="string">
  ISO 8601 timestamp of creation.
</ResponseField>


## OpenAPI

````yaml mint-openapi.yaml POST /v1/delegations/cross-tenant/offer
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/delegations/cross-tenant/offer:
    post:
      tags:
        - Machine Identity
      summary: Offer Delegation
      description: |
        Creates a delegation offer from one agent to another, granting a subset
        of scopes with an optional TTL and conditions. The receiving agent must
        explicitly accept the delegation.
      operationId: maip.delegations.offer
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - from_agent_id
                - to_agent_id
                - scopes
              properties:
                from_agent_id:
                  type: string
                  format: uuid
                  description: Delegating agent
                to_agent_id:
                  type: string
                  format: uuid
                  description: Receiving agent
                scopes:
                  type: array
                  items:
                    type: string
                  description: >-
                    Scopes to delegate (must be subset of delegating agent
                    scopes)
                ttl_seconds:
                  type: integer
                  minimum: 60
                  maximum: 604800
                  description: Delegation time-to-live in seconds (max 7 days)
                conditions:
                  type: object
                  additionalProperties: true
                  description: Conditional constraints on the delegation
            example:
              from_agent_id: 550e8400-e29b-41d4-a716-446655440000
              to_agent_id: 550e8400-e29b-41d4-a716-446655440001
              scopes:
                - datasets:read
                - models:read
              ttl_seconds: 3600
              conditions:
                max_invocations: 100
      responses:
        '201':
          description: Delegation offered
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipDelegation'
        '400':
          description: Validation error or scope escalation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '404':
          description: Agent not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipDelegation:
      type: object
      properties:
        delegation_id:
          type: string
          format: uuid
        from_agent_id:
          type: string
          format: uuid
        to_agent_id:
          type: string
          format: uuid
        scopes:
          type: array
          items:
            type: string
        ttl_seconds:
          type: integer
        conditions:
          type: object
          additionalProperties: true
        status:
          type: string
          enum:
            - offered
            - active
            - expired
            - revoked
        token:
          type: string
          description: Delegation acceptance token (returned on offer)
        created_at:
          type: string
          format: date-time
        expires_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````