
Cross-Tenant Delegation

Cross-tenant delegation allows an agent owned by one organization to perform actions within another organization’s Truthlocks tenant — with full audit trails and revocable authorization.

Use Cases

  • Managed service providers operating agents on behalf of clients
  • Supply chain partners sharing verification data across organizations
  • Platform integrators running agents that span multiple customer tenants
  • Consulting firms performing compliance checks across client environments

Delegation endpoints have an interactive API playground. Open the Guardrails & Delegation API reference and click Send to try it against the Sandbox.

How it works

┌──────────────┐         ┌──────────────┐
│  Tenant A    │         │  Tenant B    │
│  (Delegator) │         │  (Delegate)  │
│              │  offer  │              │
│  Agent X ────┼────────►│  Agent Y     │
│              │         │  (accepts)   │
│              │ accept  │              │
│              │◄────────┼──            │
└──────────────┘         └──────────────┘
         │                       │
         ▼                       ▼
  delegation_id            scoped_token
  audit_trail              limited_ttl

Delegation Flow

Step 1: Offer Delegation

curl -X POST https://api.truthlocks.com/v1/delegations/offer \
  -H "X-API-Key: $TENANT_A_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from_agent_id": "maip-agent:01JAAAA",
    "to_tenant_id": "tenant_B",
    "scopes": ["receipts:write", "attestations:read"],
    "constraints": {
      "max_actions_per_hour": 100,
      "ip_allowlist": ["10.0.0.0/8"],
      "expires_at": "2026-05-01T00:00:00Z"
    },
    "require_trust_score_above": 70,
    "metadata": {
      "purpose": "Quarterly compliance audit",
      "approved_by": "admin@tenant-a.com"
    }
  }'
Response:
{
  "id": "maip-delegation:01JDDDD",
  "status": "pending",
  "from_agent_id": "maip-agent:01JAAAA",
  "to_tenant_id": "tenant_B",
  "scopes": ["receipts:write", "attestations:read"],
  "offer_expires_at": "2026-04-13T00:00:00Z"
}

Step 2: Accept Delegation

curl -X POST https://api.truthlocks.com/v1/delegations/maip-delegation:01JDDDD/accept \
  -H "X-API-Key: $TENANT_B_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "accepting_agent_id": "maip-agent:01JBBBB",
    "acknowledge_constraints": true
  }'
Response:
{
  "id": "maip-delegation:01JDDDD",
  "status": "active",
  "delegated_token": "mdt_live_...",
  "effective_scopes": ["receipts:write", "attestations:read"],
  "expires_at": "2026-05-01T00:00:00Z"
}

Step 3: Execute Cross-Tenant Actions

curl -X POST https://api.truthlocks.com/v1/receipts \
  -H "Authorization: Bearer mdt_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "compliance.check.completed",
    "subject_id": "vendor_456",
    "payload": { "result": "pass", "checks_run": 12 }
  }'

Security Model

Constraints

Constraint                  Description
max_actions_per_hour        Rate limit for delegated actions
ip_allowlist                Network restrictions
expires_at                  Hard expiration date
require_trust_score_above   Minimum trust score to maintain delegation
scopes                      Subset of the delegating agent’s scopes

Audit Trail

All cross-tenant actions generate dual audit entries — one in each tenant’s audit log:
{
  "event": "delegation.action",
  "delegation_id": "maip-delegation:01JDDDD",
  "acting_agent": "maip-agent:01JBBBB",
  "acting_tenant": "tenant_B",
  "target_tenant": "tenant_A",
  "action": "receipts:write",
  "timestamp": "2026-04-06T14:30:00Z"
}

Revocation

Either party can revoke a delegation at any time:
curl -X DELETE https://api.truthlocks.com/v1/delegations/maip-delegation:01JDDDD \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "reason": "Engagement concluded" }'

Revocation is immediate — all in-flight requests using the delegated token are rejected.

Best Practices

  1. Time-bound all delegations — Never create open-ended delegations
  2. Minimum viable scopes — Only delegate the scopes actually needed
  3. Trust score requirements — Set require_trust_score_above to at least 70
  4. IP restrictions — Always use ip_allowlist for production delegations
  5. Monitor delegation activity — Set up webhooks for delegation.* events
  6. Regular review — Audit active delegations quarterly
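
The first four practices can be checked mechanically before an offer is ever sent. The following is an added example, not Truthlocks code: a pre-flight linter for the Step 1 offer body that uses only the field names shown on this page. The function name, the `needed_scopes` parameter, the 90-day lifetime cap and the /8 breadth limit are assumptions chosen for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
MIN_TRUST_SCORE = 70               # floor recommended on this page
MAX_LIFETIME = timedelta(days=90)  # assumption: one quarterly review cycle
MIN_PREFIX_LEN = 8                 # assumption: wider than /8 counts as too broad


def lint_offer(offer, needed_scopes, now=None):
    """Return best-practice findings for a delegation offer body (dict)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    constraints = offer.get("constraints") or {}

    # Time-bound: expires_at must parse with a timezone, be in the future, and be short.
    try:
        expires = datetime.fromisoformat(constraints["expires_at"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        expires = None
    if expires is None or expires.tzinfo is None:
        findings.append("expires_at missing or lacks a timezone")
    elif expires <= now:
        findings.append("expires_at is in the past")
    elif expires - now > MAX_LIFETIME:
        findings.append("expires_at exceeds the maximum lifetime")

    # Minimum scopes: at least one, and nothing beyond what the engagement needs.
    scopes = set(offer.get("scopes") or [])
    if not scopes:
        findings.append("scopes is empty")
    findings += [f"scope {s!r} is not needed" for s in sorted(scopes - set(needed_scopes))]

    # Trust score floor: must be numeric and at least MIN_TRUST_SCORE.
    score = offer.get("require_trust_score_above")
    if not isinstance(score, (int, float)) or score < MIN_TRUST_SCORE:
        findings.append("require_trust_score_above missing or below the floor")

    # IP allowlist: present, valid CIDRs, none broader than MIN_PREFIX_LEN.
    allowlist = constraints.get("ip_allowlist") or []
    if not allowlist:
        findings.append("ip_allowlist is missing or empty")
    for cidr in allowlist:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"ip_allowlist entry {cidr!r} is not a valid CIDR")
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(f"ip_allowlist entry {cidr!r} is too broad")
    return findings
```

An empty list means the offer passes. Run it on the JSON body before the `POST /v1/delegations/offer` call and block the request on any finding.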
