> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cross-Tenant Delegation

> Enable AI agents to operate across organizational boundaries with cryptographic delegation chains.

# Cross-Tenant Delegation

Cross-tenant delegation allows an agent owned by one organization to perform actions within another organization's Truthlocks tenant — with full audit trails and revocable authorization.

## Use Cases

* **Managed service providers** operating agents on behalf of clients
* **Supply chain partners** sharing verification data across organizations
* **Platform integrators** running agents that span multiple customer tenants
* **Consulting firms** performing compliance checks across client environments

<Tip>
  Delegation endpoints have an interactive API playground. Open the [Guardrails & Delegation](/api-reference/machine-identity/delegations/offer) API reference and click **Send** to try it against the Sandbox.
</Tip>

## How it works

```
┌──────────────┐         ┌──────────────┐
│  Tenant A    │         │  Tenant B    │
│  (Delegator) │         │  (Delegate)  │
│              │  offer  │              │
│  Agent X ────┼────────►│  Agent Y     │
│              │         │  (accepts)   │
│              │ accept  │              │
│              │◄────────┼──            │
└──────────────┘         └──────────────┘
         │                       │
         ▼                       ▼
  delegation_id            scoped_token
  audit_trail              limited_ttl
```

## Delegation Flow

### Step 1: Offer Delegation

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/delegations/cross-tenant/offer \
  -H "X-API-Key: $TENANT_A_API_KEY" \
  -d '{
    "from_agent_id": "maip-agent:01JAAAA",
    "to_tenant_id": "tenant_B",
    "scopes": ["receipts:write", "attestations:read"],
    "constraints": {
      "max_actions_per_hour": 100,
      "ip_allowlist": ["10.0.0.0/8"],
      "expires_at": "2026-05-01T00:00:00Z"
    },
    "require_trust_score_above": 70,
    "metadata": {
      "purpose": "Quarterly compliance audit",
      "approved_by": "admin@tenant-a.com"
    }
  }'
```

**Response:**

```json theme={null}
{
  "id": "maip-delegation:01JDDDD",
  "status": "pending",
  "from_agent_id": "maip-agent:01JAAAA",
  "to_tenant_id": "tenant_B",
  "scopes": ["receipts:write", "attestations:read"],
  "offer_expires_at": "2026-04-13T00:00:00Z"
}
```

### Step 2: Accept Delegation

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/delegations/cross-tenant/accept \
  -H "X-API-Key: $TENANT_B_API_KEY" \
  -d '{
    "accepting_agent_id": "maip-agent:01JBBBB",
    "acknowledge_constraints": true
  }'
```

**Response:**

```json theme={null}
{
  "id": "maip-delegation:01JDDDD",
  "status": "active",
  "delegated_token": "mdt_live_...",
  "effective_scopes": ["receipts:write", "attestations:read"],
  "expires_at": "2026-05-01T00:00:00Z"
}
```

### Step 3: Execute Cross-Tenant Actions

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/receipts \
  -H "Authorization: Bearer mdt_live_..." \
  -d '{
    "type": "compliance.check.completed",
    "subject_id": "vendor_456",
    "payload": { "result": "pass", "checks_run": 12 }
  }'
```

## Security Model

### Constraints

| Constraint                  | Description                                |
| --------------------------- | ------------------------------------------ |
| `max_actions_per_hour`      | Rate limit for delegated actions           |
| `ip_allowlist`              | Network restrictions                       |
| `expires_at`                | Hard expiration date                       |
| `require_trust_score_above` | Minimum trust score to maintain delegation |
| `scopes`                    | Subset of the delegating agent's scopes    |

### Audit Trail

All cross-tenant actions generate dual audit entries — one in each tenant's audit log:

```json theme={null}
{
  "event": "delegation.action",
  "delegation_id": "maip-delegation:01JDDDD",
  "acting_agent": "maip-agent:01JBBBB",
  "acting_tenant": "tenant_B",
  "target_tenant": "tenant_A",
  "action": "receipts:write",
  "timestamp": "2026-04-06T14:30:00Z"
}
```

### Revocation

Either party can revoke a delegation at any time:

```bash theme={null}
curl -X DELETE https://api.truthlocks.com/v1/delegations/maip-delegation:01JDDDD \
  -H "X-API-Key: $API_KEY" \
  -d '{ "reason": "Engagement concluded" }'
```

Revocation is **immediate** — all in-flight requests using the delegated token are rejected.

## Best Practices

1. **Time-bound all delegations** — Never create open-ended delegations
2. **Minimum viable scopes** — Only delegate the scopes actually needed
3. **Trust score requirements** — Set `require_trust_score_above` to at least 70
4. **IP restrictions** — Always use `ip_allowlist` for production delegations
5. **Monitor delegation activity** — Set up webhooks for `delegation.*` events
6. **Regular review** — Audit active delegations quarterly

## Next steps

<CardGroup cols={2}>
  <Card title="Agent Authorization" href="/guides/agent-authorization" icon="key">
    Scope-based authorization and session management.
  </Card>

  <Card title="AI Orchestration" href="/guides/ai-orchestration" icon="diagram-project">
    Multi-agent workflow execution with delegation support.
  </Card>
</CardGroup>
