Cross-Tenant Delegation
Cross-tenant delegation allows an agent owned by one organization to perform actions within another organization’s Truthlocks tenant — with full audit trails and revocable authorization.
Use Cases
Managed service providers operating agents on behalf of clients
Supply chain partners sharing verification data across organizations
Platform integrators running agents that span multiple customer tenants
Consulting firms performing compliance checks across client environments
Delegation endpoints have an interactive API playground. Open the Guardrails & Delegation API reference and click Send to try it against the Sandbox.
How it works
┌──────────────┐         ┌──────────────┐
│   Tenant A   │         │   Tenant B   │
│  (Delegator) │         │  (Delegate)  │
│              │  offer  │              │
│  Agent X ────┼────────►│  Agent Y     │
│              │         │  (accepts)   │
│              │  accept │              │
│              │◄────────┼──            │
└──────────────┘         └──────────────┘
       │                        │
       ▼                        ▼
 delegation_id            scoped_token
 audit_trail              limited_ttl
Delegation Flow
Step 1: Offer Delegation
curl -X POST https://api.truthlocks.com/v1/delegations/cross-tenant/offer \
  -H "X-API-Key: $TENANT_A_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from_agent_id": "maip-agent:01JAAAA",
    "to_tenant_id": "tenant_B",
    "scopes": ["receipts:write", "attestations:read"],
    "constraints": {
      "max_actions_per_hour": 100,
      "ip_allowlist": ["10.0.0.0/8"],
      "expires_at": "2026-05-01T00:00:00Z"
    },
    "require_trust_score_above": 70,
    "metadata": {
      "purpose": "Quarterly compliance audit",
      "approved_by": "admin@tenant-a.com"
    }
  }'
Response:
{
  "id": "maip-delegation:01JDDDD",
  "status": "pending",
  "from_agent_id": "maip-agent:01JAAAA",
  "to_tenant_id": "tenant_B",
  "scopes": ["receipts:write", "attestations:read"],
  "offer_expires_at": "2026-04-13T00:00:00Z"
}
Step 2: Accept Delegation
curl -X POST https://api.truthlocks.com/v1/delegations/cross-tenant/accept \
  -H "X-API-Key: $TENANT_B_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "accepting_agent_id": "maip-agent:01JBBBB",
    "acknowledge_constraints": true
  }'
Response:
{
  "id": "maip-delegation:01JDDDD",
  "status": "active",
  "delegated_token": "mdt_live_...",
  "effective_scopes": ["receipts:write", "attestations:read"],
  "expires_at": "2026-05-01T00:00:00Z"
}
Step 3: Execute Cross-Tenant Actions
curl -X POST https://api.truthlocks.com/v1/receipts \
  -H "Authorization: Bearer mdt_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "compliance.check.completed",
    "subject_id": "vendor_456",
    "payload": { "result": "pass", "checks_run": 12 }
  }'
Security Model
Constraints
| Constraint | Description |
|---|---|
| max_actions_per_hour | Rate limit for delegated actions |
| ip_allowlist | Network restrictions |
| expires_at | Hard expiration date |
| require_trust_score_above | Minimum trust score to maintain delegation |
| scopes | Subset of the delegating agent’s scopes |
Audit Trail
All cross-tenant actions generate dual audit entries — one in each tenant’s audit log:
{
  "event": "delegation.action",
  "delegation_id": "maip-delegation:01JDDDD",
  "acting_agent": "maip-agent:01JBBBB",
  "acting_tenant": "tenant_B",
  "target_tenant": "tenant_A",
  "action": "receipts:write",
  "timestamp": "2026-04-06T14:30:00Z"
}
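One way to review the dual audit entries described above against a delegation's terms, as an added example that is not Truthlocks code. It assumes each tenant's audit log has been exported as a list of entries with the field names shown on this page; the function names, finding labels and sample entries are constructed for illustration.

```python
from datetime import datetime

# Terms assembled from the offer/accept exchange on this page.
DELEGATION = {
    "id": "maip-delegation:01JDDDD",
    "accepting_agent_id": "maip-agent:01JBBBB",
    "effective_scopes": ["receipts:write", "attestations:read"],
    "expires_at": "2026-05-01T00:00:00Z",
}

def sample_event(action, ts, agent="maip-agent:01JBBBB"):
    """Constructed audit entry using this page's field names."""
    return {"event": "delegation.action", "delegation_id": DELEGATION["id"],
            "acting_agent": agent, "acting_tenant": "tenant_B",
            "target_tenant": "tenant_A", "action": action, "timestamp": ts}

# Constructed sample exports of each tenant's audit log (not real data).
LOG_A = [sample_event("receipts:write", "2026-04-06T14:30:00Z"),
         sample_event("attestations:write", "2026-04-07T09:00:00Z"),
         sample_event("receipts:write", "2026-05-02T08:00:00Z")]
LOG_B = LOG_A[:2]  # tenant B's export lacks the third entry

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def relevant(log, delegation):
    return [e for e in log if e.get("event") == "delegation.action"
            and e.get("delegation_id") == delegation["id"]]

def entry_key(e):
    return (e["acting_agent"], e["action"], e["timestamp"])

def review(delegation, log_a, log_b):
    """Return sorted (finding, timestamp, action) tuples for one delegation."""
    a, b = relevant(log_a, delegation), relevant(log_b, delegation)
    findings = set()
    # Every delegated action should appear in both tenants' audit logs.
    for _, action, ts in {entry_key(e) for e in a} ^ {entry_key(e) for e in b}:
        findings.add(("missing_dual_entry", ts, action))
    for e in a + b:
        if e["action"] not in delegation["effective_scopes"]:
            findings.add(("out_of_scope", e["timestamp"], e["action"]))
        if parse_ts(e["timestamp"]) >= parse_ts(delegation["expires_at"]):
            findings.add(("after_expiry", e["timestamp"], e["action"]))
        if e["acting_agent"] != delegation["accepting_agent_id"]:
            findings.add(("unexpected_agent", e["timestamp"], e["action"]))
    return sorted(findings)

if __name__ == "__main__":
    print(*review(DELEGATION, LOG_A, LOG_B), sep="\n")
```

Any finding here points to an action the delegation's scopes, expiry or accepting agent should have prevented, or to an audit entry that one tenant has and the other does not.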
Revocation
Either party can revoke a delegation at any time:
curl -X DELETE https://api.truthlocks.com/v1/delegations/maip-delegation:01JDDDD \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "reason": "Engagement concluded" }'
Revocation is immediate — all in-flight requests using the delegated token are rejected.
Best Practices
Time-bound all delegations — Never create open-ended delegations
Minimum viable scopes — Only delegate the scopes actually needed
Trust score requirements — Set require_trust_score_above to at least 70
IP restrictions — Always use ip_allowlist for production delegations
Monitor delegation activity — Set up webhooks for delegation.* events
Regular review — Audit active delegations quarterly