Chained Credential
Supports delegation flows through multiple entities for complex workflows with intermediary agents
Chained Delegation Credential
The Chained Delegation Credential model supports scenarios where delegation flows through multiple entities. This model is essential for complex workflows where intermediary agents need to further delegate authority.
Structure
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://mcp-i.org/credentials/v1"
],
"id": "urn:uuid:9b37c28d-a7c2-4e5f-8d9a-1b2c3d4e5f6a",
"type": ["VerifiableCredential", "ChainedDelegationCredential"],
"issuer": "did:example:agentA",
"issuanceDate": "2025-02-15T10:15:30Z",
"expirationDate": "2025-06-30T23:59:59Z",
"credentialSubject": {
"id": "did:example:agentB",
"scope": ["read:data"],
"constraints": {
"environment": "testing"
}
},
"credentialStatus": {
"id": "https://example.com/status/456",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "42"
},
"parentCredential": {
"id": "urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5",
"type": ["VerifiableCredential", "DelegationCredential"],
"issuer": "did:example:principal123",
"issuanceDate": "2025-01-01T19:23:24Z",
"expirationDate": "2025-12-31T23:59:59Z",
"credentialSubject": {
"id": "did:example:agentA",
"scope": ["read:data", "write:calendar"]
},
"proof": {
"type": "Ed25519Signature2020",
"verificationMethod": "did:example:principal123#key-1",
"proofValue": "z43BsK5Fu9Sdw7tF1JwPnBtYu..."
}
},
"proof": {
"type": "Ed25519Signature2020",
"created": "2025-02-15T10:15:30Z",
"verificationMethod": "did:example:agentA#key-1",
"proofPurpose": "assertionMethod",
"proofValue": "z82Kn2d7a9FjHnPoQ5..."
}
}
Key Properties
- type: Includes "ChainedDelegationCredential" to indicate delegation chain
- parentCredential: The credential that authorizes the issuer to delegate
- scope: Must be a subset of the parent credential's scope
Validation Requirements
When verifying a chained delegation, the entire chain must be validated recursively, ensuring each delegation's scope is a proper subset of its parent and no credential in the chain is expired or revoked.