Delegation Layer
Learn how authority is securely delegated in MCP-I using verifiable credentials.
Key Takeaways
- Understand how users delegate authority to agents using Verifiable Credentials (VCs)
- Learn how delegation chains work and how they’re validated
- Discover how revocation and credential rotation affect delegation
- Know which components participate in delegation flows, and where enforcement occurs
Why Delegation Matters
Without delegation, AI agents would need full access to a user's account—posing risks for security, privacy, and compliance.
Delegation in MCP-I solves this by using VCs to:
- Scope authority to only what’s necessary
- Prove user consent cryptographically
- Support revocation and expiration
- Allow audit of each request
Delegation Credential Structure
Delegation is encoded inside a VC that includes:
- The issuer (user/delegator DID)
- The subject (agent/delegatee DID)
- The scope of allowed actions and constraints
- The expiration timestamp
- A cryptographic proof signed by the issuer
→ See Credential Models for the full schema
Delegation Process
The delegation process typically follows these steps:
Delegation Lifecycle Diagram
The following diagram shows how a credential is issued, optionally rotated, and eventually revoked:
- A credential may be valid until expiration or actively revoked
- Rotation means a new VC replaces the old one with updated scope or subject
- Verifiers must reject expired or revoked credentials
Delegation Chain
MCP-I supports chained delegation:
- User → Agent A → Agent B
- Each link in the chain is a separate credential
- The verifier must validate each link on the chain recursively
When verifying a delegation chain:
- Start with the leaf credential (the one presented by the requesting agent)
- Verify each credential in the chain recursively
- Ensure each delegation's scope is a subset of its parent
- Check for circular dependencies
- Verify no credential in the chain is expired or revoked
Each VC must:
- Be valid (not expired or revoked)
- Be signed by the correct issuer
- Match the scope requested
- Link to previous subject DID
Delegation Validation Failures
Delegation fails if:
- A link is missing (e.g., broken chain)
- A VC is revoked or expired
- Signature is invalid
- Scope is insufficient or fails constraint expressions
{
"error": "delegation_chain_invalid",
"reason": "revoked_credential",
"at": 1
}
→ These checks happen inside the Edge Verifier
Scope Definition
Scopes in MCP-I follow a standardized format to ensure clear and consistent authorization:
action:resource[/subresource][#instance]
Examples:
read:email- Permission to read emailswrite:calendar/events- Permission to create calendar eventstransfer:finance#account123- Permission to transfer funds from account123
Scope Best Practices
Define scopes that are specific enough to limit agent authority but not so granular that they become unmanageable. Group related permissions into logical scopes to simplify management.
Revocation
MCP-I requires implementation of credential revocation to enable withdrawal of delegation:
StatusList2021
The recommended revocation method uses the StatusList2021 specification:
{
"credentialStatus": {
"id": "https://example.com/status/123#94",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "94"
}
}
Revocation services maintain bitstring status lists where each bit represents a credential's status.
Revocation Process
Revocation Latency
Revocation might not take immediate effect across all systems. Consider the security implications of revocation propagation latency in your implementation, especially for high-security contexts.