Developer · 5 min read

How delegation tokens work

Q: What is the runtime cost?

Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.

Q: Does it work with our existing agent framework?

Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.

Q: What happens to delegations when an engineer leaves?

They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.

A delegation token is OAuth for AI agents — but designed from the start for the human-agent-tool topology. Signed by a human, scoped to a task, time-bound, revocable in milliseconds. Here's the primer.

The mental model

OAuth answered the question: "Can this app access this user's data?" Delegation tokens answer the question: "Can this agent take this action on this user's behalf?" Same lineage, different shape.

An agent without a delegation token is a service account: long-lived, broad, hard to revoke per-action. An agent with a delegation token is a narrowly-empowered intermediary: every call carries proof of who authorized it, what was permitted, and how long the permission lasts.

What's inside the token

A Manav delegation token is a JWT-shaped object with one extension. Decoded, the payload looks like:

{
 "iss": "did:manav:0x9a3f7e1d...", // human DID
 "sub": "agent:claude:opus-4-7:run-7d2e", // the delegated agent
 "aud": ["mcp:filesystem", "mcp:stripe"], // accepted MCP audiences
 "scope": [
 "files:read:project-acme",
 "stripe:invoice:write:<=USD-500"
 ],
 "iat": 1714742523,
 "exp": 1714771323, // 8h TTL
 "nbf": 1714742523,
 "jti": "delegation-7d2e-001",
 "revocation_endpoint": "https://manav.id/r/7d2e",
 "manav_chain": [ // the new bit
 {
 "from": "did:manav:0x9a3f7e1d...",
 "method": "biometric+device",
 "proof": "ed25519:0xd1...",
 "timestamp": "2026-05-03T08:42:03Z"
 }
 ]
}

Standard JWT fields cover issuance, audience, scope, and expiry. The extension — manav_chain — is what makes it a delegation token rather than an authorization token. It carries a verifiable chain of human authorization, including how the human's identity was established at the moment of signing.

The five fields that matter most

Scope. Use the most narrow string that does the job. files:read:* is broad. files:read:project-acme is narrow. files:read:project-acme:repo/2026-Q2-launch is narrower still. Granularity costs nothing at issuance and saves you in incident response.

Audience. Limit which MCP servers (or other relying parties) can accept the token. A token good at every MCP server is a token that has bigger blast radius than necessary.

TTL. Match TTL to your team's mean time to detect and respond. 8 hours is a reasonable default. 24 hours is risky for high-magnitude scopes. 5 minutes is appropriate for one-shot actions.

Magnitude caps. Encoded inline in scopes (stripe:invoice:write:<=USD-500) or in a separate spend-cap field. Caps are enforced by the relying party, but Manav SDKs validate them defensively to fail closed.

Revocation endpoint. The token references where to check for live revocation. MCP servers re-fetch the active set every 60 seconds; a forced check happens on every signature failure. End-to-end revocation latency: under 200ms in production.

How the chain works

Each delegation token can carry multiple links. A common case: a human delegates to an orchestrator agent, which delegates to a sub-agent. The sub-agent's token carries the full chain back to the human.

Human (Maria Chen)
 └─ delegation #7d2e to orchestrator-agent
 └─ delegation #7d2e/a to file-reader sub-agent
 └─ delegation #7d2e/b to invoice-writer sub-agent

Sub-agent tokens cannot exceed parent scope. If the parent has 8h TTL, sub-agents have ≤8h. If the parent has $500 cap, sub-agents share that cap (atomic decrement at the relying party). The chain is verifiable at any depth.

Verification on the receiving side

When an MCP server (or any relying party) receives a token, it runs four checks in order:

Signature — verify the JWT against the human's published Manav DID document.
Chain — walk the manav_chain backwards; verify each delegation link is signed and unexpired.
Scope — ensure the requested action falls within the most narrowly-scoped token in the chain.
Revocation — check the live revocation set; reject on hit.

Each check is local. The relying party does not phone home to Manav for every call. Only revocation requires periodic refresh, and that refresh is push-based when subscribed via webhook.

Performance

Decoding, verification, scope check, and revocation lookup add 4–8 ms per call in our reference implementation. The Ed25519 signature is the dominant cost. Caching the DID document (typically valid for hours) is essential for hot paths.

Common mistakes

One token for a whole agent run. Issue at least one per tool category. A single token covering reads and writes is a single revocation that takes everything down.
Skipping the audience field. A token without aud is a bearer token in the bad sense — anyone who steals it can replay it anywhere.
Caps in TTLs longer than incident response. $50K, 8 hours, and a compromised laptop is a 3 a.m. wire transfer.
Trusting the chain only at the top. Verify every link. Sub-agents can present truncated chains.

What this enables

Delegation tokens turn "the agent did it" into "this human authorized this action, with this scope, at this time, and here is the cryptographic proof." That single shift unlocks Article 14 compliance, agent-fleet insurance, cross-platform audit trails, and verifiable-work-history records that survive employer changes.

Common objections

Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.

Frequently asked questions

What is the runtime cost? Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.

Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.

What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.

Where to start

Hands-on next: mcp identity 12 lines ships in twelve lines; ai act article 14 playbook adds the operational layer once you have the basics. Both link to working repos; clone, integrate, run the bench.

OAuth made the multi-tenant web possible. Delegation tokens make the agentic enterprise auditable.