Skip to main content
Delegation tokens prove that an agent is acting on behalf of an entity — and that this authorization was cryptographically granted, not merely claimed. Two endpoints cover different use cases:
  • POST /v1/token-exchange — simplified, intended for most applications
  • POST /v1/token/exchange — full RFC 8693 exchange for multi-hop chains
All endpoints require authentication.

POST /v1/token-exchange

The simplified delegation endpoint. Builds SPIFFE IDs from raw identifiers using the authenticated company’s context and issues a signed delegation JWT. Use this when you want to record “agent X acted on behalf of company Y” without constructing JWT-SVIDs manually.

Request body

Response 201

Error responses

Example


POST /v1/token/exchange

Full RFC 8693 §2 token exchange. Takes two pre-issued JWT-SVIDs and produces a delegation token encoding the full sub/act chain. Both tokens must have been issued by the authenticated company’s key pair. Use this when building multi-hop delegation chains where each level of the hierarchy needs to be represented in the token.

Request body

Response 200

Error responses

Example — agent A acts on behalf of company