Delegation Chain
A cryptographic record of who authorized an AI agent to act, what scopes were granted, and from whom any sub-agents inherit. Severing the root revokes everything below it.
What is a delegation chain?
A delegation chain is the sequence of authorizations that connects an agent's actions back to a human principal. When a human creates an agent, the agent inherits a scoped subset of the human's authority. When that agent spawns a sub-agent, the sub-agent inherits a further-scoped subset. Each step is recorded with the principal, the scopes granted, and a cryptographic signature.
If the chain breaks at any link — the human's account is disabled, an intermediate agent is revoked, scopes are tightened — every agent below that point loses the corresponding authority. This is the property that makes delegation chains the foundation of safe agent autonomy: the human always retains the ability to pull the plug.
Why agents need a delegation chain
Without a delegation chain, agent autonomy becomes a liability. An agent that can spawn sub-agents and grant them credentials is an agent that can leak access in ways no audit log will ever explain. When something goes wrong — wrong email sent, wrong file deleted, wrong refund issued — there is no way to answer the only question that matters: who authorized this?
A delegation chain answers that question by construction. Every action the agent took carries a verifiable trail back to a human. For regulated workflows (healthcare, finance, legal) this is not optional; auditors require attribution. For unregulated workflows it still matters, because revocation without attribution is a blunt instrument.
How revocation cascades
Cascading revocation is the practical payoff. If you revoke a human, every agent that human authorized stops. If you revoke an agent, every sub-agent it spawned stops. If you tighten a scope on a parent, the children inherit the tighter scope on their next operation. This eliminates the orphaned access problem — credentials and grants do not outlive their authorizer.
Compare this to the alternative: a service account shared between five engineers and three agents. When an engineer leaves, you cannot revoke the account without breaking the agents. When an agent misbehaves, you cannot revoke it without breaking the engineers. Delegation chains avoid this by making each principal-to-agent grant independent and separately revocable.
How Loomal implements delegation chains
In Loomal, every agent identity records its parent — the human user or parent agent that created it — at provisioning time. Sub-agent creation is a first-class API: an agent can mint a child identity with a strict subset of its own scopes, and the child's API key is bound to the parent's chain. Revoking the parent invalidates every child key without further action.
The chain is exposed via identity.whoami, which returns the full ancestry of the calling agent. Audit logs record the principal that authorized each action, so post-incident review can answer who, what, and on whose behalf — without stitching together logs from five different systems.
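The following Python sketch is an added illustration of the chain described above and under "How revocation cascades"; it is not Loomal's code or its API. Each link binds a principal, a grantee and a scope subset to the previous link, and verification returns the leaf agent's effective scopes only while every ancestor is intact. It assumes a single HMAC key standing in for per-principal signatures and a human at the root who holds every scope.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class Link:
    principal: str          # who granted: the human, or the parent agent
    agent: str              # who received the grant
    scopes: FrozenSet[str]  # must be a subset of the principal's own scopes
    sig: bytes              # MAC binding this link to the previous link's sig

def _mac(key: bytes, principal: str, agent: str,
         scopes: FrozenSet[str], prev_sig: bytes) -> bytes:
    # Assumption: one HMAC key stands in for per-principal signatures.
    body = json.dumps([principal, agent, sorted(scopes), prev_sig.hex()]).encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def grant(key: bytes, chain: List[Link], principal: str,
          agent: str, scopes: Set[str]) -> List[Link]:
    """Return chain plus one link; refuse scopes the principal does not hold."""
    scopes = frozenset(scopes)
    if chain and (chain[-1].agent != principal or not scopes <= chain[-1].scopes):
        raise ValueError("grant exceeds the principal's own authority")
    prev_sig = chain[-1].sig if chain else b""   # root link: the human holds every scope
    return chain + [Link(principal, agent, scopes,
                         _mac(key, principal, agent, scopes, prev_sig))]

def effective_scopes(key: bytes, chain: List[Link],
                     revoked: Set[str]) -> Optional[FrozenSet[str]]:
    """Walk root to leaf; a broken, tampered or revoked link voids everything below it."""
    prev_sig, prev_agent, allowed = b"", None, None
    for link in chain:
        if link.principal in revoked or link.agent in revoked:
            return None   # cascading revocation: an ancestor (or this agent) was revoked
        if prev_agent is not None and link.principal != prev_agent:
            return None   # link does not connect to the previous one
        if allowed is not None and not link.scopes <= allowed:
            return None   # scope escalation along the chain
        expected = _mac(key, link.principal, link.agent, link.scopes, prev_sig)
        if not hmac.compare_digest(link.sig, expected):
            return None   # signature does not match: link was altered
        prev_sig, prev_agent, allowed = link.sig, link.agent, link.scopes
    return allowed

# Constructed sample chain: human "alice" -> "agent-a" -> sub-agent "agent-b"
ROOT_KEY = b"constructed-example-key"
CHAIN = grant(ROOT_KEY, [], "alice", "agent-a", {"mail:read", "mail:send"})
CHAIN = grant(ROOT_KEY, CHAIN, "agent-a", "agent-b", {"mail:read"})
```

Revoking "alice" or "agent-a" makes the leaf's effective scopes None on the next check, which is the cascade the text describes.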
Loomal primitives
identity.whoami
identity.sign
identity.verify
Last updated: 2026-04-14