Cryptographic credentials that attenuate monotonically. Cascade revocation that kills every descendant instantly. Per-session mandates that scope what an agent can do — like a contractor's statement of work.
Revoke alice-chen's credential and both child agents lose access instantly.
Child credentials are always a strict subset of the parent's permissions. A CRM agent with [search, brain_query, send_email] can delegate [search] to a sub-agent — but never [deploy] or [shell], because the parent doesn't have them.
This is the UCAN (User-Controlled Authorization Network) model: self-contained capability tokens with embedded scope, no server lookup needed for validation.
Revoke the parent credential and every descendant dies instantly. One API call, entire chain terminated. No orphaned permissions lingering in the system.
Credentials are cryptographically bound to the agent's tool list, model name, and config hash. If anything changes after issuance, the credential auto-invalidates.
Configurable delegation depth limit prevents unbounded chains. Most real-world pipelines are 2-3 hops.
When you hire a contractor, you give them a statement of work: which rooms they can enter, what tools they can use, how long they have access, and a spending limit. They don't get the keys to the whole building.
An agent mandate works the same way. Every session gets a scope: which tools, which data tiers, what constraints (amount limits, environment restrictions), and a time bound. The agent physically cannot exceed its mandate.
Mandate for: crm-research-agent Session: loan_evaluation_4821 allowed_tools: search, brain_query, read_db blocked_tools: shell, deploy, delete_record constraints: amount_max: 500 env: ["staging", "development"] ttl: 1 hour Runtime: search("Q1 revenue") ALLOW brain_query("churn rate") ALLOW deploy("production") DENY (blocked_tools) transfer(amount=5000) DENY (exceeds amount_max)
Verify tokens from Okta, Azure AD, Google Workspace. JWKS-based key rotation. Standard claims mapped to agent permissions.
Auto-provision and deprovision agent identities from your IdP. Create, update, delete — all standard SCIM operations.
YAML manifest with 50 agents? Import them all at once. Each gets identity, credential, and owner assignment.
# Register agent with owner
agent = shield.register("crm-bot", owner="alice-chen")
# Issue scoped credential
cred = shield.issue_credential(
agent_id=agent.id,
allowed_tools=["search", "brain_query"],
data_tiers=["gtm", "marketing"],
ttl_seconds=3600
)
# Create session mandate
mandate = shield.mandate(
agent_id=agent.id,
intent="Search for healthcare SaaS companies",
allowed_tools=["search"],
constraints={"amount_max": 0}
)
# Delegate to sub-agent (scope attenuates)
child_cred = shield.delegate(
parent_credential=cred.id,
child_agent="search-worker",
allowed_tools=["search"] # must be subset of parent
)