# Wever Delegated Authority

Wever Delegated Authority gives an agent exact, time-bounded authority through a signed Wever Authority Mandate.

Read-only work can run automatically inside the signed scope. Every write or spend requires all three controls:

1. A signed and active Wever Authority Mandate.
2. A short-lived, single-use Wever Authority Action Grant for the exact action.
3. A server-recognized credential belonging to the agent named in the mandate.

## Endpoints

- Product: `https://weverlabs.com/delegated-authority/`
- API: `https://weverlabs.com/api/delegated-authority`
- MCP: `https://weverlabs.com/api/mcp`
- Public key: `https://weverlabs.com/.well-known/wever-authority-key.json`
- Mandate schema: `https://weverlabs.com/schemas/wever-authority-mandate.schema.json`
- Action grant schema: `https://weverlabs.com/schemas/wever-authority-action-grant.schema.json`
- Decision schema: `https://weverlabs.com/schemas/wever-authority-decision.schema.json`

## Public draft

Drafting validates the requested scope and creates no authority.

```bash
curl https://weverlabs.com/api/delegated-authority \
  -H 'Content-Type: application/json' \
  -d '{
    "mode": "draft_mandate",
    "principal_reference": "principal-consent-record",
    "identity_provider": "passkey",
    "agent_id": "customer.agent.001",
    "permission_mode": "bounded_write",
    "allowed_tools": ["create_delegated_work_order"],
    "allowed_rails": ["diligenceops"],
    "max_amount_units": 100,
    "currency": "usd",
    "max_runs": 1,
    "ttl_minutes": 60,
    "consent_reference": "signed-consent-receipt",
    "public_activity_consent": false
  }'
```

## Operator issuance

Issuance requires `X-Wever-Operator-Key`. The operator key remains server-side or in the in-memory product form and is never part of a mandate.

```bash
curl https://weverlabs.com/api/delegated-authority \
  -H 'Content-Type: application/json' \
  -H 'X-Wever-Operator-Key: YOUR_OPERATOR_KEY' \
  -d '{ "mode": "issue_mandate", "principal_reference": "...", "agent_id": "...", "consent_reference": "...", "permission_mode": "bounded_write", "allowed_tools": ["create_delegated_work_order"], "allowed_rails": ["diligenceops"], "max_amount_units": 100, "max_runs": 1, "currency": "usd" }'
```

The operator then calls `issue_action_grant` with the signed mandate, the exact action, and an approval reference. The grant expires within ten minutes and can be consumed once.

## Agent execution

The credential-bound agent calls `execute_delegated_action` with:

- `signed_mandate`
- `signed_action_grant`
- `action`
- `work_order` or `commerce_proof`

The service records grant consumption before any write. The downstream product verifies the mandate and grant again. The final response includes a signed authority decision and the downstream Work Order or Commerce Passport proof.

## MCP tools

- `read_delegated_authority`
- `draft_authority_mandate`
- `inspect_authority_mandate`
- `evaluate_authority_action`
- `execute_delegated_action`

Mandate issuance, grant issuance, and revocation remain operator REST actions. They are not exposed as public MCP write tools.
