Sunday, July 19, 2026

Delegation chains, the confused deputy, and the protocols you truly deploy


Brokers hardly ever act alone. A person asks an agent to do one thing. The agent calls a software. The software calls one other agent. By the point work will get completed, three or 4 actors have touched the request, every performing on behalf of the one earlier than it.

Identification has to outlive that chain. At each hop, it’s good to reply two questions, not one. Who initially requested this? And which actor is making this particular name? Lose both reply and also you lose the flexibility to authorize the decision appropriately or clarify it afterward.

Two claims carry the entire chain

The requirements already mannequin this. RFC 8693 defines token change: an actor trades the token it obtained for a brand new one to make the following name, with out discarding who got here earlier than. The token carries two claims that matter right here.

The sub declare is the topic, the unique principal. It’s the person who began the entire thing, and it doesn’t change because the request strikes down the chain.

The act declare is the actor, the get together making the present name. It does change. And when one agent calls one other, act nests: Agent B performing on behalf of Agent A performing on behalf of the person. Nested act is the one sincere solution to characterize a multi-hop chain, as a result of it retains each hyperlink as an alternative of collapsing them.

Determine 1. High: the chain preserved. sub stays the person, act nests at every hop, and you may examine each hyperlink. Backside: the chain flattened right into a re-minted token. The unique principal is gone and downstream over-grants.

The failure mode has a reputation

The shortcut is to flatten the chain. As an alternative of exchanging tokens and nesting act, an agent re-mints a recent token that claims, in impact, “that is me, calling alone behalf.” It’s less complicated. It additionally destroys the chain.

Now sub factors on the agent, not the person. The unique principal is gone. Attribution is gone with it: the downstream software sees the agent and has no concept whose request set this in movement. And since the software solely sees the agent’s identification, it authorizes in opposition to the agent’s permissions, that are broader than what this particular job ought to permit. You over-grant on each downstream name.

That is the confused deputy: a course of performing with authority that was granted to another person, used for a goal the grantor by no means meant. The flattened token is how the confused deputy will get created in an agent system. The preserved chain is the way you keep away from it. The distinction is whether or not you’ll be able to nonetheless examine, on the software, who requested and who’s performing.

The place the chain lives or dies in apply

This isn’t solely a requirements story. The chain is preserved or destroyed at two protocol surfaces the first viewers is deploying proper now.

Agent to software runs over the Mannequin Context Protocol (MCP). The mid-2025 MCP spec adopted OAuth 2.1 and RFC 9728 protected-resource metadata. That issues as a result of it lets an agent uncover what authorization a software requires as an alternative of hardcoding it. The agent reads the useful resource’s metadata, learns the place to get a token and what scope it wants, and asks for precisely that. Discovery is what makes scoped, per-tool authorization sensible at runtime.

Now the deployed actuality, as a result of the spec is just not the identical as what’s working. A big share of MCP servers within the wild ship with weak or absent authorization. The protocol helps doing this appropriately. Many deployments don’t. That hole is all the topic of this sequence: the requirements exist, and the techniques constructed on high of them skip the elements that shield the chain.

Agent to agent runs over A2A and its Agent Playing cards. An Agent Card is a discoverable declaration of what an agent is, what it might probably do, and which authentication schemes it accepts. It’s how one agent learns easy methods to name one other with no human wiring the 2 collectively upfront. The cardboard can also be the place an agent advertises whether or not it expects a delegated token or will fortunately take something. Learn the playing cards in your ecosystem. They let you know the place the chain is revered and the place it’s about to be flattened.

These two surfaces, MCP and A2A, are the concrete locations the delegation chain is both inspectable finish to finish or quietly collapsed right into a token that lies about who’s performing.

MCP carries agent-to-tool calls and A2A carries agent-to-agent calls. These are the two surfaces where the delegation chain is preserved or destroyed.
Determine 2. MCP carries agent-to-tool calls and A2A carries agent-to-agent calls. These are the 2 surfaces the place the delegation chain is preserved or destroyed in apply.

The take-away

Delegation is just not a token handed down the road. It’s a chain, and a wholesome chain is one you’ll be able to examine at each hop: sub mounted on the unique principal, act nested by means of each actor that touched the request. Flatten it and you’ve got constructed a confused deputy that over-grants and can’t be audited.

In your personal techniques, the chain is preserved or misplaced at MCP and A2A. Test two issues. Do your brokers change and nest tokens, or re-mint flat ones? And do the MCP servers and Agent Playing cards in your ecosystem truly require delegated authorization, or do they settle for no matter exhibits up?

Now you can describe an agent, give it an identification, and carry that identification by means of a sequence of calls. The subsequent query is the place the foundations for all of this dwell. Who decides what an agent is allowed to do, and what occurs the second an agent has to behave someplace its personal platform doesn’t attain? That’s the subsequent submit.

Related Articles

Latest Articles