Stay organized with collections
Save and categorize content based on your preferences.
This call returns a new authentication JSON Web Token (JWT) that allows
an entity to access a specified resource on behalf of the user
authenticated in the original authentication JWT. It is used to delegate
scoped access to wrap or
unwrap to another entity when that
entity needs to act on behalf of the user.
HTTP request
POST https://<base_url>/delegate
Replace <base_url> with the Key Access Control List Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains a JSON representation of the request:
A JWT issued by a third-party asserting who the user is. See the authentication section for details.
authorization
string
A JWT with delegated_to and resource_name claims asserting that the entity identified by delegated_to claim is allowed to access resource_name on behalf of the user. For more information, see Authorization Tokens.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
Check that authorization and authentication tokens are for the same user.
For more information, see
Encrypt and decrypt data.
Check that the kacls_url claim in the authorization token matches the
current KACLS URL. This allows detection of potential man-in-the-middle
servers configured by insiders or rogue domain admins.
If the kacls_owner_domain claim exists in the authorization token, check
that the value matches the KACLS owner's Google Workspace domain. This helps
prevent unauthorized users from registering your KACLS with Google.
Log the operation, including the user originating it, the delegated_to,
the resource_name, and the reason passed in the request.
Generate, sign, and return a JWT token containing delegated_to and
resource_name claims from the authorization token.
The KACLS is free to perform additional security checks, including JWT claim
based ones.
Response body
If successful, this method returns an authentication JWT containing
delegated_to and resource_name claims. This token can later be used for
authentication in calls to the Wrap and Unwrap methods. In case of an error, a
structured error reply
should be returned.
JSON representation
{"delegated_authentication": string}
Fields
delegated_authentication
string
A delegated authentication JWT valid for accessing resource_name by the user mentioned in the original authentication JWT. For more information, see KACLS authentication token for delegate.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-23 UTC."],[],[],null,["# Method: delegate\n\nThis call returns a new authentication JSON Web Token (JWT) that allows\nan entity to access a specified resource on behalf of the user\nauthenticated in the original authentication JWT. It is used to delegate\nscoped access to [wrap](/workspace/cse/reference/wrap) or\n[unwrap](/workspace/cse/reference/unwrap) to another entity when that\nentity needs to act on behalf of the user.\n\n### HTTP request\n\n`POST https://\u003cbase_url\u003e/delegate`\n\nReplace `\u003cbase_url\u003e` with the Key Access Control List Service (KACLS) URL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains a JSON representation of the request:\n\n| JSON representation ||\n|---------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"reason\": string } ``` |\n\n| Fields ||\n|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by a third-party asserting who the user is. See the authentication section for details. |\n| `authorization` | `string` A JWT with `delegated_to` and `resource_name` claims asserting that the entity identified by `delegated_to` claim is allowed to access `resource_name` on behalf of the user. For more information, see [Authorization Tokens](/workspace/cse/reference/authorization-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n\n### Required processing steps\n\nThe KACLS must perform at least these steps:\n\n- Validate both authorization and authentication tokens. For more information, see [Authorization Tokens](/workspace/cse/reference/authorization-tokens) and [Authentication Tokens](/workspace/cse/reference/authentication-tokens).\n- Check that authorization and authentication tokens are for the same user. For more information, see [Encrypt and decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data).\n- Check that the `kacls_url` claim in the authorization token matches the current KACLS URL. This allows detection of potential man-in-the-middle servers configured by insiders or rogue domain admins.\n- If the `kacls_owner_domain` claim exists in the authorization token, check that the value matches the KACLS owner's Google Workspace domain. This helps prevent unauthorized users from registering your KACLS with Google.\n- Log the operation, including the user originating it, the `delegated_to`, the `resource_name`, and the reason passed in the request.\n- Generate, sign, and return a JWT token containing `delegated_to` and `resource_name` claims from the authorization token.\n\nThe KACLS is free to perform additional security checks, including JWT claim\nbased ones.\n\n### Response body\n\nIf successful, this method returns an authentication JWT containing\n`delegated_to` and `resource_name` claims. This token can later be used for\nauthentication in calls to the Wrap and Unwrap methods. In case of an error, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|------------------------------------------------|---|\n| ``` { \"delegated_authentication\": string } ``` |\n\n| Fields ||\n|----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `delegated_authentication` | `string` A delegated authentication JWT valid for accessing `resource_name` by the user mentioned in the original authentication JWT. For more information, see [KACLS authentication token for `delegate`](/workspace/cse/reference/authentication-tokens#kacls_authentication_token_for_delegate). |\n\n### Example\n\n#### Request\n\n POST https://mykacls.example.com/v1/delegate\n {\n \"authentication\": \"eyJhbGciOi...\",\n \"authorization\": \"eyJhbGciOi...delegated_to\\\":\\\"other_entity_id\\\",\\\"resource_name\\\":\\\"meeting_id\\\"...}\",\n \"reason\": \"{client:'meet' op:'delegate_access'}\"\n }\n\n#### Response\n\n {\n \"delegated_authentication\": \"eyJhbGciOi...delegated_to_from_authz_token...resource_name_from_authz_token...}\"\n }"]]
