Dekimu · anchored receipts docs

ADR — Anchored Delegation Receipts

Cryptographic proof of a delegation lifecycle event — grant, revoke, narrow, renew, suspend, or resume of agent authority.

← All families

Purpose

An ADR anchors the lifecycle of an authority delegation: when a principal grants a delegate the right to act on their behalf, what scope that authority covers, and how that authority evolves over time — through narrowing, renewal, suspension, or revocation. Delegation chains form a verifiable graph of who may act for whom.

In data-processing contexts, ADR receipts document the controller → processor and controller → sub-processor authority chains required by GDPR Art. 28, where written contracts are complemented by verifiable delegation receipts.

Event types

KindLabelDescription
grantGrantAuthority delegated.
revokeRevokeDelegation withdrawn.
narrowNarrowDelegation scope reduced.
renewRenewDelegation period extended.
suspendSuspendDelegation temporarily paused.
resumeResumeSuspended delegation reactivated.

Key fields

delegator — identity of the principal granting authority: DID, email, or structured entity reference.

delegatee — identity of the agent receiving authority. May be a human, an AI agent, or a system account.

scope — structured list of permitted actions and data categories within the delegation. Narrowing events replace this field with a reduced scope.

authority_constraints — conditions under which the delegated authority may be exercised: time bounds, geographic limits, purpose restrictions, or sub-delegation permissions.

Regulatory context

GDPR Art. 28 requires that processing by a processor is governed by a binding contract setting out the subject matter, duration, nature, and purpose of the processing. Art. 29 restricts processors and persons acting under their authority from processing data except on documented instructions from the controller. ADR receipts provide a cryptographically verifiable complement to these contractual obligations — particularly useful for AI agent deployments where delegation is dynamic and automated rather than static and contractual.

Anchored Receipts are cryptographic provenance and privacy-lifecycle protocols; verify.dekimu.com is a reference implementation, not a qualified trust service under Regulation (EU) No 910/2014 (eIDAS) or successor.