Authorization

The capability model — delegation, invocation, revocation, attenuation, and validation.

Concepts

  • Capabilities — Capability = resource × ability × caveats, the unit of authorization across the protocol.
  • Cap-String Grammar — Capability string form service:space:path:actions and the {namespace}.{service}/{action} ability wire form.
  • CACAO Chain Validation — The node’s algorithm for validating a CACAO/UCAN delegation chain back to root authority.
  • Delegation — Root SIWE→CACAO (ReCap) delegations and child UCAN delegations attenuating parent scope.
  • Invocation — UCAN invocations executing an ability against a resource, verified against the delegation chain.
  • Revocation — Revocation events that retract previously granted delegations.
  • Attenuation — Subset-check enforcing that child capabilities are strictly contained within their parent (ResourceId::extends).
  • Authorization Consistency Model — Hybrid strong/eventual consistency for authorization state; general /invoke has no nonce-dedup table.