Delegation Mask

This section describes the iSHARE delegation request data model used in a valid request for delegation evidence response. The Delegation Evidence section describes the response data model to delegation request. To see full delegation request example please visit Delegation Endpoint response example section.


Visit delegation endpoint section to read API documentation that specifies how the /delegation endpoint should look like since delegation mask is not enough for full flow to work.

Object. Root level.
The request for any delegation evidence.
String. Contained in delegationRequest.
iSHARE identifier of the delegator (the delegating entity).
Object. Contained in delegationRequest.
MUST for the root level contain an accessSubject. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject.
String. Contained in target.
iSHARE identifier of the delegate, also known as the entity that receives the delegated rights.
Array of Objects. Contained in delegationRequest.
Container for one or more objects containing policy elements with an indication for further delegation. Note that policySet elements within one delegationRequest MUST not restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated by the Authorization Registry in a permit-override manner, allowing a Permit if only one of the policySet elements evaluates to Permit.
Array of Strings. Root level. Optional.
Container for one or more iSHARE identifiers values for a situation where multiple delegation policies need to be linked together.
Array of Strings. Root level. Optional.
Container for one or more pieces of evidence such that the client has legitimate reason to request delegation evidence. A single step contains either a previous delegationEvidence statement or a client_assertion. The minimum is a client_assertion value of the accessSubject, for example if the Service Provider requests delegationEvidence for an authorization in which he is neither the policyIssuer or the accessSubject.


  "delegationRequest": {
    "policyIssuer": "EU.EORI.NL123456789",
    "target": {
      "accessSubject": "EU.EORI.NL987654321"
    "policySets": [ "object" ]
  "delegation_path": [ "string" ],
  "previous_steps": [ "string" ]