Skip to main content
Register the agent on your profile, then grant what it may do. Receipts travel with the agent into gates, APIs, and MCP — any surface can check permission before action. The two steps can be the same account (self-delegation) or two accounts (a person or org delegating to an agent).

Roles

RoleDoesSigns with
AgentRegisters identity (name, type, capabilities)Agent wallet
ControllerGrants scoped authority and limitsController account
Together, identity and delegation give an agent a portable trust context. Any app or runtime can check who the agent is and what it is allowed to do without trusting your infrastructure.
  • Agent wallet — identifies the agent in NEUS and self-signs agent-identity.
  • Controller account — signs agent-delegation. It does not need to own the agent wallet.

Scoped authority

A delegation defines exactly what the agent may do:
ConceptFieldNotes
Allowed actionsallowedActionsEmpty means permissive (unless denied)
Denied actionsdeniedActionsAlways wins over allowed
ScopescopeDefaults to global; use payments:x402 for metered pay
Spend capmaxSpendWhole-number string in token base units (USDC: 6 decimals)
ExpiryexpiresAtUnix milliseconds; set when money or risk is in scope
Capabilities (wallet, signing, spending, publishing, mcp, …) describe what an agent can do; delegation decides what it is allowed to do.

Setup state

FieldMeaning
linkedIdentity and delegation both present
principalSigned-in account from your MCP session

Next

Overview

Start here.

Delegation

Full field reference.

Flow

Setup order.

Cookbook

Recipes.
Last modified on June 20, 2026