Delego docs
Delego is intent-bound action authorization for AI agents. It sits between an agent and whatever credential broker holds the user’s secrets, and answers the one question brokers can’t: is this specific action the thing the human actually asked for?
The confused-deputy problem
“The agent gets its own scoped credential and never holds the raw secret” is now a crowded, solved space. The harder problem sits one level up — the confused deputy: the agent holds a valid credential, a prompt injection redirects it, and the credential’s scope still covers the action — so the broker happily injects the secret and the action goes through.
The credential is the wrong layer to catch this — it’s valid. OAuth tokens carry no commitment to the original instruction. This is the agent-authorization gap catalogued as OWASP ASI03 (Excessive Agency).
What Delego does
Delego authorizes the action, not just the credential — deterministically, before any credential is used. For each proposed action it returns one of three outcomes:
- Deterministic, no LLM in the decision path. A model can advise upstream, but the decision that gates a credential is made outside the stochastic loop, so an injection can’t talk its way past it.
- Action-bound, single-use approval. A human “yes” is bound to one exact action fingerprint — the confused-deputy guard. Approval for action A can’t be re-pointed at action B, or replayed to run A twice.
- Signed, tamper-evident audit. Every decision leaves an Ed25519-signed, hash-chained receipt. Editing, reordering, or dropping a receipt breaks verification.
- No credential custody. Delego never holds the secret — it rides your existing broker layer instead of replacing it. Apache-2.0.
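The action-bound, single-use approval described in the list above, as an added sketch that is not Delego's code or API. The names `fingerprint`, `ApprovalStore`, `approve` and `redeem` are hypothetical, and hashing canonical JSON with SHA-256 is an assumed way to build the fingerprint; the sample actions are constructed.

```python
import hashlib
import hmac
import json
import secrets


def fingerprint(action: dict) -> str:
    # Assumed scheme: SHA-256 over canonical JSON, so key order and
    # whitespace cannot change the identity of an action.
    canon = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ApprovalStore:
    """Hypothetical in-memory store: one token approves one fingerprint, once."""

    def __init__(self):
        self._pending = {}  # token -> fingerprint the human approved

    def approve(self, action: dict) -> str:
        # Called when the human says "yes" to this exact action.
        token = secrets.token_urlsafe(16)
        self._pending[token] = fingerprint(action)
        return token

    def redeem(self, token: str, action: dict) -> bool:
        # pop() burns the token on the first attempt, match or not,
        # so a failed or successful redemption can never be retried.
        approved = self._pending.pop(token, None)
        if approved is None:
            return False  # unknown token, or a replay of a used one
        # The approval only counts for the action it was issued for.
        return hmac.compare_digest(approved, fingerprint(action))


def demo():
    store = ApprovalStore()
    # Constructed sample actions: same tool and credential scope,
    # but the second one has a different recipient.
    asked = {"tool": "email.send", "to": "alice@example.com", "subject": "Q3 report"}
    redirected = {**asked, "to": "someone-else@example.net"}

    t1 = store.approve(asked)
    first = store.redeem(t1, asked)           # approved action runs once
    replay = store.redeem(t1, asked)          # same token again: refused
    t2 = store.approve(asked)
    repointed = store.redeem(t2, redirected)  # approval for A used on B: refused
    return first, replay, repointed


if __name__ == "__main__":
    print(demo())
```

The credential scope is identical for both sample actions, which is why the check has to key on the action fingerprint and not on the token's scope.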
Three ways to run it
- pip install delego, write a policy, and call fw.propose(...) in your tool-call path.
- Run delego-mcp over stdio and your agent proposes actions instead of executing them — no code.
- One command installs the skills, agents, and MCP server. Then /delego:init.