Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Delegation

Lock funds so that:

  • Owner can spend at any time.
  • Delegate can spend only before a chosen expiry height.

The owner retains full control. The delegate gets a time-bounded right to spend — useful when you want to grant a subordinate, a service, or an agent the ability to transact on your behalf, but bounded in time so that mistakes or compromises self-correct.

Lock

exfer script delegation-lock \
    --wallet    ~/owner.key \
    --delegate  <DELEGATE_PUBKEY_HEX> \
    --expiry    <BLOCK_HEIGHT> \
    --amount    "10 EXFER" \
    --rpc       "$RPC" \
    --json

Pick --expiry based on how long you want the delegate's authority to last. See the locktime conversion table in Vault.

Owner spend (any time)

exfer script delegation-owner-spend \
    --wallet    ~/owner.key \
    --tx-id     <LOCK_TX_ID> \
    --delegate  <DELEGATE_PUBKEY_HEX> \
    --expiry    <BLOCK_HEIGHT> \
    --rpc       "$RPC" \
    --json

The owner can always recall the funds, even before expiry. This is the "emergency revoke" path.

Delegate spend (before expiry only)

exfer script delegation-delegate-spend \
    --wallet    ~/delegate.key \
    --tx-id     <LOCK_TX_ID> \
    --owner     <OWNER_PUBKEY_HEX> \
    --expiry    <BLOCK_HEIGHT> \
    --rpc       "$RPC" \
    --json

The CLI refuses to submit once current_height >= expiry. On chain, the script enforces the same — any block-publishing miner will reject a delegate spend at or after the expiry height.

When this fits

  • Agent / bot operating an account. Give the agent a delegate key with a 1-week expiry; renew the lock weekly. If the agent's key leaks, the blast radius is bounded to the remaining time on the lock.
  • Subordinate spending allowance. A finance assistant can pay invoices up to a budget, time-bounded.
  • Service that auto-trades for you. Funds are restricted to a short window; you renew rather than handing over indefinite custody.

When this does not fit

  • You want the delegate to be unable to spend at all once expired. Delegation gives that: post-expiry, only the owner can sign.
  • You want the owner to be unable to override the delegate. This pattern is owner-first; the owner can always spend. If you need an irrevocable grant, use a different script (e.g. multisig where the owner is not a signer).

Common pitfalls

  • Forgetting to renew before expiry. Funds get stuck (well — not stuck, but only owner-spendable). If you ran a long-running agent off a delegation, automate the renewal cycle.
  • Setting --expiry too far out. A compromised delegate key with a year of life is nearly as bad as a permanent grant. Short and renewed beats long and forgotten.
  • Re-locking with the wrong --owner / --delegate on spend. Both flags bind into the script witness — values must match the lock-time configuration exactly.