<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.8) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-li-oauth-delegated-authorization-02" category="info" submissionType="IETF">
  <front>
    <title abbrev="Delegated-Auth">OAuth 2.0 Delegated Authorization</title>

    <author initials="R." surname="Li" fullname="Ruochen Li">
      <organization>Huawei Int. Pte Ltd</organization>
      <address>
        <email>li.ruochen@h-partners.com</email>
      </address>
    </author>
    <author initials="H." surname="Wang" fullname="Haiguang Wang">
      <organization>Huawei Int. Pte Ltd</organization>
      <address>
        <email>wang.haiguang.shieldlab@huawei.com</email>
      </address>
    </author>
    <author initials="C." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei Technologies</organization>
      <address>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <author initials="T." surname="Li" fullname="Tieyan Li">
      <organization>Huawei Int. Pte Ltd</organization>
      <address>
        <email>Li.Tieyan@huawei.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    
    <workgroup>oauth</workgroup>
    

    <abstract>


<?line 66?>

<t>Delegated authorization enables a client to delegate a subset of its granted privileges to a subordinate access token (also known as a delegated access token). This mechanism allows the client to securely delegate authorization to another application while maintaining fine-grained control over delegated permissions.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://liuchunchi.github.io/li-oauth-delegated-authorization/draft-li-oauth-delegated-authorization.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-li-oauth-delegated-authorization/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        WG Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://datatracker.ietf.org/wg/oauth/about/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/liuchunchi/li-oauth-delegated-authorization"/>.</t>
    </note>


  </front>

  <middle>


<?line 70?>

<section anchor="introduction"><name>Introduction</name>

<t>OAuth 2.0 <xref target="RFC6749"/> provides a framework for authorizing third-party applications to access protected resources on behalf of a resource owner. However, in existing implementations, access tokens issued to clients often contain excessive permissions that exceed actual requirements, creating security vulnerabilities and potential data exposure risks.</t>

<t>This specification extends OAuth 2.0 with a delegated authorization framework that enables clients to create subordinate access tokens with restricted permissions. This approach addresses the problem of over-privileged access tokens by implementing a token-chain architecture that decouples the initial authorization from the final resource access, allowing delegated tokens to be created and used flexibly.</t>

</section>
<section anchor="requirements-language"><name>Requirements Language</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="terminology"><name>Terminology</name>

<t>This specification uses the following terms defined in OAuth 2.0 <xref target="RFC6749"/>: authorization server, client, resource server, and resource owner. A resource server can also act as a client when it accesses one or more downstream resource servers. This document refers to such an entity as an intermediary resource server: it is downstream from the client that invokes it, and acts as a client when making requests to resource servers that are farther downstream in the call chain. Intermediary resource servers can be chained.</t>

<t>The following additional terms are used throughout this document:</t>

<dl>
  <dt><strong>Intermediary Resource Server</strong>:</dt>
  <dd>
    <t>A resource server that receives a request from a client and, to serve that request, acts as an OAuth client when accessing one or more downstream resource servers. It is downstream from its caller and upstream from the resource servers it invokes. A downstream resource server can itself be an intermediary resource server when it invokes another resource server farther downstream in the call chain.</t>
  </dd>
  <dt><strong>Target Resource Server</strong>:</dt>
  <dd>
    <t>The resource server that receives a delegated access token from an upstream intermediary resource server for a particular downstream request and hosts the protected resource requested in that hop. This role is relative to a particular request: a target resource server for one hop can also act as an intermediary resource server for a subsequent downstream hop. It is downstream from the intermediary resource servers that precede it in that call chain.</t>
  </dd>
  <dt><strong>Delegation Token</strong>:</dt>
  <dd>
    <t>A token issued by the authorization server for the client that enables the client to create delegated access tokens.</t>
  </dd>
  <dt><strong>Delegated Access Token</strong>:</dt>
  <dd>
    <t>A token created by the client using the delegation token, with permissions being a subset of the delegation token's privileges and a more limited lifespan.</t>
  </dd>
  <dt><strong>Delegation Key</strong>:</dt>
  <dd>
    <t>A cryptographic key bound to the delegation token, used by the client to sign delegated access tokens. The delegation key is presented in the token request as the <spanx style="verb">delegation_key</spanx> parameter.</t>
  </dd>
</dl>

</section>
<section anchor="overview"><name>Overview</name>

<t>The delegated authorization framework introduces a hierarchical token structure where a client can obtain a delegation token from an authorization server and use it to issue subordinate access tokens with reduced permissions. This enables fine-grained access control while maintaining the security properties of the original authorization grant.</t>

<figure title="Delegated Authorization Framework Architecture" align="center" anchor="fig-architecture"><artset><artwork  type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="672" width="616" viewBox="0 0 616 672" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 64,368 L 64,496" fill="none" stroke="black"/>
<path d="M 96,32 L 96,288" fill="none" stroke="black"/>
<path d="M 120,288 L 120,368" fill="none" stroke="black"/>
<path d="M 168,288 L 168,368" fill="none" stroke="black"/>
<path d="M 192,32 L 192,112" fill="none" stroke="black"/>
<path d="M 192,144 L 192,256" fill="none" stroke="black"/>
<path d="M 216,368 L 216,464" fill="none" stroke="black"/>
<path d="M 376,32 L 376,48" fill="none" stroke="black"/>
<path d="M 376,80 L 376,144" fill="none" stroke="black"/>
<path d="M 376,176 L 376,192" fill="none" stroke="black"/>
<path d="M 376,224 L 376,288" fill="none" stroke="black"/>
<path d="M 384,368 L 384,496" fill="none" stroke="black"/>
<path d="M 384,576 L 384,656" fill="none" stroke="black"/>
<path d="M 448,496 L 448,568" fill="none" stroke="black"/>
<path d="M 504,32 L 504,144" fill="none" stroke="black"/>
<path d="M 504,176 L 504,288" fill="none" stroke="black"/>
<path d="M 512,368 L 512,496" fill="none" stroke="black"/>
<path d="M 512,576 L 512,656" fill="none" stroke="black"/>
<path d="M 96,32 L 192,32" fill="none" stroke="black"/>
<path d="M 376,32 L 504,32" fill="none" stroke="black"/>
<path d="M 192,64 L 376,64" fill="none" stroke="black"/>
<path d="M 192,128 L 376,128" fill="none" stroke="black"/>
<path d="M 376,144 L 504,144" fill="none" stroke="black"/>
<path d="M 376,176 L 504,176" fill="none" stroke="black"/>
<path d="M 192,208 L 376,208" fill="none" stroke="black"/>
<path d="M 192,272 L 376,272" fill="none" stroke="black"/>
<path d="M 96,288 L 112,288" fill="none" stroke="black"/>
<path d="M 128,288 L 192,288" fill="none" stroke="black"/>
<path d="M 376,288 L 504,288" fill="none" stroke="black"/>
<path d="M 64,368 L 160,368" fill="none" stroke="black"/>
<path d="M 176,368 L 216,368" fill="none" stroke="black"/>
<path d="M 384,368 L 512,368" fill="none" stroke="black"/>
<path d="M 216,400 L 376,400" fill="none" stroke="black"/>
<path d="M 216,480 L 384,480" fill="none" stroke="black"/>
<path d="M 64,496 L 216,496" fill="none" stroke="black"/>
<path d="M 384,496 L 512,496" fill="none" stroke="black"/>
<path d="M 384,576 L 512,576" fill="none" stroke="black"/>
<path d="M 384,656 L 512,656" fill="none" stroke="black"/>
<polygon class="arrowhead" points="456,568 444,562.4 444,573.6" fill="black" transform="rotate(90,448,568)"/>
<polygon class="arrowhead" points="384,400 372,394.4 372,405.6" fill="black" transform="rotate(0,376,400)"/>
<polygon class="arrowhead" points="384,208 372,202.4 372,213.6" fill="black" transform="rotate(0,376,208)"/>
<polygon class="arrowhead" points="384,64 372,58.4 372,69.6" fill="black" transform="rotate(0,376,64)"/>
<polygon class="arrowhead" points="224,480 212,474.4 212,485.6" fill="black" transform="rotate(180,216,480)"/>
<polygon class="arrowhead" points="200,272 188,266.4 188,277.6" fill="black" transform="rotate(180,192,272)"/>
<polygon class="arrowhead" points="200,128 188,122.4 188,133.6" fill="black" transform="rotate(180,192,128)"/>
<polygon class="arrowhead" points="176,368 164,362.4 164,373.6" fill="black" transform="rotate(90,168,368)"/>
<polygon class="arrowhead" points="128,288 116,282.4 116,293.6" fill="black" transform="rotate(270,120,288)"/>
<g class="text">
<text x="212" y="36">1.</text>
<text x="280" y="36">Authorization</text>
<text x="272" y="52">Request</text>
<text x="436" y="84">Resource</text>
<text x="212" y="100">2.</text>
<text x="280" y="100">Authorization</text>
<text x="440" y="100">Owner</text>
<text x="264" y="116">Grant</text>
<text x="140" y="164">Client</text>
<text x="212" y="180">3.</text>
<text x="280" y="180">Authorization</text>
<text x="264" y="196">Grant</text>
<text x="440" y="228">Authorization</text>
<text x="212" y="244">4.</text>
<text x="268" y="244">Delegation</text>
<text x="444" y="244">Server</text>
<text x="264" y="260">Token</text>
<text x="180" y="308">5.</text>
<text x="232" y="308">Delegated</text>
<text x="12" y="324">6.</text>
<text x="64" y="324">Delegated</text>
<text x="236" y="324">Access</text>
<text x="84" y="340">Resource</text>
<text x="232" y="340">Token</text>
<text x="236" y="372">5.</text>
<text x="288" y="372">Delegated</text>
<text x="292" y="388">Access</text>
<text x="344" y="388">Token</text>
<text x="132" y="404">Intermediary</text>
<text x="436" y="404">Downstream</text>
<text x="488" y="404">/</text>
<text x="108" y="420">Resource</text>
<text x="172" y="420">Server</text>
<text x="444" y="420">Target</text>
<text x="236" y="436">6.</text>
<text x="276" y="436">Target</text>
<text x="444" y="436">Resource</text>
<text x="288" y="452">Protected</text>
<text x="456" y="452">Server(s)</text>
<text x="284" y="468">Resource</text>
<text x="492" y="532">Optional</text>
<text x="572" y="532">subsequent</text>
<text x="500" y="548">downstream</text>
<text x="576" y="548">request</text>
<text x="436" y="596">Downstream</text>
<text x="488" y="596">/</text>
<text x="444" y="612">Target</text>
<text x="444" y="628">Resource</text>
<text x="444" y="644">Server</text>
</g>
</svg>
</artwork><artwork  type="ascii-art"><![CDATA[
           +-----------+ 1. Authorization     +---------------+
           |           |      Request         |               |
           |           +---------------------->               |
           |           |                      |   Resource    |
           |           | 2. Authorization     |     Owner     |
           |           |      Grant           |               |
           |           <----------------------+               |
           |           |                      +---------------+
           |  Client   |                                       
           |           | 3. Authorization     +---------------+
           |           |      Grant           |               |
           |           +---------------------->               |
           |           |                      | Authorization |
           |           | 4. Delegation        |     Server    |
           |           |      Token           |               |
           |           <----------------------+               |
           +--^-----+--+                      +---------------+
              |     |5. Delegated                              
6. Delegated  |     |     Access                               
      Resource|     |     Token                                
              |     |                                          
       +------+-----v-----+ 5. Delegated       +---------------+
       |                  |      Access Token  |               |
       |  Intermediary    +------------------->| Downstream /  |
       | Resource Server  |                    |    Target     |
       |                  | 6. Target          |   Resource    |
       |                  |    Protected       |    Server(s)  |
       |                  |    Resource        |               |
       |                  <--------------------+               |
       +------------------+                    +-------+-------+
                                                       |
                                                       | Optional subsequent
                                                       | downstream request
                                                       v
                                               +---------------+
                                               | Downstream /  |
                                               |    Target     |
                                               |   Resource    |
                                               |    Server     |
                                               +---------------+
]]></artwork></artset></figure>

<t><list style="numbers" type="1">
  <t>The client requests authorization from the resource owner. The client indicates in the authorization request that the requested authorization grant is for delegated authorization.</t>
  <t>The client receives an authorization grant.</t>
  <t>The client requests a delegation token by authenticating with the authorization server and presenting the authorization grant and its delegation key as defined in Section 3.</t>
  <t>The authorization server authenticates the client and validates the authorization grant, and if valid, issues a delegation token.</t>
  <t>The client calls an intermediary resource server's API, presenting the delegated access token generated from the delegation token. The delegated access token is issued by the client using the delegation key. The intermediary resource server can request protected resources from one or more downstream resource servers by presenting the delegated access token. A downstream resource server can itself be an intermediary resource server for a subsequent downstream request.</t>
  <t>A target resource server for a downstream request validates the delegated access token, and if valid, serves the resource. Responses propagate back through the intermediary resource servers, each of which can optionally transform a downstream response into a service-specific response, and ultimately return a response to the client.</t>
</list></t>

<t>Both delegation token and delegated access token can be JSON Web Tokens (JWTs) <xref target="RFC7519"/> or CBOR Web Tokens (CWTs) <xref target="RFC8392"/>.</t>

</section>
<section anchor="protected-resource-metadata-discovery"><name>Protected Resource Metadata Discovery</name>

<t>Before the client retrieves a delegation token and generates a delegated access token for an intermediary resource server, the client needs to determine the permissions required by that resource server for its own protected resources, the permissions required when accessing downstream resource servers, and the identity of those downstream resource servers. Such information can be manually configured into the client, or it can be dynamically discovered using OAuth 2.0 Protected Resource Metadata <xref target="RFC9728"/>.</t>

<t>Each resource server publishes its metadata at the standard well-known URI as defined in <xref target="RFC9728"/>. The metadata describes the resource server as a protected resource. A client can determine that a resource server is an intermediary resource server when the metadata contains the <spanx style="verb">delegated_resources</spanx> key. The <spanx style="verb">delegated_resources</spanx> metadata field identifies any downstream resource servers the publishing resource server accesses and the authorization capabilities for each. If a downstream resource server is itself an intermediary resource server, the client can also retrieve that resource server's metadata to discover subsequent downstream requirements.</t>

<t>The <spanx style="verb">authorization_requirements</spanx> metadata field identifies the authorization requirements for specific endpoints or operations. A client can use this field to request a delegation token and create delegated access tokens with the minimum permissions needed for the intended request. Discovery of protected resource metadata, including use of the <spanx style="verb">WWW-Authenticate</spanx> <spanx style="verb">resource_metadata</spanx> parameter, follows <xref target="RFC9728"/>.</t>

<section anchor="the-delegatedresources-metadata-field"><name>The <spanx style="verb">delegated_resources</spanx> Metadata Field</name>

<t>This specification defines a new protected resource metadata field, <spanx style="verb">delegated_resources</spanx>, that indicates the downstream resource servers and the authorization capabilities the publishing resource server needs for each.</t>

<dl>
  <dt><strong>delegated_resources</strong>:</dt>
  <dd>
    <t>JSON object mapping downstream protected resource identifiers (as defined in <xref target="RFC9728"/>) to the authorization capabilities for each. Each downstream resource value is a JSON object containing the following members:
</t>

    <dl>
      <dt><strong>authorization_target</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. String identifying the protected resource to which the listed <spanx style="verb">scopes_supported</spanx> or <spanx style="verb">authorization_details_types_supported</spanx> apply. The value <spanx style="verb">self</spanx> indicates the downstream protected resource identified by the corresponding <spanx style="verb">delegated_resources</spanx> key. Any other value is a protected resource identifier as defined in <xref target="RFC9728"/>. If omitted, the default value is <spanx style="verb">self</spanx>.</t>
      </dd>
      <dt><strong>scopes_supported</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of scope values <xref target="RFC6749"/> that the publishing resource server may need at the <spanx style="verb">authorization_target</spanx>.</t>
      </dd>
      <dt><strong>authorization_details_types_supported</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of authorization details types <xref target="RFC9396"/> that the publishing resource server may need at the <spanx style="verb">authorization_target</spanx>.</t>
      </dd>
    </dl>
  </dd>
</dl>

<t>A downstream resource value <bcp14>MUST</bcp14> contain at least one of <spanx style="verb">scopes_supported</spanx> or <spanx style="verb">authorization_details_types_supported</spanx>.</t>

</section>
<section anchor="the-authorizationrequirements-metadata-field"><name>The <spanx style="verb">authorization_requirements</spanx> Metadata Field</name>

<t>This specification defines a new protected resource metadata field, <spanx style="verb">authorization_requirements</spanx>, that indicates the authorization requirements for specific endpoints or operations of the publishing resource server. The requirements can describe permissions needed at the publishing resource server itself, permissions delegated to downstream resource servers, or both.</t>

<dl>
  <dt><strong>authorization_requirements</strong>:</dt>
  <dd>
    <t>JSON array of authorization requirement objects. Each object describes one endpoint or operation and the permissions required to access it. The following members are defined:
</t>

    <dl>
      <dt><strong>methods</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of HTTP methods to which this requirement applies. If omitted, the requirement applies independent of HTTP method.</t>
      </dd>
      <dt><strong>path</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. Absolute path or path template identifying the endpoint to which this requirement applies. If omitted, the requirement applies to the operation as otherwise identified by the object.</t>
      </dd>
      <dt><strong>operation</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. String identifying an application-level operation to which this requirement applies. This member is intended for APIs where the authorization requirement is associated with a named action rather than only with an HTTP path. The syntax and semantics of the operation identifier are deployment specific. For HTTP APIs where the method and path uniquely identify the protected action, <spanx style="verb">methods</spanx> and <spanx style="verb">path</spanx> are preferred.</t>
      </dd>
      <dt><strong>scopes</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of scope values <xref target="RFC6749"/> required for the identified endpoint or operation at the publishing resource server.</t>
      </dd>
      <dt><strong>authorization_details_types</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of authorization details types <xref target="RFC9396"/> required or accepted for the identified endpoint or operation at the publishing resource server.</t>
      </dd>
      <dt><strong>authorization_details</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON array of authorization detail objects <xref target="RFC9396"/> that describe the required permissions for the identified endpoint or operation at the publishing resource server. This member can be used when the authorization details type alone is not sufficient to describe the minimum required permission.</t>
      </dd>
      <dt><strong>delegated_resources</strong>:</dt>
      <dd>
        <t><bcp14>OPTIONAL</bcp14>. JSON object mapping downstream protected resource identifiers to delegated authorization requirement objects. This member describes permissions that the publishing resource server needs to receive in a delegated access token in order to call the specified downstream resource servers while serving the identified local endpoint or operation. Each delegated authorization requirement object <bcp14>MAY</bcp14> contain <spanx style="verb">authorization_target</spanx>, with the same semantics as in the <spanx style="verb">delegated_resources</spanx> metadata field, and identifies required permissions using <spanx style="verb">scopes</spanx>, <spanx style="verb">authorization_details_types</spanx>, or <spanx style="verb">authorization_details</spanx>.</t>
      </dd>
    </dl>
  </dd>
</dl>

<t>A top-level authorization requirement object <bcp14>MUST</bcp14> identify an endpoint or operation using <spanx style="verb">path</spanx>, <spanx style="verb">operation</spanx>, or both. Each top-level authorization requirement object <bcp14>MUST</bcp14> contain at least one of <spanx style="verb">scopes</spanx>, <spanx style="verb">authorization_details_types</spanx>, <spanx style="verb">authorization_details</spanx>, or <spanx style="verb">delegated_resources</spanx>. Each delegated authorization requirement object <bcp14>MUST</bcp14> contain at least one of <spanx style="verb">scopes</spanx>, <spanx style="verb">authorization_details_types</spanx>, or <spanx style="verb">authorization_details</spanx>. The <spanx style="verb">authorization_requirements</spanx> field is optional. Resource servers <bcp14>MAY</bcp14> omit it when authorization requirements are dynamic, confidential, or better conveyed through an authorization challenge.</t>

<t>When both <spanx style="verb">path</spanx> and <spanx style="verb">operation</spanx> are present, <spanx style="verb">path</spanx> identifies the endpoint and <spanx style="verb">operation</spanx> further identifies the action within that endpoint.</t>

<t>The <spanx style="verb">authorization_requirements</spanx> metadata is self-declared discovery information. It does not replace access control enforcement by resource servers, and clients <bcp14>MUST NOT</bcp14> assume that possession of the indicated permissions guarantees access to the identified endpoint or operation.</t>

</section>
<section anchor="metadata-example"><name>Metadata Example</name>

<t>The following is a non-normative example of a resource server publishing protected resource metadata that describes both its downstream resource server capabilities and endpoint-specific authorization requirements:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "resource": "https://analytics.example.com",
  "scopes_supported": ["openid", "analytics:summary"],
  "authorization_servers": ["https://idp.example.com"],

  "delegated_resources": {
    "https://crm.example.com": {
      "authorization_target": "self",
      "scopes_supported": ["read:contacts", "read:reports"],
      "authorization_details_types_supported": ["data"]
    }
  },

  "authorization_requirements": [
    {
      "methods": ["GET"],
      "path": "/summary",
      "scopes": ["analytics:summary"]
    },
    {
      "methods": ["GET"],
      "path": "/reports/contacts",
      "delegated_resources": {
        "https://crm.example.com": {
          "scopes": ["read:contacts"],
          "authorization_details_types": ["data"]
        }
      }
    },
    {
      "methods": ["GET"],
      "path": "/reports/monthly",
      "delegated_resources": {
        "https://crm.example.com": {
          "authorization_target": "https://reports.example.com",
          "scopes": ["read:reports"]
        }
      }
    }
  ]
}
]]></sourcecode></figure>

<t>In this example the resource server (<spanx style="verb">https://analytics.example.com</spanx>) indicates that it supports its own <spanx style="verb">analytics:summary</spanx> scope and that it may need access to the CRM resource server (<spanx style="verb">https://crm.example.com</spanx>) with the <spanx style="verb">read:contacts</spanx> and <spanx style="verb">read:reports</spanx> scopes. The <spanx style="verb">authorization_requirements</spanx> field further indicates that <spanx style="verb">GET /summary</spanx> requires the local <spanx style="verb">analytics:summary</spanx> scope, <spanx style="verb">GET /reports/contacts</spanx> requires a delegated access token that covers the CRM <spanx style="verb">read:contacts</spanx> scope and <spanx style="verb">data</spanx>-type authorization details, and <spanx style="verb">GET /reports/monthly</spanx> requires a delegated access token presented to CRM that covers the <spanx style="verb">read:reports</spanx> scope at <spanx style="verb">https://reports.example.com</spanx>.</t>

<t>The client uses this information, and optionally the metadata of downstream intermediary resource servers, to:</t>

<t><list style="numbers" type="1">
  <t>Request a delegation token from the authorization server with appropriate permissions (see Section 7).</t>
  <t>Create delegated access tokens with the correct permissions, audience, and downstream resource identifiers (see Section 8).</t>
</list></t>

</section>
</section>
<section anchor="delegation-tokens-and-delegated-access-tokens"><name>Delegation Tokens and Delegated Access Tokens</name>

<t>This section defines the properties of delegation tokens and delegated access tokens. The delegated authorization framework uses a hierarchical token structure where tokens form a chain: a delegation token can be used to create subordinate tokens, which can either be another delegation token (to continue the chain) or a delegated access token (to access protected resources). The top-level token in the chain is issued by the authorization server, while subordinate tokens are created by clients.</t>

<section anchor="delegation-tokens"><name>Delegation Tokens</name>

<t>A delegation token is a token that can be used to create subordinate tokens. It contains a <spanx style="verb">max_delegation_depth</spanx> claim that limits the maximum length of the delegation chain.</t>

<dl>
  <dt><strong>delegation_key</strong>:</dt>
  <dd>
    <t>The cryptographic key bound to the delegation token, used by the client to sign subordinate tokens (either another delegation token or a delegated access token). The value is a JSON object representing the public key, using key format as defined in <xref target="RFC7517"/>. This claim <bcp14>MUST</bcp14> be present in delegation tokens. The corresponding private key is held by the client and used to create subordinate tokens. Subordinate tokens <bcp14>MUST</bcp14> include the parent delegation token in the <spanx style="verb">delegation_token</spanx> claim, creating a verifiable chain from the top-level token to the subordinate token.</t>
  </dd>
  <dt><strong>max_delegation_depth</strong>:</dt>
  <dd>
    <t><bcp14>OPTIONAL</bcp14>. Integer value indicating the maximum depth of the delegation chain. If not present, the delegation chain is unrestricted. When a client creates a subordinate token from a delegation token:</t>
  </dd>
</dl>

<t><list style="symbols">
  <t>If the parent delegation token has a <spanx style="verb">max_delegation_depth</spanx> value, the subordinate delegation token <bcp14>MUST</bcp14> have a <spanx style="verb">max_delegation_depth</spanx> value smaller than the parent's value.</t>
  <t>If the parent delegation token does not have a <spanx style="verb">max_delegation_depth</spanx> value, the subordinate delegation token <bcp14>MAY</bcp14> set any <spanx style="verb">max_delegation_depth</spanx> value.</t>
</list></t>

<t>When <spanx style="verb">max_delegation_depth</spanx> reaches 1, the subordinate token <bcp14>MUST</bcp14> be a delegated access token (no further delegation is allowed).</t>

<t>The <spanx style="verb">scope</spanx> / <spanx style="verb">authorization_details</spanx>, <spanx style="verb">aud</spanx>, <spanx style="verb">exp</spanx>, and <spanx style="verb">nbf</spanx> claims <bcp14>MAY</bcp14> be present in delegation tokens and can be reduced in subordinate tokens.</t>

<dl>
  <dt><strong>scope</strong> / <strong>authorization_details</strong>:</dt>
  <dd>
    <t>The scope (as defined in <xref target="RFC8693"/>) or authorization details (as defined in <xref target="RFC9396"/>) of the delegation token. When creating a subordinate token, the client <bcp14>MAY</bcp14> reduce the scope or authorization_details to a subset of the parent token's permissions.</t>
  </dd>
  <dt><strong>aud</strong>:</dt>
  <dd>
    <t>The audience of the delegation token. When creating a subordinate token, the client <bcp14>MAY</bcp14> narrow the audience to a subset of the parent token's audience.</t>
  </dd>
  <dt><strong>exp</strong>:</dt>
  <dd>
    <t>The expiration time of the delegation token. When creating a subordinate token, the client <bcp14>MUST</bcp14> set an expiration time that is no later than the parent token's expiration time.</t>
  </dd>
  <dt><strong>nbf</strong>:</dt>
  <dd>
    <t>The not-before time of the delegation token. When creating a subordinate token, the client <bcp14>MAY</bcp14> set a not-before time that is later than the parent token's not-before time.</t>
  </dd>
</dl>

<section anchor="top-level-delegation-token"><name>Top Level Delegation Token</name>

<t>The top-level delegation token is issued by the authorization server and <bcp14>MAY</bcp14> contain the <spanx style="verb">iss</spanx>, <spanx style="verb">sub</spanx>, and <spanx style="verb">jti</spanx> claims. If present, these claims apply to the entire token chain. These claims <bcp14>MUST NOT</bcp14> be present in subordinate delegation tokens or delegated access tokens.</t>

<dl>
  <dt><strong>iss</strong>:</dt>
  <dd>
    <t>The issuer of the delegation token. This claim applies to all subordinate tokens in the chain.</t>
  </dd>
  <dt><strong>sub</strong>:</dt>
  <dd>
    <t>The subject of the delegation token, typically representing the resource owner or the client. This claim applies to all subordinate tokens in the chain.</t>
  </dd>
  <dt><strong>jti</strong>:</dt>
  <dd>
    <t>Unique identifier for the delegation token. This claim applies to all subordinate tokens in the chain.</t>
  </dd>
</dl>

<t>Subordinate delegation tokens and delegated access tokens <bcp14>MUST NOT</bcp14> include the <spanx style="verb">iss</spanx>, <spanx style="verb">sub</spanx>, or <spanx style="verb">jti</spanx> claims. Verifiers (resource servers) <bcp14>SHALL</bcp14> consider these claims from the top-level delegation token when validating the entire token chain.</t>

</section>
</section>
<section anchor="delegated-access-tokens"><name>Delegated Access Tokens</name>

<t>A delegated access token is a token used to access protected resources. It cannot be used to create subordinate tokens.</t>

<t>The <spanx style="verb">scope</spanx>, <spanx style="verb">aud</spanx>, <spanx style="verb">exp</spanx>, and <spanx style="verb">nbf</spanx> claims in delegated access tokens follow the same rules as in delegation tokens, as described in Section 6.1.</t>

<dl>
  <dt><strong>max_delegation_depth</strong>:</dt>
  <dd>
    <t>Delegated access tokens do not need to include a <spanx style="verb">max_delegation_depth</spanx> claim, even if the parent delegation token has one. If a delegated access token includes <spanx style="verb">max_delegation_depth</spanx>, its value <bcp14>MUST</bcp14> be 0.</t>
  </dd>
</dl>

</section>
</section>
<section anchor="acquiring-delegation-tokens"><name>Acquiring Delegation Tokens</name>

<t>The client requests a delegation token using standard OAuth 2.0 grant types with additional parameters to distinguish delegation requests from standard token requests.</t>

<section anchor="authorization-code-grant"><name>Authorization Code Grant</name>

<t>For authorization code grant type, the client <bcp14>MUST</bcp14> include a <spanx style="verb">delegation=true</spanx> parameter in the authorization request to indicate that the client is requesting a delegation token instead of an OAuth 2.0 access token.</t>

<t>Additionally, the authorization request <bcp14>MUST</bcp14> include either a <spanx style="verb">scope</spanx> parameter (as defined in <xref target="RFC6749"/> Section 3.3), an <spanx style="verb">authorization_details</spanx> parameter (as defined in "Rich Authorization Requests" <xref target="RFC9396"/>), or both, that define the permissions granted to the requested delegation token.</t>

<t>In the token request, the client <bcp14>MUST</bcp14> include a <spanx style="verb">delegation_key</spanx> parameter with the value of the delegation key. The delegation key is a public key for digital signature.</t>

<t>Additionally, the client <bcp14>MAY</bcp14> include in the token request either a <spanx style="verb">scope</spanx> parameter, an <spanx style="verb">authorization_details</spanx> parameter, or both. The client <bcp14>MAY</bcp14> also include a <spanx style="verb">delegation=true</spanx> parameter in the token request.</t>

<t>In the token response, the authorization server <bcp14>MUST</bcp14> include an <spanx style="verb">access_token</spanx> attribute whose value is the delegation token, and <bcp14>MUST</bcp14> include a <spanx style="verb">token_type</spanx> attribute valued <spanx style="verb">"Delegation"</spanx>, and <bcp14>MAY</bcp14> include a <spanx style="verb">refresh_token</spanx> attribute which is the refresh token for obtaining a new delegation token via the refresh token grant.</t>

<t>Other procedures of the authorization code grant are as described in <xref target="RFC6749"/>. Use of Proof Key for Code Exchange (PKCE) <xref target="RFC7636"/> is <bcp14>RECOMMENDED</bcp14>.</t>

</section>
<section anchor="other-grant-types"><name>Other Grant Types</name>

<t>Other OAuth 2.0 grant types, such as the refresh token grant or client credentials grant, <bcp14>MAY</bcp14> support delegated authorization by including the <spanx style="verb">delegation</spanx> and <spanx style="verb">delegation_key</spanx> parameters when applicable. The authorization server <bcp14>MUST</bcp14> validate that the client is authorized to request delegation tokens using the given grant type.</t>

</section>
</section>
<section anchor="creating-delegated-access-tokens"><name>Creating Delegated Access Tokens</name>

<t>The client creates delegated access tokens by:</t>

<t><list style="numbers" type="1">
  <t>Validating the delegation token's validity and permissions.</t>
  <t>Generating a subordinate access token with (optionally) reduced privileges.</t>
  <t>Applying cryptographic protection using the delegation key (digital signature).</t>
</list></t>

<t>The client <bcp14>MUST</bcp14> include the delegation token in the <spanx style="verb">delegation_token</spanx> attribute of the delegated access token.</t>

<t>The client <bcp14>MUST</bcp14> ensure that the delegated access token's scope, lifetime, audience, and other claims do not exceed those of the delegation token. The client <bcp14>MAY</bcp14> generate single-use delegated access tokens that the resource server or authorization server only consider valid when validating it for the first time.</t>

<t>The client is <bcp14>RECOMMENDED</bcp14> to "sender-constrain" the delegated access tokens by binding the delegated access tokens with public keys or certificates where the corresponding private keys are held by the resource servers that will present those tokens, via techniques similar to OAuth 2.0 mTLS <xref target="RFC8705"/> or OAuth 2.0 DPoP <xref target="RFC9449"/>.</t>

</section>
<section anchor="using-delegated-access-tokens"><name>Using Delegated Access Tokens</name>

<t>When the client accesses an intermediary resource server endpoint that requires downstream access, the client <bcp14>MUST</bcp14> include the delegated access token as a bearer token <xref target="RFC6750"/> in the <spanx style="verb">Delegated-Authorization</spanx> header. The delegated access token is used by downstream resource servers to verify requests from upstream intermediary resource servers. The <spanx style="verb">Delegated-Authorization</spanx> header <bcp14>MAY</bcp14> be used in combination with an <spanx style="verb">Authorization</spanx> header used by the intermediary resource server to verify the request from the client.</t>

<t>For example:</t>

<figure><artwork><![CDATA[
GET /dp-resource HTTP/1.1
Host: analytics.example.com
Authorization: Bearer mF_9.B5g1234
Delegated-Authorization: Bearer mF_9.B5f-4.1JqM
]]></artwork></figure>

<t>Upon receiving a request with a <spanx style="verb">Delegated-Authorization</spanx> header, the intermediary resource server can send downstream requests to one or more resource servers for the respective protected resources. For each such downstream request, the invoked resource server is the target resource server for that hop and can itself act as an intermediary resource server for subsequent downstream requests. The intermediary resource server <bcp14>MUST</bcp14> include the received delegated access token as a bearer token in the <spanx style="verb">Authorization</spanx> header.</t>

<t>For example:</t>

<figure><artwork><![CDATA[
GET /target-resource HTTP/1.1
Host: resource.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
]]></artwork></figure>

</section>
<section anchor="verification-of-delegated-access-tokens"><name>Verification of Delegated Access Tokens</name>

<t>Resource servers verify delegated access tokens through either local validation using pre-configured public keys or remote validation via token introspection <xref target="RFC7662"/> at the authorization server.</t>

<section anchor="local-verification"><name>Local Verification</name>

<t>The resource server verifies delegated access tokens by:</t>

<t><list style="numbers" type="1">
  <t>The resource server is pre-configured with the authorization server's public key, or it fetches the public key via the authorization server's JWKS endpoint <xref target="RFC7517"/>.</t>
  <t>Checking the digital signature of the delegation token (part of the delegated access token) against the authorization server's public key.</t>
  <t>Checking the digital signature of the delegated access token against the delegation key bound to the delegation token.</t>
  <t>Verifying the delegated access token's permissions and validity are within the scope of the delegation token.</t>
  <t>Verifying the delegated access token is within validity period, and the delegated access token's permissions cover the resource request.</t>
</list></t>

</section>
<section anchor="token-introspection"><name>Token Introspection</name>

<t>The resource server sends the delegated access token to the authorization server via the token introspection endpoint <xref target="RFC7662"/>. The authorization server verifies the delegated access token against its keys.</t>

</section>
</section>
<section anchor="privacy-considerations"><name>Privacy Considerations</name>

<t>This section describes the privacy properties of the local delegation approach defined in this specification.</t>

<section anchor="privacy-benefits"><name>Privacy Benefits</name>

<t>When a client creates delegated access tokens locally using a delegation token, the authorization server only observes the initial delegation token request. After that, the client can independently issue subordinate tokens without further authorization server interaction. This provides the following privacy benefits:</t>

<t><list style="symbols">
  <t><strong>Minimized Authorization Server Visibility</strong>: The authorization server does not learn which intermediary resource servers are authorized to access downstream resource servers, what resources they access, or when they access them.</t>
  <t><strong>No Access Pattern Correlation</strong>: The authorization server cannot track usage patterns or correlate activities across different resource servers.</t>
  <t><strong>Reduced Data Collection</strong>: The authorization server stores only metadata about the initial delegation token, not about each delegated access token.</t>
  <t><strong>Network Traffic Reduction</strong>: Fewer network round-trips to the authorization server reduce exposure to network surveillance.</t>
</list></t>

</section>
<section anchor="relationship-to-token-exchange"><name>Relationship to Token Exchange</name>

<t>Token Exchange <xref target="RFC8693"/> provides a mechanism for delegating access by having the client exchange one token for another at the authorization server. That approach requires authorization server involvement for each delegation event, which necessarily exposes delegation metadata to the authorization server. The local delegation approach in this specification performs delegation entirely on the client side after the initial token issuance, providing an alternative with different privacy characteristics.</t>

</section>
<section anchor="trade-offs"><name>Trade-offs</name>

<t>While local delegation provides significant privacy benefits, implementations should consider:</t>

<t><list style="symbols">
  <t><strong>Client Responsibility</strong>: The client must securely protect the delegation key and properly enforce delegation rules.</t>
  <t><strong>Auditability</strong>: Deployments requiring delegation event audits can implement client-side logging rather than relying on authorization server monitoring.</t>
  <t><strong>Revocation</strong>: If a delegation key is compromised, the authorization server may need to revoke the entire delegation token.</t>
</list></t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This specification extends OAuth 2.0 to support delegated authorization through hierarchical token issuance. While this enables fine-grained privilege delegation, it also introduces new trust and security considerations.</t>

<t><list style="symbols">
  <t>Delegation tokens <bcp14>MUST NOT</bcp14> be sent to resource servers without subordinate delegated access tokens. Resource servers and authorization servers <bcp14>MUST NOT</bcp14> treat delegation tokens as regular OAuth access tokens.</t>
  <t>Clients <bcp14>MUST</bcp14> protect the delegation key, as compromise allows an attacker to mint valid delegated access tokens within the scope of the delegation token.</t>
  <t>Delegated access tokens <bcp14>SHOULD</bcp14> have short lifetimes and be bound to specific audiences, methods, and sender keys (e.g., via DPoP or mTLS) to mitigate replay and token leakage risks. Resource servers <bcp14>MUST</bcp14> validate both the delegation token and the delegated access token, ensuring the latter does not exceed the former’s permissions.</t>
  <t>Token introspection CAN be used in scenarios where the tokens are kept opaque from the resource servers. If employed, token introspection responses <bcp14>MUST NOT</bcp14> reveal sensitive internal information. Authorization servers <bcp14>SHOULD</bcp14> enforce rate limiting and audit token issuance and validation activities.</t>
  <t>Protected resource metadata published by resource servers is self-declared. Clients and authorization servers <bcp14>SHOULD</bcp14> verify that delegated access tokens remain within the intended scope of delegation. Clients <bcp14>SHOULD</bcp14> not trust <spanx style="verb">delegated_resources</spanx> or <spanx style="verb">authorization_requirements</spanx> metadata from untrusted resource servers without independent verification of the resource server's identity and authorization requirements.</t>
</list></t>

</section>
<section anchor="operational-considerations"><name>Operational Considerations</name>

<t>Deployments of this specification should consider the following operational aspects:</t>

<t><list style="symbols">
  <t><strong>Key Management</strong>: Clients <bcp14>MUST</bcp14> securely store and rotate delegation keys. Authorization servers <bcp14>SHOULD</bcp14> support key rotation for delegation tokens and provide mechanisms to revoke compromised keys.</t>
  <t><strong>Token Lifetimes</strong>: Delegation tokens <bcp14>SHOULD</bcp14> have longer lifetimes than delegated access tokens to reduce authorization server load, and <bcp14>SHOULD</bcp14> be refreshable using refresh tokens.</t>
  <t><strong>Metadata Caching</strong>: Protected resource metadata published by resource servers at <spanx style="verb">/.well-known/oauth-protected-resource</spanx> can be cached by clients; a reasonable default TTL (e.g., 24 hours) is <bcp14>RECOMMENDED</bcp14>.</t>
  <t><strong>Error Handling</strong>: Resource servers <bcp14>SHOULD</bcp14> provide clear error responses (e.g., invalid token, insufficient scope) without exposing implementation details.</t>
  <t><strong>Interoperability</strong>: Implementers <bcp14>SHOULD</bcp14> ensure compatibility with existing OAuth 2.0 features such as PKCE, Rich Authorization Requests, and sender-constrained tokens.</t>
</list></t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<section anchor="oauth-parameters-registry"><name>OAuth Parameters Registry</name>

<t>This specification registers the following parameters in the "OAuth Parameters" registry:</t>

<t><strong>Delegation:</strong></t>

<t><list style="symbols">
  <t><strong>Name</strong>: delegation</t>
  <t><strong>Parameter Usage Location</strong>: authorization request, token request</t>
  <t><strong>Change Controller</strong>: IETF</t>
  <t><strong>Reference</strong>: [this document]</t>
</list></t>

<t><strong>Delegation Key:</strong></t>

<t><list style="symbols">
  <t><strong>Name</strong>: delegation_key</t>
  <t><strong>Parameter Usage Location</strong>: token request</t>
  <t><strong>Change Controller</strong>: IETF</t>
  <t><strong>Reference</strong>: [this document]</t>
</list></t>

</section>
<section anchor="oauth-access-token-types-registry"><name>OAuth Access Token Types Registry</name>

<t>This specification registers the following parameters in the "OAuth Access Token Types" registry:</t>

<t><list style="symbols">
  <t><strong>Name</strong>: Delegation</t>
  <t><strong>Additional Token Endpoint Response Parameters</strong>: (none)</t>
  <t><strong>HTTP Authentication Scheme(s)</strong>: Bearer</t>
  <t><strong>Change Controller</strong>: IETF</t>
  <t><strong>Reference</strong>: [this document]</t>
</list></t>

</section>
<section anchor="http-field-name-registry"><name>HTTP Field Name Registry</name>

<t>This specification registers the following parameters in the "Hypertext Transfer Protocol (HTTP) Field Name" registry:</t>

<t><list style="symbols">
  <t><strong>Field Name</strong>: Delegated-Authorization</t>
  <t><strong>Status</strong>: permanent</t>
  <t><strong>Structured Type</strong>: (none)</t>
  <t><strong>Reference</strong>: [this document]</t>
</list></t>

</section>
<section anchor="oauth-protected-resource-metadata-registry"><name>OAuth Protected Resource Metadata Registry</name>

<t>This specification registers the following entry in the "OAuth Protected Resource Metadata" registry defined in <xref target="RFC9728"/>:</t>

<t><list style="symbols">
  <t><strong>Metadata Name</strong>: delegated_resources</t>
  <t><strong>Metadata Description</strong>: JSON object mapping downstream protected resource identifiers to the authorization capabilities for each. Each downstream resource value contains <spanx style="verb">authorization_target</spanx> and either <spanx style="verb">scopes_supported</spanx> or <spanx style="verb">authorization_details_types_supported</spanx>, indicating permissions that may be needed at that authorization target.</t>
  <t><strong>Change Controller</strong>: IETF</t>
  <t><strong>Specification Document(s)</strong>: [this document]</t>
  <t><strong>Metadata Name</strong>: authorization_requirements</t>
  <t><strong>Metadata Description</strong>: JSON array describing authorization requirements for specific endpoints or operations of the protected resource. Each entry can identify local requirements using <spanx style="verb">scopes</spanx>, <spanx style="verb">authorization_details_types</spanx>, or <spanx style="verb">authorization_details</spanx>, and can identify downstream delegated requirements using <spanx style="verb">delegated_resources</spanx>. Within <spanx style="verb">delegated_resources</spanx>, <spanx style="verb">authorization_target</spanx> distinguishes the protected resource to which the listed permissions apply.</t>
  <t><strong>Change Controller</strong>: IETF</t>
  <t><strong>Specification Document(s)</strong>: [this document]</t>
</list></t>

</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC6749">
  <front>
    <title>The OAuth 2.0 Authorization Framework</title>
    <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
    <date month="October" year="2012"/>
    <abstract>
      <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6749"/>
  <seriesInfo name="DOI" value="10.17487/RFC6749"/>
</reference>
<reference anchor="RFC6750">
  <front>
    <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="D. Hardt" initials="D." surname="Hardt"/>
    <date month="October" year="2012"/>
    <abstract>
      <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6750"/>
  <seriesInfo name="DOI" value="10.17487/RFC6750"/>
</reference>
<reference anchor="RFC7515">
  <front>
    <title>JSON Web Signature (JWS)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7515"/>
  <seriesInfo name="DOI" value="10.17487/RFC7515"/>
</reference>
<reference anchor="RFC7516">
  <front>
    <title>JSON Web Encryption (JWE)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="J. Hildebrand" initials="J." surname="Hildebrand"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7516"/>
  <seriesInfo name="DOI" value="10.17487/RFC7516"/>
</reference>
<reference anchor="RFC7517">
  <front>
    <title>JSON Web Key (JWK)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7517"/>
  <seriesInfo name="DOI" value="10.17487/RFC7517"/>
</reference>
<reference anchor="RFC7519">
  <front>
    <title>JSON Web Token (JWT)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
    <date month="May" year="2015"/>
    <abstract>
      <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7519"/>
  <seriesInfo name="DOI" value="10.17487/RFC7519"/>
</reference>
<reference anchor="RFC7636">
  <front>
    <title>Proof Key for Code Exchange by OAuth Public Clients</title>
    <author fullname="N. Sakimura" initials="N." role="editor" surname="Sakimura"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="N. Agarwal" initials="N." surname="Agarwal"/>
    <date month="September" year="2015"/>
    <abstract>
      <t>OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7636"/>
  <seriesInfo name="DOI" value="10.17487/RFC7636"/>
</reference>
<reference anchor="RFC7662">
  <front>
    <title>OAuth 2.0 Token Introspection</title>
    <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
    <date month="October" year="2015"/>
    <abstract>
      <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7662"/>
  <seriesInfo name="DOI" value="10.17487/RFC7662"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8259">
  <front>
    <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
    <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
    <date month="December" year="2017"/>
    <abstract>
      <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
      <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="90"/>
  <seriesInfo name="RFC" value="8259"/>
  <seriesInfo name="DOI" value="10.17487/RFC8259"/>
</reference>
<reference anchor="RFC8392">
  <front>
    <title>CBOR Web Token (CWT)</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
    <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <date month="May" year="2018"/>
    <abstract>
      <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8392"/>
  <seriesInfo name="DOI" value="10.17487/RFC8392"/>
</reference>
<reference anchor="RFC8414">
  <front>
    <title>OAuth 2.0 Authorization Server Metadata</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <date month="June" year="2018"/>
    <abstract>
      <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8414"/>
  <seriesInfo name="DOI" value="10.17487/RFC8414"/>
</reference>
<reference anchor="RFC8615">
  <front>
    <title>Well-Known Uniform Resource Identifiers (URIs)</title>
    <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
    <date month="May" year="2019"/>
    <abstract>
      <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
      <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8615"/>
  <seriesInfo name="DOI" value="10.17487/RFC8615"/>
</reference>
<reference anchor="RFC8693">
  <front>
    <title>OAuth 2.0 Token Exchange</title>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
    <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
    <date month="January" year="2020"/>
    <abstract>
      <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8693"/>
  <seriesInfo name="DOI" value="10.17487/RFC8693"/>
</reference>
<reference anchor="RFC8705">
  <front>
    <title>OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens</title>
    <author fullname="B. Campbell" initials="B." surname="Campbell"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
    <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
    <date month="February" year="2020"/>
    <abstract>
      <t>This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8705"/>
  <seriesInfo name="DOI" value="10.17487/RFC8705"/>
</reference>
<reference anchor="RFC9110">
  <front>
    <title>HTTP Semantics</title>
    <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
    <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
    <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
    <date month="June" year="2022"/>
    <abstract>
      <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
      <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="97"/>
  <seriesInfo name="RFC" value="9110"/>
  <seriesInfo name="DOI" value="10.17487/RFC9110"/>
</reference>
<reference anchor="RFC9396">
  <front>
    <title>OAuth 2.0 Rich Authorization Requests</title>
    <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
    <author fullname="J. Richer" initials="J." surname="Richer"/>
    <author fullname="B. Campbell" initials="B." surname="Campbell"/>
    <date month="May" year="2023"/>
    <abstract>
      <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9396"/>
  <seriesInfo name="DOI" value="10.17487/RFC9396"/>
</reference>
<reference anchor="RFC9449">
  <front>
    <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
    <author fullname="D. Fett" initials="D." surname="Fett"/>
    <author fullname="B. Campbell" initials="B." surname="Campbell"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
    <author fullname="M. Jones" initials="M." surname="Jones"/>
    <author fullname="D. Waite" initials="D." surname="Waite"/>
    <date month="September" year="2023"/>
    <abstract>
      <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9449"/>
  <seriesInfo name="DOI" value="10.17487/RFC9449"/>
</reference>
<reference anchor="RFC9700">
  <front>
    <title>Best Current Practice for OAuth 2.0 Security</title>
    <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
    <author fullname="A. Labunets" initials="A." surname="Labunets"/>
    <author fullname="D. Fett" initials="D." surname="Fett"/>
    <date month="January" year="2025"/>
    <abstract>
      <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="240"/>
  <seriesInfo name="RFC" value="9700"/>
  <seriesInfo name="DOI" value="10.17487/RFC9700"/>
</reference>
<reference anchor="RFC9728">
  <front>
    <title>OAuth 2.0 Protected Resource Metadata</title>
    <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
    <author fullname="P. Hunt" initials="P." surname="Hunt"/>
    <author fullname="A. Parecki" initials="A." surname="Parecki"/>
    <date month="April" year="2025"/>
    <abstract>
      <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9728"/>
  <seriesInfo name="DOI" value="10.17487/RFC9728"/>
</reference>

<reference anchor="I-D.lombardo-oauth-step-up-authz-challenge-proto">
   <front>
      <title>OAuth 2.0 step-up authorization challenge proto</title>
      <author fullname="Jeff Lombardo" initials="J." surname="Lombardo">
         <organization>AWS</organization>
      </author>
      <author fullname="Alexandre Babeanu" initials="A." surname="Babeanu">
         <organization>IndyKite</organization>
      </author>
      <author fullname="Yaron Zehavi" initials="Y." surname="Zehavi">
         <organization>Raiffeisen Bank International</organization>
      </author>
      <author fullname="George Fletcher" initials="G." surname="Fletcher">
         <organization>Practical Identity</organization>
      </author>
      <date day="30" month="June" year="2025"/>
      <abstract>
	 <t>   It is not uncommon for resource servers to require additional
   information like details of delegation authorization, or assurance
   proof of the delegation of authorization mechanism used according to
   the characteristics of a request.  This document introduces a
   mechanism that resource servers can use to signal to a client that
   the data and metadata associated with the access token of the current
   request does not meet its authorization requirements and, further,
   how to meet them.  This document also codifies a taxonomy to guide
   the client into starting a new request towards the authorization
   server in order to get issued, if applicable, a new set of tokens
   matching the requirements.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-lombardo-oauth-step-up-authz-challenge-proto-02"/>
   
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC8792">
  <front>
    <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/>
    <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
    <author fullname="A. Farrel" initials="A." surname="Farrel"/>
    <author fullname="Q. Wu" initials="Q." surname="Wu"/>
    <date month="June" year="2020"/>
    <abstract>
      <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8792"/>
  <seriesInfo name="DOI" value="10.17487/RFC8792"/>
</reference>



    </references>

</references>


<?line 530?>

<section anchor="token-format"><name>Token Format</name>

<t>The example tokens in this section are shown in Flattened JSON Serialization <xref target="RFC7515"/> <xref target="RFC7516"/>, un-base64url-encoded and with comments for ease of reading. When used as JWTs <xref target="RFC7519"/>, they should be represented in Compact Serialization <xref target="RFC7515"/> <xref target="RFC7516"/>. Similarly, they can be represented as CWTs <xref target="RFC8392"/>.</t>

<section anchor="example-1"><name>Example 1</name>

<t>In this example, the delegation token is a JWS token signed with HS256, and the delegated access token is a JWS token signed with RS256.</t>

<t><strong>Delegation Token</strong>:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "protected": {
    "_comment": "to be base64url-encoded",
    "alg": "HS256",
    "typ": "JWT",
    "kid": "as-key-1"
  },
  "payload": {
    "_comment": "to be base64url-encoded",
    "iss": "https://as1.example.com",
    "sub": "user@example.com",
    "aud": "https://res1.example.com",
    "iat": 1772177588,
    "exp": 1774769588,
    "scope": "email:read email:send",
    "delegation_key": {
      "kty": "RSA",
      "n": "0Z5t3Rwhfz4MJxdNzg2I6Bsf9H_3kcMKtH6iwJsLV2DKO1MVcHb6wsxHZpqRePjm5Q1-pImr4pT67hCHyAR6kS4QbTrBZcjSe8lsvZIiifiBVWZxz8ZAfdj6EFSOWhFLZ0GVqe9NMslwX1hHOwmhRmMjGjexISPsZk5qN3gwqmD36H1GS-rE-cWlXI9f4pVcCdYqE0rfhZ7hDn5mrpWWY8wJuQa2jFqX-Fhyvt_Zh-qaa5Wp8cLJPS_ceAcLeS5mOYE58beelp51PuCDpq7a9fN4K_EpcSD7Ay0GrJxgN_VcLA7DgOAuU6zYDzk2KnmQ3qz35Tj5hy8jDHgF1AaSTw",
      "e": "AQAB"
    }
  },
  "signature": "SBwdWhy4dissabBRoyyxMxRuVUbsFYv_1HZFeROLh5A"
}
]]></sourcecode></figure>

<t><strong>Delegated Access Token</strong>:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "protected": {
    "_comment": "to be base64url-encoded",
    "alg": "RS256",
    "typ": "JWT",
    "kid": "delegation-key-1"
  },
  "payload": {
    "_comment": "to be base64url-encoded",
    "sub": "https://dp1.example.com",
    "aud": "https://res1.example.com",
    "iat": 1772181188,
    "exp": 1772184788,
    "scope": "email:read",
    "delegationToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFzLWtleS0xIn0.eyJpc3MiOiJodHRwczovL2FzMS5leGFtcGxlLmNvbSIsInN1YiI6InVzZXJAZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL3JlczEuZXhhbXBsZS5jb20iLCJpYXQiOjE3NzIxNzc1ODgsImV4cCI6MTc3NDc2OTU4OCwic2NvcGUiOiJlbWFpbDpyZWFkIGVtYWlsOnNlbmQiLCJkZWxlZ2F0aW9uX2tleSI6eyJrdHkiOiJSU0EiLCJuIjoiMFo1dDNSd2hmejRNSnhkTnpnMkk2QnNmOUhfM2tjTUt0SDZpd0pzTFYyREtPMU1WY0hiNndzeEhacHFSZVBqbTVRMS1wSW1yNHBUNjdoQ0h5QVI2a1M0UWJUckJaY2pTZThsc3ZaSWlpZmlCVldaeHo4WkFmZGo2RUZTT1doRkxaMEdWcWU5Tk1zbHdYMWhIT3dtaFJtTWpHamV4SVNQc1prNXFOM2d3cW1EMzZIMUdTLXJFLWNXbFhJOWY0cFZjQ2RZcUUwcmZoWjdoRG41bXJwV1dZOHdKdVFhMmpGcVgtRmh5dnRfWmgtcWFhNVdwOGNMSlBTX2NlQWNMZVM1bU9ZRTU4YmVlbHA1MVB1Q0RwcTdhOWZONEtfRXBjU0Q3QXkwR3JKeGdOX1ZjTEE3RGdPQXVVNnpZRHprMktubVEzcXozNVRqNWh5OGpESGdGMUFhU1R3IiwiZSI6IkFRQUIifX0.SBwdWhy4dissabBRoyyxMxRuVUbsFYv_1HZFeROLh5A"
  },
  "signature": "df5sTdp6j-ULv3To3yqYFFZWLrY41wu6jpKfsZdjMNMeRH3TXY5nSc-lhdFfJElVGnyCa5Rf9YGlvacGVy84maFCq0zhNTiLL8xBYieCKTAhmMuWZvIUZFBoE1KBj2YXskpnU6CFTKhALbW5lidZSGXdcEnygxwaumpO_AxlYghU8RQrQgF1wAsoDLcoun1-FROuHUzqKGWqYSbXe1lGJ3dTt5ftod7SjGqM2Quz4BvfQMpw82VVGq7YlvRJMuPe4ITUeikFNQ672bvVrjhwHUlglQ9HuFj5iroHqwr6dLtfKVDBtw33A_lCnsWfk4vPWDJ-1fy3Klj4hT_bhBIVJA"
}
]]></sourcecode></figure>

</section>
<section anchor="example-2"><name>Example 2</name>

<t>In this example, the delegation token chain consists of three tokens: a top-level delegation token issued by the authorization server, a subordinate delegation token created by the client, and a delegated access token created from the subordinate token. The top-level delegation token has <spanx style="verb">max_delegation_depth</spanx> of 3, which allows for two levels of delegation.</t>

<t><strong>Top-Level Delegation Token</strong>:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "protected": {
    "_comment": "to be base64url-encoded",
    "alg": "RS256",
    "typ": "JWT",
    "kid": "as-key-2"
  },
  "payload": {
    "_comment": "to be base64url-encoded",
    "iss": "https://as1.example.com",
    "sub": "user@example.com",
    "aud": "https://res1.example.com",
    "iat": 1772177588,
    "exp": 1774769588,
    "scope": "email:read email:write email:send",
    "delegation_key": {
      "kty": "RSA",
      "n": "3O1EVa-_zsENOhylq99puKjF6NBq8S8Ntw9sufyCB9LrTSs-xRoDQ7X6rYbPEOn5E-6ASZyUW2vFxLacj0Wir05hznlnfRLRTmJhud4im5COfAhuiPeL0Mbs3WFLdBfWVGXSP2O5UNkd7dJ2KqudqxNF81Nrt51RpmPR59pUZS3REfAYgtqhQ07WuCTzd2VpFttPFurDSiWcriyELNdgsT9wap0nyceSVLQgY9ZgR0VvsmHj_LUKie1t5RCjTsaMHJH6x3QI0tjKG9Psbil0ORlhA9WEgOO6E6KOC_StEBnK_Ntb2ArGPDjlNPzTqWOeeev84MM8VXdRzpTLOrRmHQ",
      "e": "AQAB"
    },
    "max_delegation_depth": 3
  },
  "signature": "p1OjJQ2tASuFPPCXzdbuSHaZiPTF2jM1Z_My2_qPx0IAAJJ5RVo9Km2hFeXjqqGcjkG5wEFxMw_q8JO48O9bVaKNBa1k_-UoBxf5KlMpldMFIUyV4D8Sugshh73iqVii5HW2MY4uS5Gj46GDUcX1NQRg8LW6Wa4zso0SPfIfunXF0dvBG24cCUoIFOr1NzryZ7OcVt9kdC4_uXGoSmjtGl1XsRvgb216fZFuZV0F88zWFsDcBZn4i8qGcBS2XAHjW4jbH7Y1O8dvl2h0afftmNkG2ZgHPl3phj_i-unQsAxhCUI_8MjtfF5iwe586uQw_1iED2IUlEXOgX-Ld5GgTw"
}
]]></sourcecode></figure>

<t><strong>Subordinate Delegation Token</strong>:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "protected": {
    "_comment": "to be base64url-encoded",
    "alg": "RS256",
    "typ": "JWT",
    "kid": "delegation-key-2"
  },
  "payload": {
    "_comment": "to be base64url-encoded",
    "aud": "https://res1.example.com",
    "iat": 1772181188,
    "exp": 1772782388,
    "max_delegation_depth": 1,
    "scope": "email:read email:write",
    "delegationToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFzLWtleS0yIn0.eyJpc3MiOiJodHRwczovL2FzMS5leGFtcGxlLmNvbSIsInN1YiI6InVzZXJAZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL3JlczEuZXhhbXBsZS5jb20iLCJpYXQiOjE3NzIxNzc1ODgsImV4cCI6MTc3NDc2OTU4OCwic2NvcGUiOiJlbWFpbDpyZWFkIGVtYWlsOndyaXRlIGVtYWlsOnNlbmQiLCJkZWxlZ2F0aW9uX2tleSI6eyJrdHkiOiJSU0EiLCJuIjoiM08xRVZhLV96c0VOT2h5bHE5OXB1S2pGNk5CcThTOE50dzlzdWZ5Q0I5THJUU3MteFJvRFE3WDZyWWJQRU9uNUUtNkFTWnlVVzJ2RnhMYWNqMFdpcjA1aHpubG5mUkxSVG1KaHVkNGltNUNPZkFodWlQZUwwTWJzM1dGTGRCZldWR1hTUDJPNVVOa2Q3ZEoyS3F1ZHF4TkY4MU5ydDUxUnBtUFI1OXBVWlMzUkVmQVlndHFoUTA3V3VDVHpkMlZwRnR0UEZ1ckRTaVdjcml5RUxOZGdzVDl3YXAwbnljZVNWTFFnWTlaZ1IwVnZzbUhqX0xVS2llMXQ1UkNqVHNhTUhKSDZ4M1FJMHRqS0c5UHNiaWwwT1JsaEE5V0VnT082RTZLT0NfU3RFQm5LX050YjJBckdQRGpsTlB6VHFXT2VlZXY4NE1NOFZYZFJ6cFRMT3JSbUhRIiwiZSI6IkFRQUIifSwibWF4X2RlbGVnYXRpb25fZGVwdGgiOjN9.p1OjJQ2tASuFPPCXzdbuSHaZiPTF2jM1Z_My2_qPx0IAAJJ5RVo9Km2hFeXjqqGcjkG5wEFxMw_q8JO48O9bVaKNBa1k_-UoBxf5KlMpldMFIUyV4D8Sugshh73iqVii5HW2MY4uS5Gj46GDUcX1NQRg8LW6Wa4zso0SPfIfunXF0dvBG24cCUoIFOr1NzryZ7OcVt9kdC4_uXGoSmjtGl1XsRvgb216fZFuZV0F88zWFsDcBZn4i8qGcBS2XAHjW4jbH7Y1O8dvl2h0afftmNkG2ZgHPl3phj_i-unQsAxhCUI_8MjtfF5iwe586uQw_1iED2IUlEXOgX-Ld5GgTw"
  },
  "signature": "lnf8Wz5M_B4dVTOOjT0aQa0ZSqEbTZVGb1HU_dk1tJ4eCbkCB8lmO0wJXc07Ys8gKqqb3TS4tKUbnwwKo3_Dw3FGYjbDqDE7rBtdc0lqi6fKSecff2ujVCi2U2dLjX78_h7U0LP1XbJuhkjdBYa-_mwiygAXf0j8cilXTigbTWJfgqcziVmkJzl9a_5HJ8HYF5ohdGmVBhOfyRrwGikYoHEQB6Ye_6jwTD_IQsUJe0eYdD4xAdA7C2awZAvhdYduKXit7WSyGuEhbyKopsm6WVZz4BkjWDjcJ2S7Xjb6RxPCGc_nNiAMsGT1nG9MIj-oGYy8gIWPSLEyF_6sk8hiaQ"
}
]]></sourcecode></figure>

<t><strong>Delegated Access Token</strong>:</t>

<figure><sourcecode type="sourcecode"><![CDATA[
{
  "protected": {
    "_comment": "to be base64url-encoded",
    "alg": "RS256",
    "typ": "JWT",
    "kid": "delegation-key-2-sub"
  },
  "payload": {
    "_comment": "to be base64url-encoded",
    "sub": "https://dp1.example.com",
    "aud": "https://res1.example.com",
    "iat": 1772184788,
    "exp": 1772188388,
    "scope": "email:read",
    "delegationToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRlbGVnYXRpb24ta2V5LTIifQ.eyJhdWQiOiJodHRwczovL3JlczEuZXhhbXBsZS5jb20iLCJpYXQiOjE3NzIxODExODgsImV4cCI6MTc3Mjc4MjM4OCwibWF4X2RlbGVnYXRpb25fZGVwdGgiOjEsInNjb3BlIjoiZW1haWw6cmVhZCBlbWFpbDp3cml0ZSIsImRlbGVnYXRpb25Ub2tlbiI6ImV5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNJc0ltdHBaQ0k2SW1GekxXdGxlUzB5SW4wLmV5SnBjM01pT2lKb2RIUndjem92TDJGek1TNWxlR0Z0Y0d4bExtTnZiU0lzSW5OMVlpSTZJblZ6WlhKQVpYaGhiWEJzWlM1amIyMGlMQ0poZFdRaU9pSm9kSFJ3Y3pvdkwzSmxjekV1WlhoaGJYQnNaUzVqYjIwaUxDSnBZWFFpT2pFM056SXhOemMxT0Rnc0ltVjRjQ0k2TVRjM05EYzJPVFU0T0N3aWMyTnZjR1VpT2lKbGJXRnBiRHB5WldGa0lHVnRZV2xzT25keWFYUmxJR1Z0WVdsc09uTmxibVFpTENKa1pXeGxaMkYwYVc5dVgydGxlU0k2ZXlKcmRIa2lPaUpTVTBFaUxDSnVJam9pTTA4eFJWWmhMVjk2YzBWT1QyaDViSEU1T1hCMVMycEdOazVDY1RoVE9FNTBkemx6ZFdaNVEwSTVUSEpVVTNNdGVGSnZSRkUzV0RaeVdXSlFSVTl1TlVVdE5rRlRXbmxWVnpKMlJuaE1ZV05xTUZkcGNqQTFhSHB1Ykc1bVVreFNWRzFLYUhWa05HbHROVU5QWmtGb2RXbFFaVXd3VFdKek0xZEdUR1JDWmxkV1IxaFRVREpQTlZWT2EyUTNaRW95UzNGMVpIRjRUa1k0TVU1eWREVXhVbkJ0VUZJMU9YQlZXbE16VWtWbVFWbG5kSEZvVVRBM1YzVkRWSHBrTWxad1JuUjBVRVoxY2tSVGFWZGpjbWw1UlV4T1pHZHpWRGwzWVhBd2JubGpaVk5XVEZGbldUbGFaMUl3Vm5aemJVaHFYMHhWUzJsbE1YUTFVa05xVkhOaFRVaEtTRFo0TTFGSk1IUnFTMGM1VUhOaWFXd3dUMUpzYUVFNVYwVm5UMDgyUlRaTFQwTmZVM1JGUW01TFgwNTBZakpCY2tkUVJHcHNUbEI2VkhGWFQyVmxaWFk0TkUxTk9GWllaRko2Y0ZSTVQzSlNiVWhSSWl3aVpTSTZJa0ZSUVVJaWZTd2liV0Y0WDJSbGJHVm5ZWFJwYjI1ZlpHVndkR2dpT2pOOS5wMU9qSlEydEFTdUZQUENYemRidVNIYVppUFRGMmpNMVpfTXkyX3FQeDBJQUFKSjVSVm85S20yaEZlWGpxcUdjamtHNXdFRnhNd19xOEpPNDhPOWJWYUtOQmExa18tVW9CeGY1S2xNcGxkTUZJVXlWNEQ4U3Vnc2hoNzNpcVZpaTVIVzJNWTR1UzVHajQ2R0RVY1gxTlFSZzhMVzZXYTR6c28wU1BmSWZ1blhGMGR2QkcyNGNDVW9JRk9yMU56cnlaN09jVnQ5a2RDNF91WEdvU21qdEdsMVhzUnZnYjIxNmZaRnVaVjBGODh6V0ZzRGNCWm40aThxR2NCUzJYQUhqVzRqYkg3WTFPOGR2bDJoMGFmZnRtTmtHMlpnSFBsM3Boal9pLXVuUXNBeGhDVUlfOE1qdGZGNWl3ZTU4NnVRd18xaUVEMklVbEVYT2dYLUxkNUdnVHcifQ.lnf8Wz5M_B4dVTOOjT0aQa0ZSqEbTZVGb1HU_dk1tJ4eCbkCB8lmO0wJXc07Ys8gKqqb3TS4tKUbnwwKo3_Dw3FGYjbDqDE7rBtdc0lqi6fKSecff2ujVCi2U2dLjX78_h7U0LP1XbJuhkjdBYa-_mwiygAXf0j8cilXTigbTWJfgqcziVmkJzl9a_5HJ8HYF5ohdGmVBhOfyRrwGikYoHEQB6Ye_6jwTD_IQsUJe0eYdD4xAdA7C2awZAvhdYduKXit7WSyGuEhbyKopsm6WVZz4BkjWDjcJ2S7Xjb6RxPCGc_nNiAMsGT1nG9MIj-oGYy8gIWPSLEyF_6sk8hiaQ"
  },
  "signature": "mn-0y0F3lx0IM-60UsBp1_M7uRhdT28dPqxt6-s1OnjM-obyF-p5XbQV9jI5Q56X4cb3jLl6RkM789ODTGt5y4QNdOA2WhlS0WldSOzYkV1Xj2yrC0mZakYCHTpzzgvfeUjeNj-fDWmtgRb2Lfm6Z6dguT071WQkaIyH4IW5xVxroqbn1tFM07uX3huIV9tC_iS926rWaDW7eQDm1nhhjS_QSgUcTF1eJy7hOjEtzs70iij5bQU-B9nn6OfXdpb1jO5vx3lCSnZfL2h2EaQYK3CbjrflbDnIYKtJ0NMx5D03KRcv_uPlG5HHRL5cuMz8eToKc08rc0Qs5PxDbeqV4A"
}
]]></sourcecode></figure>

</section>
</section>
<section anchor="integration-with-step-up-authorization"><name>Integration with Step-Up Authorization</name>

<t>This specification can be used together with step-up authorization <xref target="I-D.lombardo-oauth-step-up-authz-challenge-proto"/>. When a resource server returns an <spanx style="verb">insufficient_authorization</spanx> error, the client can create a new delegated access token with the required permissions from its existing delegation token.</t>

<t>This is particularly useful for AI agents that hold a delegation token. Upon receiving a step-up authorization challenge, the agent can automatically create a new delegated access token with the additional authorization_details required by the resource server, without requiring the user to re-authenticate.</t>

<t>Resource servers that support both delegated authorization and step-up challenges <bcp14>SHOULD</bcp14> use the <spanx style="verb">body_instructions</spanx> parameter to specify the exact authorization_details or scope required.</t>

</section>
<section anchor="use-cases"><name>Use Cases</name>

<section anchor="delegating-subset-of-access-rights-to-specialized-ai-agents"><name>Delegating Subset of Access Rights to Specialized AI Agents</name>

<t>Enterprise Identity and Access Management systems often employ Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC), assigning a set of minimal permissions to the employee based on their role, department, or other attributes. AI Agent can be an employee's personal assistant, or a virtual employee of a certain department in general. The permissions delegated to an AI agent CAN be long-term, but an AI agent <bcp14>MUST NOT</bcp14> directly inherit all its owner's access rights. Rather, they <bcp14>SHOULD</bcp14> be a subset of its owner, bound to specific service/API/database/codebase according to its specialty and dedicated workflow.</t>

<texttable title="AI Agents" align="center">
      <ttcol align='left'>Role</ttcol>
      <ttcol align='left'>Service / Component</ttcol>
      <c>Resource Owner</c>
      <c>an enterprise, individual or a department</c>
      <c>Client</c>
      <c>agent's client application</c>
      <c>Intermediary Resource Server</c>
      <c>CI-CD agent, test agent, DEV agent, research agent</c>
      <c>Authorization Server</c>
      <c>enterprise IAM system</c>
      <c>Downstream / Target Resource Server(s)</c>
      <c>enterprise IT systems</c>
      <c>Downstream / Target Protected Resource(s)</c>
      <c>DEV/STAGE/PROD environments, internal knowledge database</c>
</texttable>

</section>
<section anchor="thirdparty-analytics-platform-integrated-in-an-enterprise-saas"><name>Third‑Party Analytics Platform Integrated in an Enterprise SaaS</name>

<t>In this scenario, a corporate customer uses a Software-as-a-Service (SaaS) Customer Relationship Management (CRM) application. The customer wishes to gain business insights by granting a specialized third-party analytics platform limited access to its CRM data.</t>

<t>The CRM application obtains a delegation token from the enterprise's identity provider. It then creates a narrowly scoped delegated access token for the analytics service. This token only permits read access to a predefined, non-sensitive subset of customer data (e.g., names and identifiers, but not personal email addresses). The analytics platform uses this token to pull data, generates an aggregated business intelligence report, and delivers it back to the CRM application for the corporate customer to view.</t>

<texttable title="Enterprise-SaaS" align="center">
      <ttcol align='left'>Role</ttcol>
      <ttcol align='left'>Service / Component</ttcol>
      <c>Resource Owner</c>
      <c>company A (the tenant)</c>
      <c>Client</c>
      <c>SaaS CRM application</c>
      <c>Intermediary Resource Server</c>
      <c>analytics service</c>
      <c>Authorization Server</c>
      <c>enterprise IdP</c>
      <c>Downstream / Target Resource Server(s)</c>
      <c>CRM application server</c>
      <c>Downstream / Target Protected Resource(s)</c>
      <c>CRM application's data retrieval API</c>
</texttable>

</section>
</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+192XbqyJbgO1+hdj7kOVmGg5g8dN2qAoMYbMAIDUCt23ZI
CpBAkzWYIfPcVb/Qj/3Wf9D/0J9SX9IrBk0gsDPz3F7Vw3nIxBDjjr137DmK
xWKhEBiBCe+Zn8fNMNCZSqnMtKEJVyCAGoO+cjzjAALDsX8uAEXx4Ps983Pc
ooha/FzQHNUGFhpF88AyKJpG0QFhoBe1uCFID1U0QQD94OdCwQ+Arb0A07Hh
PRN4ISxsV/cM7lwwXA9/5weVcvmuXCn4oWIZvm84drB34T3T7whcQQXBPWPY
S6dQeId2CO8LDLPynNC9Z+RugWFIU9nxNoa9YrrolwLDWMAw6Tz/YsBgWXK8
VYFhgKfq94weBK5//+2bBgIQeEDdQK8UNfq2XX3D3b4BxQmDb2g2I9BD5Z4x
jVDVQ1vVjW8fAaDAMAQEyWRJ7xIZsGQ4H47z7XPwLumBZRYK5Lv7QpExbP+e
4UvMk1FgGHJ0fOioOrTJV463umd6IdhCg+nbQYl5DiDzFGgFhoEEdKZR8kiP
f9GLLvACG3p+SXWsaPReiZGBvYrH7wFjFQJ7FX378RRbYK9KOu1W8nUDmpoJ
lH/Rcaf0XA9oJ2E81QOBI/MMA+jRX9LTCVDVbcd0Vgb00zuKDiBnBiEDK8GA
e/BpUD0ZJdIhPW7BdjwLBMY7Rliee6iw7B392LipJR/rZfrxps7Wk4+N5ONN
8jHqdtOoxg0ajQr9eMve1KKPlXrU9rZ6FzeosXGDRjzbbeOuGn28KUff3rFs
tLK76l00210tXvrdTTlucFO5RR/7xXbJdCwFeJpDMdYPoFsMXYyvh6KqA9OE
9goWXc8JnPtCAVF2FlC3N2i9hWKxyADFR/QZFAoJz8ogPgNtoJjQZwCjmga0
AyZwmIhIGMD4oeLDgHGWjBH4zMoDNhrC9Yx3w4Qr6KPmuJXjaYaN+6gq9NH3
G2gzX4DpO8zGdrY2A9AkWrKMVLuvJUbQDZ+xoKoD2/AtBpims/WZQIepdflQ
DT1o7lMLzOwFrcV2Ah16DHBd01DJ11vdMCFiaHYADBsxuaVhw+LKA4YNNUZ1
7MBzTMZ5h15qfS70KC/1SwSYlqFpJiwUfkJo7DlaqGJOVUguhl9/pcj5/Tvj
es67oWHILj1gwa3jbZil48VrRgsJdMPTMHfYp5dMwEoAhM4ZqmhFHvSd0FOh
zzg2o0AdmEt0MCD+gXG2NvRKTM/ZwnfoXTOGzcCd4QdoKsNyTWhBOyAzXGcO
wGcM3w+hhuYl8PYZZxlAG0MH4HFQa+MdpgHDBDoI8E/4QIMQmIwH30LDwzP5
14zqQYCnx2dnBHvmPTRt6AHFMI3AQOCxNcZ1AmgHBjAZdKMwcOc6fuhBxjP8
DYI+Rg7fhaqxjA4V7gJoaz6TAH9rBHoWwzLIkRwCWTTF+2i3aONorfAsMvtk
Bg/6gWeoxyhCEBi4rucAVWeApnnQ9yFBYddzFBNa6LQQlhVj+tGOZlD2yTkh
qAHyAyJ7w8aXr4GQAcEG70KDqhO6Jp3GsA0MxOONOxb+eWnY+HwospCZrwmp
ockSyNHVBA6jQAoWDR9U6EONWZpwZyjmvoRIgU8dN/ME7FUIVhCdGGQ2cM9s
HU/zmauhOBWursn/mdEYf+Y7E7HPd9ro87TXfHqKPxRoi2lvLD61k09Jz4fx
cNgZtUnn0VhgMl8VrobN+dU1XvHV+Fnoj0fNpytEDQE6JM1RQ7ReBiAw4j0a
dgA914N4n35Bg77qGQrUUJ/Ww/P//O9sjfn11/9Eb6Hv3+kf6L74/p3Z6tAm
szm2uad/BjrcF4DrQuChUYBpMipwjQCYCOY+4+uIKerQg6VC4Zd/RZD56z3z
j4rqsrV/ol+gDWe+jGCW+RLD7PSbk84EiDlf5UwTQzPz/RGks+ttzjN/R3BP
ffmP/2waNmSK7O0//1MBIY+ACAgLGvtcIg8jAlo6EZIG0LN8RoNLzLsNm8nl
vvdHNOBDDzNEQu3XCRFEP6DDO2ajzeNmjArQQfqINwfkPqOXEzpyxggoTWEO
DRnHYyzHg4zmbG0/8CCwjgeM2EaMkR5cQg8Tnh8iLoLu5wBxTTSZTdDUgpoB
vP3xWPdofjxWPFtM+dEViliGYb87G+gzRkB2DdTAP92LBbA2gJg59Al7PF47
GQ7R0BJ4+NJNTY1pDTIqRnvEvEro0jy7eB+DFjEbHV/KJcJBkmMHmmagkwQm
xQA0L+ZGge454Up3wiBL3feFwi+/ZObkozmneM5ffrkv3OccMt6WB1VovOPb
m8KAQDOGErC1ayKTeO8w6oMbXicgjbAzDVmCImhPn8aRfu7BIoEMwRdJO4g1
u8enfgJjIz59hNznp8SHYQQ+NJfoTD5AvBj5I8yKZLDjdp9CE3RqAvBWMMg/
L+F0Yycnli9k0gO0E0hd3BUW1RgkmhlqaAIvCy+CEgjuuoPpg9zyR5Ja1JBw
KrxM3XEp0XuOCdG5etDE0jsRpVMT0s73SAogEMlbI8Ii3XFPedMHp0b2h+X7
txBhZ2p/eJH5WEfkjEuUjLfpouPQIEEL8tXRIVOFBHFnAR1PRI7krKg4quzx
hHnMHG/gmLlFUl1Wb6CCXT5a+OnVIJMO+S1nTZEgRBdFxw99IsjH4xNNZINk
ACwwpuVlBRKpLlGr8jr+7Kc1LMykCZcwDctAKzCNJfRdcALIR7iPlqx6ezdw
Vh5wdUPFopjihDYW8PPXiplpdmuIvRkr+yzgMDGmRkKzGGjt0Id2jPSQgi8m
GnI8r0nHlw3cvyLMBxYySGC5cvwOvXcDbslF8LFQb1CVDDMA3YAeFpZVdF/g
2f3AC4ngvEUyV8LIEd04CtZxwAlYYp6Ri4FUIkZIHjgEZT/WHtAa81SHCHUz
uikdIVJRTzVZBMlYtXI9x4Ue1qooZjmescJSf3b9WI8vFQp/+9vfAPDfkbUp
/vcPxeTfPzBsKWvjPGmCm6X7/3b6macnn9cE/32u//FE9N8/fbb/8USpr+PL
5XL/St7+SZMxkhI/NX8XgfvCss72/8f8/f/Dn9z/R+f3QCjjbP+Tf+fnr/4I
/PnD8Pu74U92Txf610pMij9nmhCp5jPz47voj+z/j+DPPxSL/4W0Om2YNDl/
fvESfquXUp6Si/8KjUzT31Kj0Ov4g/7kfxFNp/sfw+5S/6P1f9TrtD8FDPnf
O4V1DhjOAjBnTvpVWiy5gAG/MVk96wwR/NNvTDsR7L5lBjgSu88AAn9JBfXj
FZy2bZTSbeN2uUz4HAyeY/E69SVZ4xf/6ycGSM+W1+7SALmUdJaOckCeS0pR
u/j/hbxWn/j32x/uyIxdqlcnqsAfH+xUR/qjY73/3o4fMaUP/50lic8PcIYk
fs8AZ+WST68guVd+/wCnQPzb3/5W+PWe+WlprIpZ+zNyi//l6owvnOFiybyZ
6nXFANNY2X+5UpGC4F19LxRYokZQaTw2OJ2xYR/b6FJdDVtDdkNk2rJztMZI
/cB6Ihkq0s1zhGOkxyAF84ziUSoUKkfrjqwPx7pCJGtXz+zzVOdQ9ngIZPlT
ifMEqw5nFWHsQSE6V6QS5O0INUM2oyOFDWSsqVOInVpMtVQo1MiK8+dMFphV
t9Es78A0tPiHnLUQy6OxJC2vieqUB4tSoVDPwA0ZET60bfzsM83n/vUxUM6Y
hVYQ+aPQ1zGWnSyDEc73N/wja8Ulw8AG7slgF20zSCeN8DXP/4cX+knzIVrV
pwDxQ22Cl6xLdGelAhL7mpdsWyDP6JbFrvy9HCMYHtPPcJASYrWuYyNrPVKc
AXYoK0DdRCblj21d1wxEzj5niTRzVSe2BHqfmnsm8IDtI+/88UbIvGhs7D1H
lg4VFiPfR9yA7CI0A8MCAfJ7ezAIPZt4fMkQ1JxDUK5UKLScQD/lKGiYM9hL
7e6D6XjEyFAhAqbPfBnIgv+VuFRQ2MT37wjXHlpjPtPqIWmFoiS+f8e2m0RS
i2+zIQwA9u22DV9FPtB9odCCSwc7MlNcMfAM+J7LCvAmIlq9ZOVFeHMZO6/T
c9oQaj6JegiwO4qsKG21oy5tSuAgH1cRa0UevRx6vT4/4pFL4AIdE2TAKKlR
pxA28jj+B96DKfIkxVEiTnzkFrBDjKaqYy+NVejhGyCDUNcM3ljUQ9vbwEI2
NRSCQc8RapTRJX64S8ePUQVFu2BU6SDqOQamGyqm4evYRYVCQmhPemvjeDjg
acwWmmaRRJaIfP/oGktPg9ltPEzk2s0yg/haQ4h1eoKITaXMhWlMQS6wk2GM
j83v+OCD9MpopEXWOgq1lxiNXpPbI//neKgligSjeLIkQRb7i3cExk8Cd+L2
OwJL5NaMUDB7p6vATeI5EC0grlhi+ssTvncMJXqh/B56jf0cEbPIJcmfU5iD
aJti64UbKQpioK7H18wWX9ItLgE6X+6MAyQQcGI2D23NdQwcauMxyHJLInOO
kA0ZmLFjk8yFHbHUkJ7PIy97OxJZ0jJswwqtDF9CzBAJQtS1gg7F1jAhkCs7
Yd+I+eQ4vCLIoNgj1Qw1hE1oB9Qe/SrLMg6JjWTHV+Y16vsS9U25Aq6pC9g/
Yhw//XSBDGJmwyGI5QYWEFaBiN2G20v7IFC/zp/pOvKoayk5+BKZfYJ8PqBE
clvFNIb8PzkrI04gfKc7yhqqAWMB1z26YHJ2HSOy5zNfznLUr5HU8SkugHl8
HlDegRliByjIrJSywUhWTUIALGgp0PPvCwWG+eWXLHkSGRJtm2HumSj0pMRM
Aw/HvpF97aNBc7YeOFSGQ7+bBtYLX33VcaH/4oeu63gB1F4RpR5xBg0GwDD9
FxRGnWmK4vkouyZbfUW87vU8ulw6kES5cDwi/GHSunBNNO09Q/zwKUBfPPNL
d2h/yTiWEQRQu6Zi9xKEZpCMTTZXIodzDLfTg8EnDjwPYEaC25Ox/EwQZays
XyAJC+wxWUQSwmseakQr+9TZfbTcLN7TQXAcfcSnqneNH736fOWMwB/HikWR
miBgTAj8gCiIyz+HxSlee+lC/Luw3AsT5nLeP3nvRnfU+cMq0eiT1MBEHCQi
Zd5N+jECEBHoOtM5HYl5WSdwPEZxAnIRnIdX6j44g8Sp1pQR+5R1U7acyM0I
rSIQZiAYX2+5mk4S0WwEBJAnrB0HdVEORNm8BQPd0fyPKLInCM8MbZtm5Yaf
2RkOsUbRT8fsLKcRQi7oIvHHDo6moLzEBYF+urCm4jtmGEAG/Yzgg/8fQMtF
CS0nV1EMyR+0ano1pw7FJ9fA1vDz7hNyvHRHca9P3aRIEE9i1osmfIdmauJP
bIgG/aPDx9pAJG4icm0+930aq3GRuPHF5vuOamCCoVHgKA0Fxzbi1gDfg4GO
zDM4Qhc3ssmZovMhCOnv7QDsMBr70AJIRE0iKeJ9pS9MjK+u6ezxSiIOU2I4
xyODH+2C4A+x2CK0CG3jLUSWnQiuR+IJ2cA180px+xV3fUV9X/HsLo4Y9aCW
uXn/8H0bU2usASQIc4bmP2JwH1+8P+q6jRfvEI3VDf63beSPbCHis6ciQ3yh
pIg8EzL0I3eVIUJq6MGxYLGF4jz8GZyXiCjQdgLGD5dLQ02SiFKbiHTNnM1Q
sJ7RYnKA+oc1mlRm07HPJ/f6SwMmuf5O0l8+pbFhtR27iJh0oNmJL8FmHE9D
vMoh8ZLY5EXYCtQu6pYkNgzbkunVkkIO00GRcLkoEmlon4YMM2zOY2EzX1y9
TqwMPrBgipuC2Dv3GRMWNeMn5pVcYiD2Ryrmvp4Ijhle83p9XvglUnbguPQq
+xgQSOyOOTcO1s+jQbo+zLSvmdf4h9dEfCNn8Hun/kDi/xgUZ+BAYJR3Pn8A
WX7IQi+c2cfKCTXS+bFrppQYpiPqQTiNZCtk7SY2+fPKBL71iSn8mhjPNZK9
Rs4TBiipVnXsd7hP8hNOHcNxKmepUJDRlAgT4rsdXfMJpkR3vY+N8rTNkdkx
Rr7jvsuQxN0fmymJcIQoNQrRjob4XTZQpOlBc1nUoGoCRJtabCNMeR1wPLnm
QHJVeNA1QZyDFse3QtReJfij5LnbsH2TZuxFCVJI+gstagZ2HWSnRnwhEtwi
HTHLM1YhwLmsSCGNGPCnblSiEMf6bmcHUL7ecboKNrbYjl2Mk5gZSFoeZWxm
fR6o6yXNOCMd+ARhsEv/ktvWzeZaRrtK3I3nUf0ehwiTAVVHg4VfCwxzFU1x
dc9cRcn5wAbmHnH4Et0nyuG+ukbNj80PV/fMv145LrQNDWXvxT3v/dCygLe/
+ivulsU9igG4bzSnobmZ2f56jUSJqxy+dXXP/IpDYeK+qmdl+kYNTiYmNxra
KkJyvCPcKndXHgTaPWZ2auCjzeEvPIia+GRfOVOcsb3gEdGxX/0V9/teYJjv
ZIvn6RJ1wq3j7VDNAY/W7QipVSAugjb2LQL80eZwl5zjIau5/t3TUDh8SwAU
Nbl0ZJ88tuN1Z48iXs1H4D8GegT45P9/YuOWYwe6uf/x+z6HslF3uoAT2jwL
uBhlzwGhwDB/LXzH0WGFPs2rjThcnmP1y+tFTvH6NWPLA/geppTgx6711xNk
fKWqLLE8kW6JRTXD2B/44YVVHQH49Wsiwb5mUIlezWko0UX4nxZF4gs5u+XX
bkdgvsU7oz3JZU0E+LMAuKadj0ksNcpZnYMkZzmxHxgB6njPCZRfsYeuSLS/
PMWQXNLZ5VDE/8xqkuShwMFLOV5eHuiRYPl6AdlfqUATR2ZhqGKLUyyg0ATu
VPRO2jnvLLNpixeDgnBdDrYU572cyys6G9FH7FOoloDrIbNWRnT54kMYx+nd
fC2hSMSHT/p8sfdIDdLjXTMg1AxoqzTcKE+WyPgF09PffsUBP8e5fETSyM+p
8yPvAB0i8gtQw1cqgekYaP6FOCb/JETvTJ4YPvtPZYjROWn8Fk5cvM87yrTN
JL+KBBnpOhUkBg3MAHAgHXHSnQz7BY3loKC9kMZIoRV8ZUhYXD7xfLlYNuQr
gVGiZcY2h3j402DG/Dx6amw42SPWU1J5klRWJ0LzCZZgp9bxvrHonOZMnwQv
VjDiGBrAvFpg95LKMdSgi5Qm1QSGRUbG2ZQE8Syww/YppI8Fek5eZpK3mk1b
TJKSf2TCZQ5gv1CUOYsvF/Dia9oLfeJw9+BReChWRvAWrqntAu2GMMo8HzGq
sETirAyfwhfrZkqssqKmJ9RM43oz/myU9oo2TTNJdXRbZkEUVyG5jAvTUwgS
aw2OSqEhfsDDcUAnGJg1UGGRCv1AkSdV1AYw79AzlgbK3KQEFDP2YzKjeHCy
WIxUebhKUCsxfqK8nlXizieyQ3RmEQLjnmfxF3mQkPodWxLyWiHAh3ZS5qbE
YOtEkjCLoe4flX1Kp8uegBRVo0JzX4K6Di5QLd7z9QkATwbBZ6yDd/jBUIxv
kcoJ2CeULOtnn/xe+ni9sS3jE9N9ZuXNOYNSwlGk3qWhImPRmTYeCrqBPsOe
TpmCELp3zt4hthMLqKlVIraBrBtQ+xpZh7Do9cp8O29GfAWhhv4Hd+4rlQtt
ZUnpiBjdPmASxOJDroAod9rIY5CYjPCKfvmF+XbJT0PYNZEb84KcUDU3FOSU
KtWV9XzkRkZh983Xcxn9lIZSjONkB5kgRwQZsl1yjHixxwt6iV0xzklJAYq1
cTmBTDEzBBwtAUUk//3IxdvA85wtlSDo8B8vM2qK1wh3brJGuHONyK9sWD9u
qYgaCNmdTEH0SUTjuBTlCa+IV33UES/eVpbJ4m0nKCo02P1HLj5iGScTREu/
vO6jXlhI+4kRHJd5wvfWsbxGyD651/JEt0/U7UAUnXYh4bvW8DG/8EMlYhTr
wIgYBb630neWDyMWgoPsorsVyTCR4B7deEK6dWwyznKdS4wZBwldqhxi+Cmu
grfvnT/glIiUCthAjr4ckS8tmBP2FiopBhYS8e3MXNfIQUtj9U8kvGwWHZMp
pPJnF7kODLJIEcc2pMMlIq/1j4XL9OLpXVAZE3RIS4VZVESOpwwmSljgw4rw
seL/lSF111TH9g3sxE3jXo5geEJA2PNE85uSAKETpE5rU6fadfPczZ7SrCIJ
+ryySNQpYCMJ51PqV0Yo+PDqN85WlaFelMR57IW4PqmfKx9cE4UkVa4vMk00
SuwHonX7zAI0B8t12IaI6rpQ5LisUl4z8B3B+GMh17FhlBtxLggAT+ifme8a
20NTgZ8KZMrYDNNUkXUNIU6Oqv3J5FOi8MVZNklWD0kiJVE3xD6VlGSL4/V9
mmyBsDc0/EwqWjwrpoR4hkxxIGopyKYSPzgaJDVACgXuRCpDfqnU4k6v99T5
Jav5CyqlnUo0+CBn2IlttUnMR5R27EfNyJ2do076AQQadvylyxVmci8LhWYM
TnN/fWEtmT1FRoFYGE82lCel0iivJMm3+hXR5jkB/vxoVzyyZGWPiVo7/auM
RBzHOFxH3stlXopdVFmY3uRJbnZORnA/p6rUJ4/9qNJUYhgl5HR6l8YZV6dl
rkDKUEJyxY0VKu+JTTgAGRJzTzUlvEVLzC2Tdf5oP3dkqeASITstzp76XVSR
WdnpCUTZqmdFvuyBoMVj3I/MKiAIPENBMbNbnM4YG6ryBRssQB4dMf4Ju/DS
w+GBNOb1KuGHV/Q2SsMfIKfC0oO+nrcihOlGlC6IW6UyTUnlMEL5KK79hPrf
DZDTNSoKMMZn7HqOCrXQS+p2nWVxyL56fOOlSLvEiCTZ6tlznCWqB4dXiTlo
Z4eKa68g8+X58aET5fY2qijs0PDTdV0JEyZrI7WXBMT2o+Xm3gnXtGJpHqBI
M8dLWZBoxIwf1QPAugzx95014qPiyHFS2ZGFjrrlzlK6T6N6SLyyYsILtQ0w
bkVZ5nn8PuoFM+l4p7JnUgFgZbzHcEDgwtf1Q6ToXXCUwGOr2zmpSdkTn5OU
lR5zSgvineGasvZRlfNKiemSBOtT9TMjoWC2+SXxlX1N6trFdQtLqOJFE6ln
aLCsdZzKm0lw3CnXZb6csNOvWS/eiT33dxhyE/rOsvzjkginE0Lbj6tvn+/4
sx/5ZVGpRqRdH7vZiBWfSsNU4qSF1ElO9wUdMsPNo5R4BgHShEWUbXkOSVK1
T7KO8BOpKvreJvnhRJ/BmHOipBhBrNgtDQ9JS8SYIGRoJsVeENFc+SjS3yui
sQNU7PDqAjRxDQvFsDXjYgELKpcmtzLW3VXkUFxSP3sSiX/W70B8WGnPQ36F
061hmrERgRxZpJJgno+e0EAKsM/4hmWgeq6Bk2KdlvA0pfbGm3KdlFdIvTDz
7DxTMaqG+TriF6J/kVnIUbx25ClJkrYvp6InKShRFWPsok85gqNS8edkrPNn
QjLqFQg8HNSMvqHXVb2M7h1Kodn3cmI0fGV0CLQo8eq8Whu50i6muDvEWbM/
UkQ+VQ04iu34YJ2RRRuvx0AXt6Ug9hnFWWLZJ79n2ht48bSSfaQE5eNS3yWi
KdEQCBLGV8AhGZpbjEdEGSrf2BJb6Dm4zHBeZE4hs9x7pkWO0uJe7kqt+oqt
VGuFM1A5brws1krs4G1IooZEFys1KCae3DbRVmgGz0ewvv4YVMhvgPhMThUZ
jA/pCjon+BLxNMQl0F31npc27JNUH1wFBss/pzNF60S1sbXT7D8iL12ogRNV
jY49IVHNhM+Xeb5Yhsf/RD2iE2KnuQxnq8qcUn1E6fn0fRZdCWDOomxcoOPT
GJtFwp+oPY/mqDrL8+z1JGScUuH5u5bEfVM9jgRwRddmLPi4Hiym6q8c3V0e
tByixkS98NVCARp4DkFNJ3LENxqV79+jnJ+8C51I9k94Lemdk9v6+NiJc/sT
QmdeZ1IIOr25i1XMkJMqFXdA6s4sYYC9mdmohFinOjPOQH6cJpdaOkQBh0rp
UN3EgsSxjHlO7GK+oMLsl6XFrwxYoeCT8+DPbBILyL9rNSdUlpruSHq+GHtS
QqXd8PHvL0tUWc9hUtsNaw8oUCrKHYhdlGeEVlTF7TMTIqyhg8YTudAzHC0p
f/SppZJqLxnpLTFfYC8Xmq2fpqF8GvDxK0MXVpxbCyMiIIqoeRR7hKCYdC8o
pTEtfgIfkH0YsRBajMt4B+qeeaBSPB71NAgvXRXJpV1O64kTLpY63vjBo5Rx
MDhJ/icwj1bSgjZcGkEksp4ElpzjNnhyc08556ml9YIBCusxjpIqAxe9lXRC
6HGpm+aSOk+Dk/pDqdRwlLt7Uvg9pY6gd0micIrcpeGLl+TiUD9Y/HJYkMkp
iU5FoeDDQTW//DJEqZXYFpE1x9IyoJLhGzj/A4WqnUevOJrFhMCzI6vXxXce
sCkqYwmhx3WxYME2XawJb3EfqxdOUhZrH5+9Dq0S3ujIia7kZ4BSrJBjwCOP
Z+CE9fObo24s/FIlE/pghZPz0RBEQ6TDkJSod5oqo3oO2ouxXEKPOE2ONAK8
KJ7aPdooSPjBMU1CUBeX4wcONvUhnEzKmynkBZvzmHmNz4e0g0dZeBmbBQYW
DHC4q+ABlJTL4HVGK+PgFiemkiYeuiqKgWe4/kVmRuNR4sfZAicewg+9d2iY
JiCxGz+hZ8HIufi64aKWhN9GJshCIft3OvAm/XBe8h5gqhYrJn6yYWWPoq+i
K4USKIwGReJ9YqmNXwa8IB0xAq7nFvG0JFo9n3DfHfOdJKtF5Y7Sh4b8gUEU
9GtDtGDgGeaeQBBmCrGma5VdWt0lDpzLedGliCI3M7MRlzLiiBmDAboeGEC5
XoKH0cXshwBbr8j5RAUgTERGJMMNy3cJwUT8StUB4m/QQ25BlXr4BA9osOgs
l/gWQMHEJxuL8QCJQ3hDqUEjJnh9/K4helctNLXYaEW5JH3SgJb8POKIdP9W
6AfJG5NU2csTrkjBXXQ3otMkOYsZTyfyWBM6bIaaEYBkunZcLSJKZk69vBdj
DbYV0uoy8f7oMov4mExntcLZ5qnSFmjZ5F2pfIS1HNsIHDRhxLveHTXmnmmP
dMrLpTqW6zmW4UdFR/KHjnJusD0cqbrp2IUcH95PyAlJXi3JF0w+eOwRv5B2
2V0QKWA5of4RMqOIK8Ok9fVyH2CJ7dmpTVzjl96IEy1+dAY5f/BTzLR8CN2c
mtkcekg07Zs/jkNR0O1C4sBP8/upMJETrHSaC3GirOJHhHJOLjU5urHzvBgA
YeoKv0hF4H8UA1Wk74XQoc7TDY7VSPApeuMVcZEgwI9Io41bSCYmluZLZt7P
qR3Fs0Ee9OVDHLzr6wiPIks9AZYCEx0qlSlLTPj+dVRs6JoeNzJmE7X9Cyyt
SsQGjK24yMAkPE2/kr0FBi4zjPOfCSMhGGlCsEFyCXnxNCc/PeOTwom/uWrq
ZSXpmrgvogvTxEJQIvvF/geIo/2h9+//9t+OYkeL9CbP6jIPzVHa7Omr0Aae
4aTt7an8kA10A8ZxAYoOO/tYHQ6RQUWTnD3mPDmzenH95hiHPfgOkQINbd8I
SLENfD+Z2VT0Zi4lUJSIGDp2quAcEXLXaYQrH7GQdMFzfB3HIiQC1vOFZO6o
zq2Wl+p+klVfiqnsPCnTDcTmYRCcJSEPPb1tpykpLr4Uk1SCXMnkdAoiTiNu
l1/G47Rew7kCqtgEb+OxTs2jCddLF+N6PzLZ5aDPz35SJfkUXkflXn9ixlF2
PzBPrqP0jY0nO7mdjiSOI7XNSY0NMO5Gmhvyzg+BDVZ4JegOzjDSWBLB+gJ5
odQJjqIcsZp/GZ+jexJd6HgAnBDnnKYQ+ZFgg8SuRPb2U5d6ShqgFga0EcIS
niL+SeSc47HTDNd0bJTJknBcLL+ctaQ6ke6RK3uYDqDWITqFEscf4LwcYi7I
RCTQdcdVHB6AimovoIX/cYpFOajfSklZ6m/k/fbYaRAbsV/jx05RrkY6T+4/
YzcI8B0sisRFNgXhKbpWKjVGd0IUa3ocsoE21PE8VHgM2JpJt3NykVAYRaes
In2fgbhfwk/pZIZN7mF6dxh2qsIT5hJfY/rEOs3pM+NRzgRZHn6ZCNNDIhD3
o/YZDowVTIRsIKCyOtEu4tfME0lwCbGp1I/jT1B0yzVzIUAtfWcnDuj42WvM
EfrNUfOEFaCgGDzvcxJWwsOV4Qde/vvFHv4xylxOmXKS/pT7Xh0PfEU7e/v7
7COP97/8QtjHCFgQQTAhY/x1PAQjYkvHU0rGz40ovM4avoi6RDToB1KXxcSP
rzL9jsBRxQGreCqe/l8zr+7+9fRFygsLRkE6Hy76x64uPsPMg1o4vukHn+Xp
BJkzTUOknT3CJGgwsptEtuLoyYoUoqD+X2zHhl9xX1J1MPV8DDIFqjq04Bf/
K2pL3GE/Ao54KlzwlUEb+WHg6+2R1RnuAmQlsP0l9DBXdlTHZL6gSb+mZj2B
afJTCrLHTmTcchqAIMTwQyIusNHLV+R7mgiu4WM7AvAn0evSIwh/CFDQDnBF
pQy7OD9JApczNZ0j83G0qCPqTMtz2YZt7CtwI/L80zX5cuId/1Al8Tj3O78m
HSl+RJyxf6ok8nU69/akGiCyhCgwU/4XmRSzlgm8otInaHCaQY02xTNKySfI
l3ue58Xwj4+V1K+kziGsBf2gEss5L2zg0yVIjs1eUVk9YhfMTPXDCv5dJ0EV
0XQp/Erk0bzZ8/SeEiMTherMcwFnMDOVMJEUwvhMgfqMcxaXm//xOFUs4keR
kFBELiMO69HEWxqX/EllZqXcikjb93VUusewGQ6bGxAjwrg1hZ4BzAiVIi89
ioSLPje+f79mQruoAB82aqFnFqGNQqFJ/VwsD6qOlWAfBCRsEhWIQUZOkk6J
jRIARQUIfvo9o2viZqLKG9YZMg9XPyDpUw0+t84SMyVBfjTKf5/kLCeDAp95
iBeRPJf0U1REjmFPaimdZOinMrkG8pT+iQzkUXxFb1qpNz5yll8agEcDnH2h
Pa8eXIysSZm1F3owqAhV4GBj2vEh0gJUV8BcoVZ43dF3wd5F3w1kIfpmY6DR
r4Bf3MB9kb0q0EJcVy7YIwXwD01t+H6mhp3P5lTIuvJDBbUKfej9S87PINSy
pbbyRzEAWhF7c1Nhb27qt7f0a7hzyde1m8Zd8jVmbWhYZKYx7xFGM+QjUlui
MbOCdLqG3SZAf17x02ZSbMxG35QX9aDKb/XloTYc7LTRYVXpN1r+8q73Ut2o
w8eg1zC2A/9JqrQfx+xQUntKY+vvegv3jYfPa6s+YYtu3/JqrtC40R96+ybf
2ExrE0XwWgt1PYW3pv++6BvG0mhJ8mJ3uF00l9q60eGmY1nnnhblrvQG70ZD
39zOWL033lo6bw3X3TXc9afP/mJTfxtVV9s3q11t9NjutOh1iqpszvp3y5or
qQ/a/K1T9pb64kZv23XLc2V5frsdhBNQWXNvsyKn79+Dl4VefAOgLru36tPg
efqiwqb6BKd1azzv1G8VCE23zj6HD2337QbcLUe1x5eOq07bN819uesNdqvR
i6Q+NW/aq3EzFBuHefuwqTza1qT6dqjWhXVd39+u270VxzbBVNgmQMaH1pw0
W1fpmn3oRKOYHtRg2tpqsr6vaYbvA6XFO/v9brjjQ0lUfG7+/sL2Fhzkx096
vXkVVVmL6fEoNO3vSpX8p6gywcMfSZ2U7iLC0txcuvr95HfLsqfkV2FvazeX
yO+U5jD0caP9QFe6qjE2Bn3x0GdHRt/v23xdfeg3+ht3Jj30/b4VuAv0t8Ud
nuTAhNPyrm+XS3A/cNXqEPV1tB6/VQ/O+1OFOwyndRN2uUDt7swna/SuTNGY
I3Zu9Bt9WzosZoPmYqbryqzlL6b1tVIpG08PA12TJ9mxqgNTPXTCnLbufDYx
xutOdXTo70YHlR23V37fkmpo3UNBrY7aamUsiLXxw9ZQK6N3tSuisU1F5lyl
7e4XMrfpd6VgLpv+2B6ZijVB424W8s5cVLgykO/CWQXttd+A+4Gn9Tao/1Qs
d1C7sL92jCHnsFp7NNUqugXX/Ghq6xvBdu3hZlOZ2CNrLOrLYSVYC2JQnrYX
rlZ2DwI33/Od4HkosvK8rBsjWzvAjg7UHjddSK03RZD44ZTdTmV2P+q1xNFa
cyZlvT6R+hXADsuiPBDVzQDMK66wEHRfrS7AVDbdhWU+SKYGYM+pyRvOWnSd
Ci8uBIHVHH6zA8OOJquyWBc27EHpafOhrPeFqhYAbhAIstsDllSbSqOJyrre
aMaNhxWtqspsZ3hY9IeiJjzNBtyTPJopnD4Yy/Oyyi3Wkwq/UEVxq1oLR15r
Dt+tscpssJVYbTHuaY+axOlDy+2q0irgLb2u2fxStlaBKnP6SNK24+5oODVb
wqwyMifyaLiQhqwi3i14QazNLclUek12KLXYSZnfqoKmj+XFeNQJlvystRbL
k+pkttny1cEj7GrjGbtYC51Ole9qz5OZJI1sd8H3XG+4CUJF6hzUmXMYSfzb
SNbr467bmXa17lDkdJHlq31jayymCN85fiL2jeWsXPpdXC6XT2rLui9obmNd
FJ/eq4JT3b/NOW4hP3nzGrsNG2v3cekvtPVwNIR8ryrM5nV7qhZNXeOWg44p
de39A6jzy7t513wHalfa39YswD28lQ/6SDCenm53rbkBHx6Fpm4NQ3nx3hcX
XMvpsI+tdWU+8zeuLTYeOOFRbz4pct00tMW0O9PUjr1f7bYgtNzxS3Nnzle6
eMtPvMmKY7dN32k/qU5os0WOH4c98fD22JXf5lNlBlmzO6hqQlBfBo52M113
34aVSXiotd6Xk6G7va1IUvftZm6+84Nh+AxrfUGExoYbTRo3FeVd8tb6tiea
K3Ny1wu5dd3wnN7b1mtoT8HyUWq3gm212nwxH2xfXm5q789ye1Bkl/vqo7mu
6cKLorf60iC5UlKiZ+WzoicpEYV9HX7kEfFgpAHc4woDFwqEfFxaDlyuk5Qq
LpeErhB592xCfdQndjaeFuFiPihtghL3z6T/O0umGoX5UJc2jtvfOgwe7KiW
IRatBcct5hdZ+Q9wnVMhu/L/rpC99YwA/hiBuzpmOxIovhz8zmis7823uzs3
fFxzjVHr7XZ6Owq2d3643D+07p48YeoXd7zTntzMGt5cee6M7Xqn2GhOF3tR
rrxzuyegrsuy4ZXr+sE27SX/xAvWQA+1mmHVH8bLph4az/CpPFT8qsw9aa2l
LHVn0+fKuC6ONtqNNqg8voXa227E3bIjL6izvGs98/U7V1xMq3xn2Zyvgjd9
Ur6RwwfhoFUklwuCZy702lNDVj1j33kaaStfuNsCt2zvVTiVniar+d1ixZel
d9/qrV+exEcDskGdf1gLPhj2Br3Grjrpl4P1Y/fu2VcMszzmTb15J3dW43Gj
03gcP7xMg07LfnwZBUql6XWf22tz9HwQ3uQxhPD9tjYc3kozjT+4wtPY463e
5LzATU8qj1Sv7plq/j3jsuP1YFIJmtOQe35+mB00JZz2wMJ4FrjKesguXob7
ysvb867cbzYHgzovOXePVkXn4Gz99tZV15tufdvhdsPty9vtYFy7Hd8pEngc
tQC7eSmKTmu3rD+aQ9fUhlxf3Eu19u00XPm6flM13iTDqPfkynBeC6f17rrW
6LZFdcaOJvzq9kluyKB28J3y9HnZX4b2jCtr761upaY+iE6fG3vs6ODtFzdj
VQruNtpD7SWcdZ2ptQ66Jjvz+feVUmEbywUXLqQyd3t7kDm/rbYWds24feuq
rWll1uyt5dpa6d3M2fGt9m5W9DJYLgNrtOlWFqves1l19fWLUQztid/c6Q9i
/+V2uA6WXN3YwvptI5xsX1ij0670RbMzG69mxSet3l0J25Tqkq7R8x+Q4x0p
MD+I8/0o1eTmtlKNvz6D2OzneNrntJjp79Bi9v93aTHaHsx4809rNeXbHS8t
9CfprqGWpbFQ0etKr1Mfz1rstOJ2R5v6gyrowrhTL2sH86DJi/qk3K8LvYEo
VocB5AbvPNepyu3FXpYHE168C0eiGIw2nCDbpiQdBhXe1odzefQ25DRXXTdZ
0HNDpVu3xM1uKnXZR9CTNqOuGYzE0fNiwzmabE4W4nYryIPDkNW6Qpd/WJia
zLO6ILYHzyNJGoPKpLroOPtplWMXPa4mbOa1oVjfa21xJ9qtQOT67HjWkmRz
eBA3kjWRTFvrcY4oNKtSVWpLPXczNBdb3ubLYmfBqhteAJK2Vi2zzou78aKr
HaS2WZ3PmlvFNtcLaSQLHGfLggkWbH8r2YuDIupvs/JOmlZMczibsOJm9Cb1
Rrog6o/T9qI2ZLnBsMe/TctqXeyNDCBvtwI78EGnU5fKki2Ubyu8sHgSyqOl
WOW5iVV/mpXr5fl60FI32oTvur5gthpSj5sJFclczOa1UYcdjbnFfMENGirH
D4XqYKqIOn+i1Uy3hiJztVmFN5WuZM9nvKtU6stFV9pq3ZUxXo/uSv//Mvn7
XCa5N7dpL2/lQ3340qppkjAer4UymIDyYvrWUYSF1FXYnviibdhgUIMPyuah
dWta4/J2MFPLN3P/dvX49qZUhWkteBQVe7t9dKov7W2V687XSvut3bnxWoGm
ls03o7F8nEJ1uayEa+nBqIgV7Wk9u7l90W/E8tMzO1MGob5Za605KL5YW2O/
as6W5fWtapgzwVgpgjxYrt7UgyFZm8HBvAMv9d7gtjfn6o6udS2ppY+Xe97b
do3N3Ol1Jq3GHL401luh/dKf+OIAluFca9d2Ta1581AB20XzXdfmWvg4M4Ib
ebrvhh1d2T86rm81ZGlxqLU2a7m9VgeV6c1srTT43fNDV32xR0Zz6HcF1u7e
DfvrotOd729Xffl5+tTZcy8Nf3OrG2Dyf6DRsVJEKsR/bMNjysKYNjzeVv+8
4fETV3aaZdUCUJHqT0LfWE7Q7f2Hb9xxu7M7vnGHa7U2XA/xjXuZW3aQNLBW
qi0T3ZoLmdWBvG2olqQvHlrRDV1VLbO8QJJDZgt1UakEpoIkCUuqTy3d4Csj
V6iYjyIrNaYCNwaieZjK9elIHrWnwmIAqq25tBkN1LIZaL0WmJQ3lanMduFm
N9O6O1M8tOpTubZ9QuPZrfWwzOLxlArfF21tDa27itAedOGGFUbyzuTLi/K8
rNWUzi4Q7IUhlvF846Fkumg+xVw0ZFN/nEjuHHR1Q+4MDrI5ZIHV3w+75nBS
dp0Fp/FAvHOn1t1myg2q86r7rm22h6m1W8ONxMqm7oDuYD6xR0A8SG/zdX8L
xF17arcWMse5QsXlhuV6YzrTx9Aa7oQyb6P9SWt+jfYnSPx6WK535ofBs8SJ
ZaE8qgJ5uBfsxZpnJbK/7mDG2y2D77Xqsql1QdnsSTa/kCq7g1Cpb6DMzUVr
N+DZRVmWNF8t34WCtTMUiXOFzugRsO4MdndguJlv55Ja16TVHsOzvKksZuaj
avF9UDGfgegKktDiyPqlAbDuXEFo1iA3kGVLH0rrTWV+aMkCO9mDtmRMOyIr
sPrDUBru1Y42BgepPWd5R+rccSOhtYHWrrHgNDCSOtupIInTjitJwmikdaXu
1F5M+Y14kMo8gJI2m5rcVBJMVjAlSevUPd7kZ4q1kyXbfRyagxB02IVUru8E
cbFRu6O3icDp016LnW9UVpEkD3IjmT9wT3NRl0G53lN6/FgS6xPZCrpKhZ8p
HAekmVaVOO0Rbsq7RUcTeXbQlq3dRmL7O8DxEt9xJ4K5kIVKZy8KI8DLd3Xx
MOoOJbfPr3kRsJuyIIkslPmONNMlZTMoS+JiMBTv5hNzMVM6bEOSA1mROFnp
1jfTzuJdkvjWkJ0fpA0vT3stT5B3QGMHobhuSbzk7OaVYCp1OXnRddeKvGVF
U6oJrNtb9FyZ724PsqS3tMogVLoukDb1mdRZdBVTE5UuB4aiWZWsOoDWQAI9
bj7s6bJ4GPhKh52LAieBcn0nbfQx2hvoBALPOWVB4LrTDdsXbU4YdoesJOpj
IHMzraqJQ9E9zEWJG0nzrWTVxWF7tRdNHgjcZCtYyHI96IpymRW41XYktBZg
4z7MK8FGlAY9tTcSlU6/Im30rsxN9pK1AzK3KQsbcSds7rqyaQJ+41Tm5cVU
kCaHqTkyJFmfTmWzCiRXwPRfXkxFSRoAeSFoFdOQyvOy3B5Mle6gJ1n1hcwN
tvN1n12Ybk+ytQ1f0RB9jcfT+nYo3r1Nzc5e63CCJi4mYmc0hxZvaNKoP5dc
V+T47tByR0PJXQqzzX5W5Saw3RpMRO5xupamknVbn1bKe9BZmHLX3amitgZW
0BvNNI639ZHG3u3GHfd51Nafx/JAnovBeGJ1doC9DST57gF25+y0shup3d1G
EBcDaWbKo86kJlYlW63ozugwclVp4QJB6kuHwUgWeFY8SD2APAxlXpqzq51g
ctPFQR8ivWsu8A21crsV2ZY1lResYurdYZevTDbqftQdtSX5bsBv7vZDsd5Q
bROMyndryZ7UQYVvj7g7Vu5o72KFfdM6mj+U9INoL+z5ur8bWQvA2xKQ1q3u
uK03pPLiwHdHD7JVKwNB3/GV0YN4GMwnov4mHfi3+WZVlQXuedzlK0p74Ay7
nLWw+UCwgt7QdO0p1/KH1ZYDzDv3aSaF4mzUgl29LYnmctxh37TuojuSzepC
EGsjW+I19nYHRKkz3JiS0pHmQkWbP4m7zUjUbKmnouvu/4uMfx+RMVc+t+xi
eV/mquau3B8WG2XRb7nsy/Am5HVNqNxqz2+7oFH02bG9HhYdZc8V3fpMmUh3
6359Um/MaqpSXT+ZDX4zvLm9G7eFblDf1yYjbdysyLo5LcumNh0f5huJna0r
e++hbC3AZv7QE9zDYfW+hOIajtbFZVu2ghWvVJ6WVmPR0FahUL5h5ckG9Pe9
Wl+u76Sd57wpNhtww/JNOKvqYV+6Cx5ejOldpeHJoC3fwEnbYm1dX09fJtOV
qAocCwf7G3287gQH/6ZsGOu6MhGLrTvbboyXM81V2PW4/r6rmg9Te7F8quiV
DpjMH6sPytpbmkrb7s8fg0F5NNzV2+XqI6++v4TPZrfe6/FPdTUcHm6h4Dyq
5VtPLU/8+vOurcA3qZby4JBXQWj1eRy/Mw2gWxTdbOx7bqRp9mWdFcShkXgM
H40Rukceml9/7RfbJdOxFOBpTpGkN9CmRfTHoRi/aYrTHhwUGEVrPBzX1fBg
EHo45YR5TScWvGTmfCWpCScFGGgZ6kzNzWOvT1xuJv8FbeQLQjm2cUpBTpYq
BhqqyAC8wFBDHN+F4LUMTfJGfZ8BKxx/Rqs0mVpOXYoSc1LrKh/AMfRopu0q
2i4IAwflrpH6F79r86kqzfmPR8TQya92dx2neCTpyqgZ8tSQzBx89DTaHGX/
n6ScYNhEWUg4dfFcyi7Oy6CgiYERp4Wgyoa4hpTiaPsXVOnEIzUNMpWK43xN
sh24w4WycreOIlZxslsEA1pmDzIPwId+5tEqe4XeFKJPV1BVmDdWOqkkhmMq
UZQg0pP7TBMjRaHQQWktroeSXfvpdDTaP0n+Yvy9H0ALuQoDaNO8R4Z3TMi0
gJ8o3zSkk/nCt5oP+ImSZlzJMr9hEzVEmbc4i54gH9kEfpMdFe9OhzDThxRI
3iXRkTVaJsDwGM9BfmENInqwsN8VhffSsgp0HSgdjUIg4jDAjkckZXp8mg2H
fMiADgOYd8MLQvRMeTQ7fioX1W8EuPR7NCuKziRVL03it03vIEEtVJDEjkk0
ylFFqWdFVNbkmlHCINMiziLVDPRIHqrsYuvQw8neZvQIJc4tpKTm4fMvMTxO
wqeBn0kSWvqxk7j3dU5aMX60XYXfms/9bygWG0H9GzJJoA9oMuw7WeEy5AHl
4sCkuKTB6H1jVIpjaTrbUqHwG8Gd33AVGEOFzDccz+qgHAfmt8JvDArrpf9F
jSOSHeP3IH4jb5lHuEsC3t8NDR0OfWYsPgvUnRZX+I3A8Wc/rkBJqu1i0kbt
+ul6MvGctFDNb8xDv/jQJmNcMwF+OJF8bnek6CMKpkXJ/PTI0Ki5ZW9+S62f
6TeHlMBwh3YS4v2NEUjlvaPVfPG/Hg0hxCR6bojTZAwySrsjfZsKzW7n2zM/
Rslt74bn2Dhs+TrJT0YpgybUUKEBigHMb4Vf75nACEz4l6uYqVwxwDRW9l+u
VLy6q++knIZueNq//9t/fQZesGeaUSFH5tkEAX7AMBITSGwzQClF8d6mAEyT
8I8oeRtFYqiO5zo4D1oN/cCxSJ1KFDs8dZbBFiDm7xdBMcKyL2ior8xD1DhT
BSbF7b488MOvafSgVW2jflsaCe8wqKIVo6CQe0Rwhu0TlqvsSTFlytBS3DdA
kCi6GA5xQUvGjeCA87kzb8MiikLvjCKw06q16M807pIi37nPJcQhJQmupHOP
aZqlh1/TCOLXfTAIyRNJKL8X3UFnSylGdSiTzVB2QatFkVa4mBDmg7iwCEjv
EKBCfDQJ6Bq/Sp7kxyccKgY+zgahGaA2iOohpJJ2COfE78hFrBybK5Gs4eGS
s/TBwRz4J0+vxtXT3NA08aTXcS1jUhRitfIoQFIIEEDTNFb4PSny0Ot19MSL
QfLmA5yukH71N32UETRzMBsVVjXgj+CeOHHV3v/7v/2PJvMFFz+ANrCDr1lm
iWjlZH2fYJMniPBZLqg9/z72d7w2Krn/Xv53NMzPPsEwDwaeAd+ByTSf+4TX
Rcwu4U1FBKRTlve/AMdgcb2YvwAA

-->

</rfc>

