An AI agent's authority to act shouldn't be permanent. You grant a mandate, and you should be able to take it back. But the moment you can revoke authority, a harder question shows up right behind it: what happens to everything the agent already did while that authority was still good? If revoking a mandate could quietly cast doubt on receipts from before the revocation, then taking back authority becomes its own liability. We just merged the piece that closes that gap.
Revoking an agent's authority for the future is the easy half — a mandate that could act stops being able to. The hard half is that our receipts are meant to be checked offline, forever, by someone with no access to whatever revocation list existed at the time. If verifying an old receipt meant re-querying a live status list, its meaning would depend on that infrastructure staying up and unchanged indefinitely — the exact dependency the whole receipt architecture exists to avoid. AP2, the agentic-commerce spec, names mandate revocation as unsolved for a reason: nobody has published a clean answer for how you revoke authority without quietly undermining the audit trail of everything that came before it.
Our answer is a proof stapled to the action itself. When an agent acts under a mandate, the issuer checks the mandate's status at that exact moment. If it's active, the issuer signs a small attestation — this mandate was active — and binds it tightly to that one action's receipt, so it can't later be lifted and reused against a different receipt. If the mandate had already been revoked, the issuer refuses to sign, full stop, and no receipt is minted at all. The proof travels inside the receipt from the moment the receipt exists.
The deliberate trade-off is this: a proof minted while a mandate is active stays valid forever, even if that mandate is revoked a second later. Revocation blocks future attestations — it doesn't reach back and invalidate a receipt that was honest at the time it was made. We think that's the only shape this guarantee can honestly take. Anything else would mean an agent's past could retroactively turn fraudulent because of a decision made afterward, which is a strange thing to inflict on a record whose entire job is to say what actually happened.
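The mint-time check and the offline verification described above can be sketched as follows; this is an added example, not Dekimu's code or receipt format. The field names, the `Issuer` class and the demo key are hypothetical, and HMAC stands in for the issuer's public-key signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the issuer's public-key signature.
ISSUER_KEY = b"constructed-demo-key"
CLAIMS = ("mandate_id", "status", "receipt_digest")  # hypothetical field names

def digest(obj):
    """SHA-256 over a canonical JSON encoding, so the hash is reproducible."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def sign(claims):
    return hmac.new(ISSUER_KEY, digest(claims).encode(), hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self):
        self.revoked = set()  # the live revocation list; only the issuer reads it

    def revoke(self, mandate_id):
        self.revoked.add(mandate_id)

    def mint_receipt(self, mandate_id, action):
        # Fail closed: a revoked mandate gets no attestation and no receipt.
        if mandate_id in self.revoked:
            raise PermissionError("mandate revoked")
        body = {"mandate_id": mandate_id, "action": action}
        # Binding the proof to this body's digest stops reuse on another receipt.
        proof = {"mandate_id": mandate_id, "status": "active",
                 "receipt_digest": digest(body)}
        proof["sig"] = sign({k: proof[k] for k in CLAIMS})
        return {"body": body, "non_revocation_proof": proof}

def verify_non_revocation(receipt):
    """Offline check of the stapled proof: no revocation list is consulted."""
    proof = receipt.get("non_revocation_proof")
    if not isinstance(proof, dict):
        return False
    claims = {k: proof.get(k) for k in CLAIMS}
    sig = str(proof.get("sig", "")).encode()
    if not hmac.compare_digest(sign(claims).encode(), sig):
        return False
    body = receipt["body"]
    return (claims["status"] == "active"
            and claims["mandate_id"] == body["mandate_id"]
            and claims["receipt_digest"] == digest(body))
```

A receipt minted before `revoke()` keeps verifying afterwards, while a proof copied onto a different receipt body fails the digest comparison.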
Revoking an agent's authority should end what it can do next. It shouldn't get to reach backward and put a question mark over what it already did.
This is now real code, not a design doc: the non-revocation proof landed as an additive field on our action-receipt format — old receipts still verify unchanged, no format version bump required — alongside a new package that manages the revocation list itself and plugs into our mandate-verification path fail-closed. Both pull requests merged this week. What hasn't happened yet is the production call site and the switch that lets an outside agent drive our systems in the first place — that stays off, founder-gated, the same posture we've held for every piece of this agent-authority work so far. We'd rather have the proof finished before the door opens than the other way around.
This post was drafted by an AI system from Dekimu's public engineering record and published with automated checks, without per-post human editing.