# Delegation

{% hint style="info" %}
***This page must be considered part of the iSHARE Framework***

*This page is considered normative and is therefore compliant with RFC 2119.*
{% endhint %}

## Obtains delegation evidence

> Used to obtain delegation evidence from an Authorization Registry. The response is a signed JSON Web Token. Please refer to the models ‘jwt\_header’ and ‘jwt\_payload\_delegation\_evidence\_token’ which indicate what the decoded response will look like.

```json
{"openapi":"3.0.0","info":{"title":"generic iSHARE API specifications","version":"2.1.1"},"tags":[{"name":"Authorisation Registry","description":"Endpoints that form the Authorisation Registry API specification."}],"servers":[{"description":"iSHARE UAT network base domain","url":"https://isharetest.net"},{"description":"iSHARE TEST network base domain","url":"https://test.ishareworks.nl"}],"security":[{"BearerAuth":[]}],"components":{"securitySchemes":{"BearerAuth":{"type":"http","scheme":"bearer","description":"OAuth 2.0 authorization based on bearer token. MUST contain “Bearer “ + access token value. Must be provided if restricted endpoints are needed."}},"schemas":{"DelegationRequestBody":{"description":"The model used for request body in /delegation endpoint, for obtaining delegation evidence.","required":["delegationRequest"],"type":"object","properties":{"delegationRequest":{"required":["policyIssuer","target","policySets"],"type":"object","properties":{"policyIssuer":{"type":"string"},"target":{"required":["accessSubject"],"type":"object","properties":{"accessSubject":{"type":"string"}}},"policySets":{"type":"array","items":{"$ref":"#/components/schemas/PolicySet_evidence_request"}},"delegation_path":{"type":"array","items":{"type":"string"}},"previous_steps":{"type":"array","items":{"type":"string"}}}}}},"PolicySet_evidence_request":{"required":["policies"],"type":"object","properties":{"target":{"type":"object","properties":{"environment":{"type":"object","properties":{"licenses":{"type":"array","items":{"type":"string"}}}}}},"policies":{"type":"array","items":{"$ref":"#/components/schemas/Policy_request_evidence"}}}},"Policy_request_evidence":{"required":["target","rules"],"type":"object","properties":{"target":{"required":["resource","actions"],"type":"object","properties":{"resource":{"required":["type","identifiers","attributes"],"type":"object","properties":{"type":{"type":"string"},"identifiers":{"type":"array","items":{"type":"string"}},"attributes":
{"type":"array","items":{"type":"string"}}}},"actions":{"type":"array","items":{"type":"string"}}}},"rules":{"type":"array","items":{"required":["effect"],"type":"object","properties":{"effect":{"type":"string"}}}}}},"DelegationResponse":{"title":"DelegationResponse","type":"object","properties":{"delegation_token":{"type":"string","format":"application/jwt"}}}}},"paths":{"/[v2.1.1]/delegation":{"post":{"requestBody":{"description":"Delegation Mask that defines of which delegation the delegation evidence is requested.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DelegationRequestBody"}}},"required":true},"tags":["Authorisation Registry"],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DelegationResponse"}}},"description":""}},"operationId":"/delegation","summary":"Obtains delegation evidence","description":"Used to obtain delegation evidence from an Authorization Registry. The response is a signed JSON Web Token. Please refer to the models ‘jwt_header’ and ‘jwt_payload_delegation_evidence_token’ which indicate what the decoded response will look like."}}}}
```

### Request model

#### Headers

* `Authorization`\
  **String**.\
  OAuth 2.0 authorization based on bearer token. MUST contain "Bearer " + access token value. How to retrieve the access token can be found at [Access Token Endpoint section](https://dev.ishare.eu/version-2.1.1/all-roles-common-endpoints/access-token-m2m).
* `Content-Type`\
  **String**.\
  Defines request body content type. MUST be equal to *application/json*.

#### Parameters

The body of the request MUST contain a JSON with the following structure.

* `delegationRequest`\
  **Object**. Root level.\
  The request for delegation evidence.
  * `policyIssuer`\
    **String**. Contained in `delegationRequest`.\
    Identifier of the delegator (the delegating entity, usually the Entitled Party).
  * `target`\
    **Object**. Contained in `delegationRequest`.\
    At the root level, MUST contain an `accessSubject`. No other elements are allowed.
    * `accessSubject`\
      **String**. Contained in `target`.\
      Identifier of the delegate, also known as the entity that receives the delegated rights (usually the Service Consumer).
  * `policySets`\
    **Array of Objects**. Contained in `delegationRequest`.\
    Container for one or more objects containing policy elements with an indication for further delegation. Note that policySet elements within one delegationRequest MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated by the Authorization Registry in a *permit-override* manner, allowing a *Permit* even if only one of the policySet elements evaluates to *Permit*.
    * `policies`

      **Array of Objects**. Contained in `policySets`.

      Used to express the actual rights for which evidence is being requested. Note that policies within one policySets object MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated in a *permit-override* manner, allowing a *Permit* even if only one of the policy elements evaluates to *Permit*.

      * `target`\
        **Object**. Contained in `policies`.\
        Describes the target, in terms of resource and action, this request applies to. It is also the scope that is permitted through the default rule.
        * `resource`\
          **Object**. Contained in `target`.\
          Contains `type`, `identifiers` and `attributes`.
          * `type`\
            **String**. Contained in `resource`.\
            String which describes the type of the resource for which delegation evidence is requested.
          * `identifiers`\
            **Array of Strings**. Contained in `resource`.\
            Array of strings containing one or more resource identifiers for which the delegation evidence is requested. Use of wildcards (for example "\*") is allowed.
          * `attributes`\
            **Array of Strings**. Contained in `resource`.\
            Array of attributes of the resources for which the delegation evidence is requested. Use of wildcards (for example "\*") is allowed.
        * `actions`\
          **Array of Strings**. Contained in `target`.\
          Array of actions for which delegation evidence is requested.
      * `rules`\
        **Array of Objects**. Contained in `policies`.
        * `effect`\
          **String**. Contained in `rules`.\
          Value must be equal to *Permit* or *Deny*.
* `delegation_path`\
  **Array of Strings**. Root level. *Optional*.\
  Container for one or more iSHARE identifier values for a situation where multiple delegation policies need to be linked together.
* `previous_steps`\
  **Array of Strings**. Root level. *Optional*.\
  Container for one or more pieces of evidence showing that the client has a legitimate reason to request delegation evidence. For example:

  * Client\_assertion
  * Delegation\_evidence in a delegation chain
  * Other evidence or information as determined by the data space (could also be verified post-transaction), specification beyond the scope of this framework

  Privacy considerations: to prevent unauthorized access to delegation evidence, a data space or participant can decide to require evidence or information in the previous\_steps attribute, depending on the nature of the data that is being shared.

### Response model

The response contains a `delegation_evidence_token`, containing an [ishare-jwt](https://dev.ishare.eu/version-2.1.1/reference/ishare-jwt). The decoded `delegation_evidence_token` JWT payload is structured as follows.

* `delegationEvidence`\
  **Object**. Root level.\
  The root of any delegation evidence.
  * `notBefore`\
    **Integer**. Contained in `delegationEvidence`.\
    Unix timestamp in UTC indicating the start of validity period of this delegation evidence. SHOULD equal the time of issuing of the evidence unless historic evidence is requested.
  * `notOnOrAfter`\
    **Integer**. Contained in `delegationEvidence`.\
    Unix timestamp in UTC indicating the end of validity period of this delegation evidence. It is up to the issuer of the evidence to set this time. Note that a reasonable amount of time SHOULD be allowed for processing of longer delegation paths. Also note that evidence cannot be revoked, so setting very long validity periods SHOULD be avoided.
  * `policyIssuer`\
    **String**. Contained in `delegationEvidence`.\
    Identifier of the delegator, also known as the delegating entity (usually the Entitled Party).
  * `target`\
    **Object**. Contained in `delegationEvidence`.\
    At the root level, MUST contain an `accessSubject`. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject.
    * `accessSubject`\
      **Object**. Contained in `target`.\
      Party identifier of the delegate, also known as the entity that receives the delegated rights (usually the Service Consumer). It can be any one of the IDs in id or also known as.
  * `policySets`\
    **Array of Objects**. Contained in `delegationEvidence`.\
    Container for one or more objects containing policy elements with an indication for further delegation. Note that policySet elements within one delegationEvidence MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a *permit-override* manner, allowing a *Permit* even if only one of the policySet elements evaluates to *Permit*.
    * `maxDelegationDepth`\
      **Integer**. Contained in `policySets`. *Optional*.\
      Optional element that, if present, indicates that further delegation of the rights, conveyed in the policy elements that are part of this PolicySet, is allowed. The value indicates the delegation steps that are allowed after this step in order to evaluate the entire delegation path to *Permit*.
    * `target`

      **Object**. Contained in `policySets`.

      Contains `environment`.

      * `environment`

        **Object**. Contained in `target`.

        Contains `licenses`.

        * `licenses`

          **Array of Strings**. Contained in `environment`.

          Array which describes which iSHARE licenses apply to this policySet.
    * `policies`

      **Array of Objects**. Contained in `policySets`.

      Used to express the actual rights for which evidence is being provided. Note that policies within one policySets object MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated in a *permit-override* manner, allowing a *Permit* even if only one of the policy elements evaluates to *Permit*.

      * `target`\
        **Object**. Contained in `policies`.\
        Describes the target, in terms of resource and action, this request applies to. It is also the scope that is permitted through the default rule.
        * `resource`\
          **Object**. Contained in `target`.\
          Contains `type`, `identifiers` and `attributes`.
          * `type`\
            **String**. Contained in `resource`.\
            String which describes the type of resource to which the rules apply.
          * `identifiers`\
            **Array of Strings**. Contained in `resource`.\
            Array of strings containing one or more resource identifiers to which the rules apply.
          * `attributes`\
            **Array of Strings**. Contained in `resource`.\
            Array of attributes of the resources to which the rules apply.
        * `actions`\
          **Array of Strings**. Contained in `target`.\
          Array of actions that apply to this policy.
        * `environment`\
          **Object**. Contained in `target`.\
          Optional field that contains `serviceProviders`.
          * `serviceProviders`\
            **Array of Strings**. Contained in `environment`. *Optional.*\
            Array which lists the party identifier of Service Providers which are allowed to provide services to the accessSubject as described within this policy.
      * `rules`\
        **Array of Objects**. Contained in `policies`.
        * `effect`\
          **String**. Contained in `rules`.\
          Value must be equal to *Permit* or *Deny*.

### Example request

<pre class="language-json"><code class="lang-json">> Authorization: Bearer IIeDIrdnYo2ngwDQYJKoZIhvcNAQELBQAwSDEZMBcGA1UEAwwQaVNIQ

POST /delegation

{
  "delegationRequest": {
    "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
    "target": {
      "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
    },
    "policySets": [
      {
        "policies": [
          {
            "target": {
              "resource": {
                "type": "GS1.CONTAINER",
                "identifiers": [
                  "180621.CONTAINER-Z"
                ],
                "attributes": [
                  "GS1.CONTAINER.ATTRIBUTE.ETA",
                  "GS1.CONTAINER.ATTRIBUTE.WEIGHT"
                ]
              },
              "actions": [
                "ISHARE.READ",
                "ISHARE.CREATE",
                "ISHARE.UPDATE",
                "ISHARE.DELETE"
              ],
              "environment": {
                "serviceProviders": [
                  "did:ishare:EU.NL.NTRNL-10000003"
                ]
              }
            },
            "rules": [
              {
                "effect": "Permit"
              }
            ]
          }
        ]
      }
    ]
  },
  "delegation_path": [
    "did:ishare:EU.NL.NTRNL-10000007"
  ],
  "previous_steps": [
    "&#x3C;delegation evidence token>"
  ]
}
</code></pre>
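
The structural rules of the request model, written as a check an Authorization Registry could run on an incoming body before evaluating it, applied here to the example request above. This is an added example, not iSHARE's own code: `validate_delegation_request` and its helpers are hypothetical names, and `delegation_path` and `previous_steps` are read at the root level, as in the parameter list and the example.

```python
# The example request body from this page.
EXAMPLE_REQUEST = {
    "delegationRequest": {
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {"accessSubject": "did:ishare:EU.NL.NTRNL-10000001"},
        "policySets": [{"policies": [{
            "target": {
                "resource": {
                    "type": "GS1.CONTAINER",
                    "identifiers": ["180621.CONTAINER-Z"],
                    "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA",
                                   "GS1.CONTAINER.ATTRIBUTE.WEIGHT"],
                },
                "actions": ["ISHARE.READ", "ISHARE.CREATE",
                            "ISHARE.UPDATE", "ISHARE.DELETE"],
                "environment": {
                    "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                },
            },
            "rules": [{"effect": "Permit"}],
        }]}],
    },
    "delegation_path": ["did:ishare:EU.NL.NTRNL-10000007"],
    "previous_steps": ["<delegation evidence token>"],
}


def is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def as_dict(value):
    return value if isinstance(value, dict) else {}


def validate_delegation_request(body):
    """Return the request-model violations found in body (empty list = valid)."""
    req = as_dict(body).get("delegationRequest")
    if not isinstance(req, dict):
        return ["delegationRequest: required object"]
    errors = []
    if not isinstance(req.get("policyIssuer"), str):
        errors.append("policyIssuer: required string")
    target = as_dict(req.get("target"))
    if not isinstance(target.get("accessSubject"), str):
        errors.append("target.accessSubject: required string")
    if set(target) - {"accessSubject"}:
        errors.append("target: only accessSubject is allowed at the root level")
    policy_sets = req.get("policySets")
    if not isinstance(policy_sets, list) or not policy_sets:
        errors.append("policySets: required array of one or more objects")
        policy_sets = []
    for i, policy_set in enumerate(policy_sets):
        policies = as_dict(policy_set).get("policies")
        if not isinstance(policies, list):
            errors.append(f"policySets[{i}].policies: required array")
            continue
        for j, policy in enumerate(policies):
            where = f"policySets[{i}].policies[{j}]"
            ptarget = as_dict(as_dict(policy).get("target"))
            resource = as_dict(ptarget.get("resource"))
            if not isinstance(resource.get("type"), str):
                errors.append(f"{where}.target.resource.type: required string")
            for key in ("identifiers", "attributes"):
                if not is_str_list(resource.get(key)):
                    errors.append(f"{where}.target.resource.{key}: required array of strings")
            if not is_str_list(ptarget.get("actions")):
                errors.append(f"{where}.target.actions: required array of strings")
            rules = as_dict(policy).get("rules")
            if not isinstance(rules, list):
                errors.append(f"{where}.rules: required array")
                continue
            for k, rule in enumerate(rules):
                if as_dict(rule).get("effect") not in ("Permit", "Deny"):
                    errors.append(f"{where}.rules[{k}].effect: must be Permit or Deny")
    # Optional root-level arrays, as placed in the parameter list and example.
    for key in ("delegation_path", "previous_steps"):
        if key in as_dict(body) and not is_str_list(body[key]):
            errors.append(f"{key}: must be an array of strings")
    return errors
```
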

### Example response

The response contains an encoded JWT:

```json
{
  "delegation_evidence_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlHbERDQ0JIeWdBd0lCQWdJVWJsT1hOMmpiamVSaWJUcnoxN3FzTWd1Tlk4MHdEUVlKS29aSWh2Y05BUUVMQlFBd1hURWVNQndHQTFVRUF3d1ZaVWxFUVZObFUwVkJURTlKUkY5SmMzTkRRVWMwTVJrd0Z3WURWUVJoRXhCT1ZGSk9UQzFwVTBoQlVrVlVSVk5VTVJNd0VRWURWUVFLRXdwcFUwaEJVa1ZVWlhOME1Rc3dDUVlEVlFRR0V3SllXREFlRncweU5ERXhNRFl4TkRNME16SmFGdzB5TnpFeE1EWXhORE0wTXpGYU1ISXhDekFKQmdOVkJBWVRBazVNTVNRd0lnWURWUVFLREJ0VVpYTjBJRUYxZEdodmNtbHpZWFJwYjI0Z1VtVm5hWE4wY25reEpEQWlCZ05WQkFNTUcxUmxjM1FnUVhWMGFHOXlhWE5oZEdsdmJpQlNaV2RwYzNSeWVURVhNQlVHQTFVRVlRd09UbFJTVGt3dE1UQXdNREF3TURRd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUM4VndPQzIvWXVCNVpXeE5YMzNUYW55WFF6dEUzWWU3TjN0bTZsVGJ1OXEzbDlMYkNJeTlGelZvNHVWTjI1YnpKVDg2MlpQWXp4MFNrVVhvUkVUMFF0MnNMRFpZZ05SdjN0SDFuSkRFM0FKUlM4RUtDVlZ4Rllvc0tiQ2gzNDhadGRwd0tMVUtzUnE1M1VJcTBIaHF1bUptdHhVY2NUYk1OMXYwY1RXaDdXMVdBaVlRY0lqWmQwY0pweFBOYVRmVk5Ha093aHcyRDJTZlA4S0dlL1NicVBxVVUwVjNNNUJlWlRKS21HZDhJUzFlRUk1ZmRrK0ZhUGhRL2ZjbC9NaHRobzhXclJNVW1tNWw2Q21tMkkrbHVxVThSbkVQVjFYUlpJUFlzcmlJc1ZyaUFyb2FjNTdYaTB2SHh3bGUwK2JPdzJWZkpMUmgwM2l3NGFEMTVHKzYxVkFnTUJBQUdqZ2dJMU1JSUNNVEFPQmdOVkhROEJBZjhFQkFNQ0JrQXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCU3pHazlDUU9uWWVKMXIvL3drc0JDeE5EendpVEJYQmdnckJnRUZCUWNCQVFSTE1Fa3dSd1lJS3dZQkJRVUhNQUdHTzJoMGRIQnpPaTh2WTJFM0xtbHphR0Z5WlhSbGMzUXVibVYwT2pnME5ESXZaV3BpWTJFdmNIVmliR2xqZDJWaUwzTjBZWFIxY3k5dlkzTndNQkFHQTFVZElBUUpNQWN3QlFZRFZSMGdNQjhHQTFVZEpRUVlNQllHQ0NzR0FRVUZCd01FQmdvckJnRUVBWUkzQ2dNTU1Gc0dDQ3NHQVFVRkJ3RURCRTh3VFRBVEJnWUVBSTVHQVFZd0NRWUhCQUNPUmdFR0FqQTJCZ2dyQmdFRkJRY0JBd3dxVkdocGN5QnBjeUIwWlhOMElHVnpaV0ZzSUdObGNuUnBabWxqWVhSbElHWnZjaUIwWlhOMGFXNW5NQjRHQldlQkRBTUJCQlV3RXhNRFRsUlNFd0pPVEF3SU1UQXdNREF3TURRd2djY0dBMVVkSHdTQnZ6Q0J2RENCdWFDQnRxQ0JzNGFCc0doMGRIQnpPaTh2WTJFM0xtbHphR0Z5WlhSbGMzUXVibVYwT2pnME5ESXZaV3BpWTJFdmNIVmliR2xqZDJWaUwzZGxZbVJwYzNRdlkyVnlkR1JwYzNRL1kyMWtQV055YkNacGMzTjFaWEk5UTA0bE0wUmxTVVJCVTJWVFJVRk1UMGxFWDBsemMwTkJSelFsTWtOdmNtZGhibWw2WVhScGIyNUpaR1Z1ZEdsbWFXVnlK
VE5FVGxSU1Rrd3RhVk5JUVZKRlZFVlRWQ1V5UTA4bE0wUnBVMGhCVWtWVVpYTjBKVEpEUXlVelJGaFlNQjBHQTFVZERnUVdCQlJBdHJ4TFpQQ2JCbnlQYy9ualdYYk9zQy95Q1RBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVJzTktsVFBnVWRNTGZMU1V3b2ZuKzNSZmM2amVIR2d6bCtxQ29MMlRkbmxOOWZFdHY1TlMweFZyL2x5Ykx1MDFQdUk0Mmd4bmgvZ1BLUDA2ZlV1VXI1WVpySzVNeHczUUhZdzhpdlNDcndvcE1zSUhob1FjN0g2MUtZNlV1WlFJVXRCUitHdmVBVUx4NC9Vd2pKY0MrdTM3aWd3akZ6QkVneUQ1dzJGNHViajh5N0hlNEthVGhBM2xOVmkwVXprdDhUb1NBNnBoSTA2eTMwREYyUGN3UkloT1NkT1NSMzJZVTZxVXgxSXJnRU13K3VYa3NMYmt4eU0rdjQxek9jMkh5alpXZGpJTFZLbDBQYnhXcE9DYmdndm4wdDE0anhzaVVoekRFcHd1RVNFZHJhUnBoaVVrWlMrbHdqeEhEengyRlhVKys0d053ak9yUldhdXlkSHlsaGZtMlMvMWFwTmlvUk0zcXZscXVrUWEyVzhqZWRYR2Y5d0tEcDZBc2VBK3RlNWJVb1VRUGZTYnNzYWFHMllucWRjNTFDbk1WZldmemlZWTJ3RWpKVHpwZ004SXRmRDlrV1VXbWwxYi9wODhiQ3RTZFZLbHFKRUlXazdvK1V5QTZCUFBIVUhsUkRRNlU5aGlCM3dGeHQ3K3FPNXFDd2hPN0xkSmkzNEZtUEE4WHhOdHZCMjB6dFlveS9PcXlDanVUbUxQU0p6Yk9BcVlPSzl0TmozSU5aMWUvZjdYV2Q0ME9JVnRXeFYzdEM4ZUQ4TS9zV0k3ZUt2ajhET0JWcDBjMkNBL1E2ekVRSzNTNWM5U1ZuVGZLQzQ1RFhWaU8zYTV2cGhHakNlSG5EWWN4SmpHTzZ3d0szR1hmNHVGeVZzRjducGVoN1N2NnR4UDE5QjBnWHprWWdFPSIsIk1JSUYyakNDQThLZ0F3SUJBZ0lVUEczK1RBbnhWT0JjZTlOYVB0OXBUQWdtNVI0d0RRWUpLb1pJaHZjTkFRRUxCUUF3UWpFZU1Cd0dBMVVFQXd3VlpVbEVRVk5sVTBWQlRFOUpSRjlUZFdKRFFVY3pNUk13RVFZRFZRUUtFd3BwVTBoQlVrVlVaWE4wTVFzd0NRWURWUVFHRXdKWVdEQWVGdzB5TXpBNE1qVXdPVEF4TXpKYUZ3MDBPREE0TWpVd09UQXdNRFZhTUYweEhqQWNCZ05WQkFNTUZXVkpSRUZUWlZORlFVeFBTVVJmU1hOelEwRkhOREVaTUJjR0ExVUVZUk1RVGxSU1Rrd3RhVk5JUVZKRlZFVlRWREVUTUJFR0ExVUVDaE1LYVZOSVFWSkZWR1Z6ZERFTE1Ba0dBMVVFQmhNQ1dGZ3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFEYW5VZ00xL1BReVhOVFgrVU9MR3JaalM4SGFUV1IvUDR4RDhTTUNSeE9YSEt6SExRcUVRT3VIRC93K3J4OS9iRXd6SDR3VmZKMG02L3I1NktPZzB3TFVsVndPeWlrT1hHb0lURDJ1K1VpOXQyNHRZSWt4OHpqTEc3VkhWY3c0ZFhPdDkyc3ZLWTFMeWJ2bHByb1d6VEhsUndvSU8xWVE0aE8rcnlic3cvS0VERVhVYmtvd2psSEFQY3duc09XNjQzNjdFTitlelQxc1M4ZHpGSXhtRzhxQzJMck0yc1hKV3FxNXZKZUUvODZUZloyTk1PK0NVeGtqajd1UGdiVzJWL01PVWhZeUF0R0FqemQvS3dPckxNUk1ZYVhPSWo2MW04UjcxbmgvTFY5bjhkbmowd1RRT05USGh1TTdt
ZFpReGhxT2RrTDJja1NyQldpM2F0RVZUMU9oQlJYNEZtbWhJaG1TV3VDdGd5S2lEQ0lvdHlHQXNYMm82ODE3ZmVlNFJkdHdmdzlRNG9OM05BaHRvZDYwaU9BV0FwVnQrQlQ1dHZkZ0dPWVdQY2JNUjVwR3picDM4ZEdVeXV3WVpWNExBbklHU201eWF1Y05FMkUyeHJRQ2JFZVptNFJQc3g1SmxlV3ppcGsrNDJkN3ZxdldEODhJUWNRK2JaTTJYNHJKQlpOczE2NkNseCttNkhtS3hLQUxlYlV0anN6c2d5SDhjcTEwZCtrNEFvOG9DYU9ZanYySWFFYk1kK2ZWL1VmOGtQa3pUdEtsdHRkcWlpeG9JcXljWE1FZ0JhU2drdWI3WG9RNksyNnRSUEowdzVRa3V1aDNNS3RHRVdmVzdFRUdtcG5DcWpPdjYvckFNSmlNV3loMUlnTGdOQlVQUDd6YVZQcERBdEM4OE9TSlFJREFRQUJvNEdzTUlHcE1CSUdBMVVkRXdFQi93UUlNQVlCQWY4Q0FRRXdId1lEVlIwakJCZ3dGb0FVNHViWDBwNkRWak45REt0T1dXTVlBcytIeGRRd0dBWURWUjBnQkJFd0R6QUZCZ05WSFNBd0JnWUVWUjBnQURBcEJnTlZIU1VFSWpBZ0JnZ3JCZ0VGQlFjREFnWUlLd1lCQlFVSEF3UUdDaXNHQVFRQmdqY0tBd3d3SFFZRFZSME9CQllFRkxNYVQwSkE2ZGg0bld2Ly9DU3dFTEUwUFBDSk1BNEdBMVVkRHdFQi93UUVBd0lCQmpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVp2NUd1a3gwUEV2VlJFSXQ4TVRhUGZDSDRhd3lpaVl5aTE3aDZSNUxMazFyZXJ3UXNTU1NIZlZxZnRkd1JGMG9jTHAyUFhKaGUwNzVxVjQwNkMwNENqYW1OazNlejlaaU5IQ05qUHRmaWQ2b094cXoxWGs4WFBqTllFbGJBRm1QN2VLbC80NDF2WmhHdWsvUmhYR054UWJ0bzBRMTZnOElSY0dEdldnTmh0cnRCMUcyeFNtdEIxUzJ1VXBTYWlaVk5PcmtkelRoaUVKc2VVUkJvWHhVWElxcEx5UFRSbDZNTWdWYUxHUllSYzN2WWlqNEI3TTJoQk43L2NqbkdMc01WdGdiT3Y2Q1YyMWcyU1hvd2JnT3F6QnlINTFVVFI2T2JIaUdqMGtTQ0FMRzE0SVFQa3pRUGlTcGp1Kys5TTJqQWpQTTNvNDIxWk9VRE1QMjQ2Q3NxUFhyVEFiUFhKVlVSL2dpNHU1M2ttekMyMTBqdlZxOWhId2VseFFPVFBGaGxNNkUxQ2g0SmI0UFFSTEtEUEZsKzVOVzRGeTJKQURqeXVweVZIbmNkTEV1UHkwUGdDTDJZbzE0N0hTcFBqNHU3amMxUm1IVTdOTzEyRVYyWkNNZkZsUndkR3Y2aWY4cU83cy82bHBaSmpwUHRMRU9iQTV0RDRhaGMrYVBOQWk5V0NrMHBlUm0xS0U1VkdEV0tGTlNOQWlMSk56UDdtMlE2eThmT3kzOGNOZ0ZCaEdPRi9LZ0VJc1QxMFYrNUs1byt5bFZWdFBWZVJSRU5FdktPOUVMa3plMElIZ3NUQi82Y3dPaWo0cHhNOUp2YXVqMDZHZ2xoSWhpSUE2cTBpRFVxQjFNVVIwSHppWTlCc25XWTlrUjhod1YzT1crbnNtenRRd0dWRXcya2pVPSIsIk1JSUZqakNDQTNhZ0F3SUJBZ0lVRmo5LzNqR09SaHRJcFo5OE9MUnRSSHMwQVlzd0RRWUpLb1pJaHZjTkFRRUxCUUF3UVRFZE1Cc0dBMVVFQXd3VVpVbEVRVk5sVTBWQlRFOUpSRjlTYjI5MFJ6SXhFekFSQmdOVkJBb1RDbWxUU0VGU1JWUmxjM1F4Q3pBSkJnTlZCQVlUQWxoWU1CNFhEVEl6TURneU5UQTVNREEwTkZv
WERUUTRNRGd5TlRBNU1EQXdOVm93UWpFZU1Cd0dBMVVFQXd3VlpVbEVRVk5sVTBWQlRFOUpSRjlUZFdKRFFVY3pNUk13RVFZRFZRUUtFd3BwVTBoQlVrVlVaWE4wTVFzd0NRWURWUVFHRXdKWVdEQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUw3bnpreW9GWFdnMWdoZEc2Zm51enV2QWRNV3NtL0krbVgzRGJ6M0kvS3lxTGRXdDdYRzNPV1ZTbmhvc0FEMlcyU1hubEdYcXh5ZTBoUHRFZ2tRSWRlbDdGbkZvc1dXcnNFT3JhdGdYbG5NNE5XcFlES01XRVZZcm83aHpIZ0NaMTI2WlBRVUxsczUyTmN2cFJNOFMzZFprK1hLMWtmM1ZlUzBKMmhVU0ZFQVpITHlYQ1hraFRuVUk3cW8xdXIxVG1EV1lzTlF3eERHT3U3Q1F5WllkS0l3S3FJOWVHc1JMZ002UFFsZzN2WkNyb3BPb2RNN2xvVHVpckNsM1VLdzRIckdrMmNPaUFmNElkLy9lYVZDYWZ3a2pLc0pUUXVBYWh1Uno0cU1zSFlBM2tEUXorMCtoZ25SNzRyK2lMcis4bHIwNDRnbG5hV0lXdnJFR2NpUlIrUGVjdGZyTE9RUUlXN2hhMTNkeldvemtUMGFnblQxTGsvQ0dyZ05YVnFob3NHQzBydUFRUEk2RGNQTnkySU5NOUpndENtQnNTak1NMTg1RklCWDRDeTE3bTczaDlyS2pYWk14YjZUeFg3Q0laeWVzZ0FTMGJCUmI2eElwS3NacmxyakVhenNqQzJWSFJSV09NSldZcWNYTEQ1Wk56R01aVXI2VHQyeUNVQXRhbWVjREFUS042L0dic3hlMHRBQk4wcGswcng1aWMrNFRYZEJyb045T0FaY2hINHRKQ3NPQ0tvbkN6QXBQeFZUaEROTXhzb295RnE5RG1nWGh5RVVPT29lUytGcjRGZ0gralNBTm0vbDE3OEpoOWVwZlhROWdFLzZhcVB4WWpOU0JnUzYwUzFFVnFDcHh3MnJUMW1VWWVHZndpYlZtNTNpeEdwdFI4a3RlNzBuQWdNQkFBR2pmVEI3TUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SHdZRFZSMGpCQmd3Rm9BVTJMdWJOUzFiUCsvaGE4dk1ETStpTHJwcGVvd3dHQVlEVlIwZ0JCRXdEekFGQmdOVkhTQXdCZ1lFVlIwZ0FEQWRCZ05WSFE0RUZnUVU0dWJYMHA2RFZqTjlES3RPV1dNWUFzK0h4ZFF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUNBUUI4anFZVXc3VHYrVzRaSDA2UHJhRjZ6ZmRDeFQwM0RoUkNodzRaL1FtMFhWUzJnUnlSd2NNcHRRRkVSaFBOT0EyMjF1OUxxb3paMWFLM0IzNXdrY0dEL2RGSmdKQ0pCOTZTTXR0UWwySHAvRWlRejlQRkYwMmRCU3J1WGhJYXJhUGJNK05JR2RteU4yWnl3R0dYSTFhVTdKRDNYRzI5U2gyQUFkT2t2OGRJNmdFZ3p0L0RIU0lJYmFrYmFMZEVJYzdXQjk1R1VIY0huTmo1OFR6VFN5VmZCbXRiM3ZCSzlKRzBJbzZOQVBXUVl4MlZQOCtmSXlsamEyZDEyOGhnaDBkc0RyWEZBTSs5QVg4aGFlNXZ2eFZpOFRXcy96MmluZytrK2ltbXRTTmZ6ektNaU83cjV3SkFreWp3dFVCbEJTdEtJQTZaZXIyMnBtU1RaWmV1Y0hkRVRoYWJjV1FpZFZabU1QM0lmNml4NVVleVg4VjZPQXcwZ3NJM0lVYjkxUTc2ZDRzTFdiem9HTk9OQVlGQzFJeXoweFdqNDdaZDZQN1oyR2ZoMVZpSWJNeFZpRkRsTm1iRVpmbHBFUzg3Sy95aEJVUS90bkNOR1Fv
U2R0c3V5dVdnM05mV2J5Sm9OWnpsVTk2Sld4Y3FTYVhrenNlOWo4d2FoYXlLTk02U1dLU1kxWjA1aDhKU2NPQ21GQjVGOFYzYmQ1blAvdUtqYTdIOE80R09BQVBNM090RytlcTM3eFcveE4wb0FzamJ2dDRvam5VYkpzMmtpQXhFZHdYeDBLN21jUGVTN3pXbVZ0OGg0UmRjRG0vUEdURGE5bThPcWhRdWNrODBRbnV4SVVXVnI3R1dhZGgxTHkvdGwwK2J2bWtjbk8yeWJSSitnYnFSRUhEVGUwc3hzdz09IiwiTUlJRmN6Q0NBMXVnQXdJQkFnSVVDdmZTdlFlcmpGRG1NMkx2bWpvVERPSW5MQXd3RFFZSktvWklodmNOQVFFTEJRQXdRVEVkTUJzR0ExVUVBd3dVWlVsRVFWTmxVMFZCVEU5SlJGOVNiMjkwUnpJeEV6QVJCZ05WQkFvVENtbFRTRUZTUlZSbGMzUXhDekFKQmdOVkJBWVRBbGhZTUI0WERUSXpNRGd5TlRBNU1EQXdObG9YRFRRNE1EZ3lOVEE1TURBd05Wb3dRVEVkTUJzR0ExVUVBd3dVWlVsRVFWTmxVMFZCVEU5SlJGOVNiMjkwUnpJeEV6QVJCZ05WQkFvVENtbFRTRUZTUlZSbGMzUXhDekFKQmdOVkJBWVRBbGhZTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF4Vk1LSTlSTWhuT1NBMkxvcmdFQzNZRE5kMml0bjcyTE9kZlJSVXU0NWZHNzBJZXYrRTRrUnJ6SjFrMjNXWEg1c0hUYmNzbHBFVGVBWm5qMC94S0JZZEVMdXdlNkhYOGtJd2QxczZXR2xaYzBsN2tpMWZtajRIcVNzdEdKL0JLR2oxYTcyMzZXd1BKRVdFSHFmeDlRTUVldUpLbFVTVkZGeUU0ak1zZllwODdpZklwdXdFOG9MT3c0eWtERE9QNTJUZDA2dkhDSVlycURCcnZ4RmRBdUVuRnhOeGxQWFJFNGdMc3lnZzYySE94T3VHbWhXZnN5NlRjY0lwNVhJT2RqMkN6ZW9YSjgybTUvaW1CUEp2a2VmbnJqRVFYemlTRTJtaTJJQkR0R1AvQXdGV0k3V3BzRXlEWFdJbU1TUjBUM0N1RG1rZVExNHBObWNxTXAvYnFYM2kxYWV0YWRGVFdzdWhsMG5IMmlScUtaREp4WmxTY3U5OXRvcTVHcmRjRlVjeEdSUXlsK3NGaFVoM1hjQldKVjdZMnduRkwydFk3dGh0UThaUG16VE84a1BLQ2JFbDVVNmdDU0lrcFJQTlpCUEc0ZFQwcXUrOEJkNzFQdTduQXkxaUI0VTZ5czM0Y0ZsT2xKcEdNMEZHcjM1TGVmYlBSOGJnejZNOVhOalJiZ01EUWNYRE1uZmlESjdFODFvVkJwQ1hOOXlkSGkxYmxoYWt1RUJhb2E5TS9rYXppcEdQbUF1eHJXQk1tcDJxMHd6UXA5R1MyZThrZUpJRHdKdXl6RUxhUlpDNHlqVnNWWlFNSy8vRCs0SjNib1U1ZHJDbW1tNkMxcndOUmZTWnVGR05jSVlEWmVIdGVHb0NGNEVBNWpjZ2RGYUlZckRlajZWQWFiNDJ2TjVMVUNBd0VBQWFOak1HRXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWZCZ05WSFNNRUdEQVdnQlRZdTVzMUxWcy83K0ZyeTh3TXo2SXV1bWw2akRBZEJnTlZIUTRFRmdRVTJMdWJOUzFiUCsvaGE4dk1ETStpTHJwcGVvd3dEZ1lEVlIwUEFRSC9CQVFEQWdFR01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQmJjSHlWMmI1bUd3SFd4Q1NiRHdyNVY3UGdTWklKYTFzY3JDbklIRDNaL3l4RzdYcDVjSWxCajRNeTRsUkhqWnRKVnZVZlRqRnBzRURFdi9QQXE3NE9Jb2xO
L2tQZE1mVGN6RkJHcHZzWnIweDJ5VVBFSnpRc1RTTHgwZ3daK3d2b0tIV0UwQzdHcWdrQUJOckZXOEZMcVJ6TnFYc21NNW9JNGMzVjVzeXh3QllGRFVZNU1QV2RxSkVEZlJ2ampKUENYbUtPUDFsTytpK0UwN3ZzRnBEekhTMkZLQjVjNnNUSVprdnQrSC9DRzRoVnU2WnZjRlhYenYySksvRW9WWjZ3VWRDbHQ0cExnVFFaL1cwcVFDSjNHakZlL1BaNzRtY2tXMXgvems5ejBWUWpVcFRxejNBalBMSWpqNjBuTUxUTHA1MG9GY01ManVYc3MwdnY0dFVqQ1RwczJRZzluMEd3TGxEUjQyTnl3MlRLY01NQjZ5Y0VvTmlVRXUwbGdhMUpNMFNWU3NGUDdHU1UvVzlWcWF0Szd4cC9YVzkvR0R2Z3AzWi9wUE0wRTNpMXRxcC9uT1U0M1lvZjhXaTRKSjZ6T2dYQnpxUXhPNk1JTFpKNHFFZmVuQXRJN285NVR5NXlrOXZSYm9Vc3R5d3NmQzZDVnN1MDhOTC90dHc0T1NYT3Zia1ErN3pNeENZVDlZeVFENWwvbHRDM2JnZGovbEJaem5zQnVHWU5PQjE2d0ROY0dwdXVhZWtzZlFmQkRQSFQrdlI2Z1BWRlpweVZ3eS90ekg2TlRwVUdEam9IVnNDeFVqWTg3ME9NNEQySmNqOU9JcXFkbGtDb1dPNmk0VmVjN3NUenhpWDM5b05TcjFHN0NvYmMzc1lkaG54Zy92bGcxQmVDSjg3cDBBPT0iXX0.eyJpc3MiOiJkaWQ6aXNoYXJlOkVVLk5MLk5UUk5MLTEwMDAwMDA0Iiwic3ViIjoiZGlkOmlzaGFyZTpFVS5OTC5OVFJOTC0xMDAwMDAwNCIsImp0aSI6IjdmYTFlYzM5YmFjMzRmZmZhMmNhNDgyMDFlNDhmMDNhIiwiaWF0IjoxNzExNDY2OTg1LCJleHAiOjE3MTE0NjcwMTUsImF1ZCI6ImRpZDppc2hhcmU6RVUuTkwuTlRSTkwtMTAwMDAwMDEiLCJkZWxlZ2F0aW9uRXZpZGVuY2UiOnsibm90QmVmb3JlIjoxNTQxMDU4OTM5LCJub3RPbk9yQWZ0ZXIiOjIxNDc0ODM2NDcsInBvbGljeUlzc3VlciI6ImRpZDppc2hhcmU6RVUuTkwuTlRSTkwtMTAwMDAwMDUiLCJ0YXJnZXQiOnsiYWNjZXNzU3ViamVjdCI6ImRpZDppc2hhcmU6RVUuTkwuTlRSTkwtMTAwMDAwMDEifSwicG9saWN5U2V0cyI6W3sibWF4RGVsZWdhdGlvbkRlcHRoIjowLCJ0YXJnZXQiOnsiZW52aXJvbm1lbnQiOnsibGljZW5zZXMiOlsiSVNIQVJFLjAwMDEiXX19LCJwb2xpY2llcyI6W3sidGFyZ2V0Ijp7InJlc291cmNlIjp7InR5cGUiOiJHUzEuQ09OVEFJTkVSIiwiaWRlbnRpZmllcnMiOlsiMTgwNjIxLkFCQzEyMzQiXSwiYXR0cmlidXRlcyI6WyJHUzEuQ09OVEFJTkVSLkFUVFJJQlVURS5FVEEiXX0sImVudmlyb25tZW50Ijp7InNlcnZpY2VQcm92aWRlcnMiOlsiZGlkOmlzaGFyZTpFVS5OTC5OVFJOTC0xMDAwMDAwMyJdfSwiYWN0aW9ucyI6WyJJU0hBUkUuUkVBRCJdfSwicnVsZXMiOlt7ImVmZmVjdCI6IlBlcm1pdCJ9XX1dfV19fQ.dNiITX_uHj3CJagOm54W-_MD2PXIsh1snviAtuoRbc7a7nRkQXZShJJDpldpyQOugsqFFhgLedUXM5z8kST0-5a9BNaaxrW5KAZNqyXtDgudRgB8T2vrohcmgLin39pgvD1gydoHHIXolJxPHCOYdxAamMD-8umvTzCFogjdwFaB9RMVWUHMbDuAZGYup-lSewuIK2pkwKJZft5ZRWxfi
gnBBt2mauB4wot5Z92VLPReNA8EH0R9C_GkykP6pRCu2Km7La3c116WNP0szN02l8P87rqVNwDsjLpzhpH1cs17shDvbis8DbKb3KsHnq_LALAG9nx4GOFrupxuAadhGw"
}
```

After decoding, the example content of the JWT looks like this:

```json
{
  "iss": "did:ishare:EU.NL.NTRNL-10000004",
  "sub": "did:ishare:EU.NL.NTRNL-10000004",
  "jti": "7fa1ec39bac34fffa2ca48201e48f03a",
  "iat": 1711466985,
  "exp": 1711467015,
  "aud": "did:ishare:EU.NL.NTRNL-10000001",
  "delegationEvidence": {
    "notBefore": 1541058939,
    "notOnOrAfter": 2147483647,
    "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
    "target": {
      "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
    },
    "policySets": [
      {
        "maxDelegationDepth": 0,
        "target": {
          "environment": {
            "licenses": [
              "ISHARE.0001"
            ]
          }
        },
        "policies": [
          {
            "target": {
              "resource": {
                "type": "GS1.CONTAINER",
                "identifiers": [
                  "180621.ABC1234"
                ],
                "attributes": [
                  "GS1.CONTAINER.ATTRIBUTE.ETA"
                ]
              },
              "environment": {
                "serviceProviders": [
                  "did:ishare:EU.NL.NTRNL-10000003"
                ]
              },
              "actions": [
                "ISHARE.READ"
              ]
            },
            "rules": [
              {
                "effect": "Permit"
              }
            ]
          }
        ]
      }
    ]
  }
}
```
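
How a relying party could evaluate the decoded `delegationEvidence` above against one access request, following the validity period, `accessSubject`, optional `serviceProviders` and *permit-override* rules of the response model. This is an added example, not iSHARE's own code. It assumes the JWT signature and certificate chain were already verified; the `REQUEST` key names, the function names, the handling of "\*" inside evidence and the treatment of *Deny* rules are assumptions marked in the comments.

```python
import time

# delegationEvidence copied from the decoded example response on this page.
EVIDENCE = {
    "notBefore": 1541058939,
    "notOnOrAfter": 2147483647,
    "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
    "target": {"accessSubject": "did:ishare:EU.NL.NTRNL-10000001"},
    "policySets": [{
        "maxDelegationDepth": 0,
        "target": {"environment": {"licenses": ["ISHARE.0001"]}},
        "policies": [{
            "target": {
                "resource": {
                    "type": "GS1.CONTAINER",
                    "identifiers": ["180621.ABC1234"],
                    "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"],
                },
                "environment": {
                    "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                },
                "actions": ["ISHARE.READ"],
            },
            "rules": [{"effect": "Permit"}],
        }],
    }],
}

# Constructed access request; the key names are hypothetical, not iSHARE fields.
REQUEST = {
    "policy_issuer": "did:ishare:EU.NL.NTRNL-10000005",
    "access_subject": "did:ishare:EU.NL.NTRNL-10000001",
    "service_provider": "did:ishare:EU.NL.NTRNL-10000003",
    "type": "GS1.CONTAINER",
    "identifiers": ["180621.ABC1234"],
    "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"],
    "actions": ["ISHARE.READ"],
}


def covers(granted, wanted, wildcard=False):
    """True if wanted is non-empty and every wanted value is granted."""
    if not wanted:
        return False  # an empty request must not match vacuously
    if wildcard and "*" in granted:
        return True  # assumption: "*" in the evidence grants every value
    return set(wanted) <= set(granted)


def policy_permits(policy, req):
    target = policy.get("target", {})
    resource = target.get("resource", {})
    providers = target.get("environment", {}).get("serviceProviders")
    effects = [rule.get("effect") for rule in policy.get("rules", [])]
    return (
        resource.get("type") == req["type"]
        and covers(resource.get("identifiers", []), req["identifiers"], wildcard=True)
        and covers(resource.get("attributes", []), req["attributes"], wildcard=True)
        and covers(target.get("actions", []), req["actions"])
        # serviceProviders is optional; when present the provider must be listed
        and (providers is None or req["service_provider"] in providers)
        # assumption: one Permit rule is needed and any Deny rule vetoes the policy
        and "Permit" in effects and "Deny" not in effects
    )


def evaluate(evidence, req, now=None):
    """Return "Permit" or "Deny" for req against a decoded delegationEvidence."""
    now = int(time.time()) if now is None else now
    if not evidence["notBefore"] <= now < evidence["notOnOrAfter"]:
        return "Deny"  # outside the validity period
    if evidence["policyIssuer"] != req["policy_issuer"]:
        return "Deny"
    if evidence["target"].get("accessSubject") != req["access_subject"]:
        return "Deny"
    # permit-override: one permitting policy in any policySet is enough
    for policy_set in evidence.get("policySets", []):
        if any(policy_permits(p, req) for p in policy_set.get("policies", [])):
            return "Permit"
    return "Deny"
```

A request is permitted only when a single policy covers all of its identifiers, attributes and actions, so callers should evaluate one resource access per call.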
