Skip to main content
Before diving in, here’s what this setup accomplishes: You’ll create a sub-organization where the end-user has full control (root user) and a Delegated Access (DA) user (managed by your backend) can sign only specific transactions, for example, sending to approved recipient addresses. This ensures your backend can perform limited, policy-controlled actions on behalf of the user without ever holding their root privileges. The entire setup is initiated by your backend — no end-user interaction is required. A simple example demonstrating the server-side delegated access setup can be found here.

Step-by-step implementation

Step 1: create a sub-organization with two root users

  • Create your sub-organization with the two root users being:
    • The end-user
    • A user you control (we’ll call it the ‘Delegated Account’)

Step 2: limit the permissions of the Delegated Account user via policies

  • Create a custom policy granting the Delegated Account specific permissions. You might grant that user permissions to:
    • Sign any transaction
    • Sign only transactions to a specific address
    • Create new users in the sub-org
    • Or any other activity you want to be able to take using your Delegated Account
Here’s one example, granting the Delegated Account only the permission to sign ethereum transactions to a specific receiver address:

Step 3: remove the Delegated Account from the root quorum using the Delegated Account’s credentials:

After completing these steps, the sub-organization will have two users: the end-user (the only root-user) and the Delegated Account user, which only has the permissions granted earlier via policies and no longer retains root user privileges.

Delegated Access code example

Below is a code example outlining the implementation of the Delegated Access setup flow described above