mint_scoped_token
Mint a restricted child token from a multi-use credential for offline delegation to sub-agents. Attenuates scope, uses, and spend caps without additional payment.
Instructions
Mint a scoped, capped child credential from a multi-use credential you already hold for an endpoint, to hand to a sub-agent. Attenuates OFFLINE (no payment, no round-trip): the child is a normal L402 token the worker spends with call_api or a plain client, and the gateway enforces every cap. Attenuation is tighten-only — a child can never widen scope or exceed the parent's remaining uses/sats. Give at least one restriction. Requires a held multi-use credential for this endpoint (a single-use payment has nothing to delegate). Revoke the whole tree with revoke_token.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| path | Yes | The endpoint path the held bundle is for (e.g. '/v1/history/candles') | |
| slug | Yes | The API slug the credential is for (e.g. 'btc-intel') | |
| expiry | No | Child expiry as an ISO 8601 timestamp (e.g. '2026-08-01T00:00:00Z') or Unix milliseconds; must be no later than the parent's expiry | |
| n_uses | No | Cap the child to this many requests (must not exceed the parent's remaining n_uses) | |
| path_prefix | No | Restrict the child to request paths at or under this prefix (must be at or under the parent's path scope) | |
| spend_cap_sats | No | Cap the child's cumulative spend in sats (must not exceed the parent's max_sats) |