π€Account Delegation
Introduction to Account Delegation
Account Delegation enables a user (the βownerβ) to grant another account permission to access and decrypt all of their encrypted files stored in Lighthouse. This feature is ideal for shared workspaces, recovery workflows, or any scenario where secure file access must be temporarily or permanently delegated without re-encrypting data or re-uploading assets.
How Account Delegation Works in Lighthouse
The delegation flow involves three core steps:
Authenticate as Owner The owner signs an authentication message with their private key to obtain a JWT or signed bearer token from Lighthouse Kavach service.
Set Delegation Permissions The owner calls the
setAllFilesAccess
endpoint, passing the delegateβs address and the token. Lighthouse updates its access-control registry, allowing the delegate to retrieve shared encryption keys for CID belonging to the owner.Delegate Decrypts Files The delegate signs their own auth message, then calls the
retrieveSharedKey
endpoint with the ownerβs address, the target CID, and their token. Lighthouse returns the shard of the master encryption key, which the delegate combines using Lighthouse Kavach and uses to decrypt the file.
Demo
Last updated
Was this helpful?