Commands and mutations are delegated via capability endowment from the account that initially created the resource (the "root owner"). This is a form of delegated access, where an agent (indexed by DID) that has been granted certain capabilities may redelegate a subset to another agent. One of the most common tasks for apps is authorizing users to perform some action, like storing new data to storage, updating records, or fetching a file.
Traditional app architecture has many users share one database ("multi-tenant"), with every user's data fully interleaved with everyone else's. Authorization here is primarily focused on keeping users from editing each other's records on this shared infrastructure. The server's rules give fairly coarse-grained control. Due to the inevitable exceptions to these rules, the logic becomes increasingly complex over time.
Typically, in more distributed setups — like a microservice architecture — all requests are funnelled through a central authorization service. Over time this causes several challenges, including complex logic, cost of maintenance, tricky edge cases, and difficulty managing traffic spikes. In short: it doesn't scale well.
Even incumbents like Google are moving away from the traditional auth server model to overcome the above challenges. Fission has different constraints from Google and Amazon, but can adapt a lot of these ideas for our purposes. Essentially they're moving from a central auth server setup to a distributed model where more power is delegated to services.
What if we learned from Google's approach (plus older approaches like SDSI/SPKI and X.509) but took it to its logical conclusion? Meet the UCAN: self-signed tokens that are a JWT variant of macaroons and SPKI. These are still bearer credentials, but paired with better public key infrastructure and distribution, and self-signed with no need for specialized certificate authorities ("CA"). You can think of UCANs as essentially a decentralized certificate that can be used to access external services on behalf of yourself or another user that has granted you permission.
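The redelegation rule from the opening paragraph (an agent may pass on only a subset of what it was granted, and the chain must start at the root owner) can be checked without a central authorization service. The following is an added example, not Fission's code and not the UCAN wire format: the `Token` and `Capability` shapes, the path-style resource names and the `did:example:` identifiers are all constructed for illustration, and signature and expiry checks are assumed to have been done on every token beforehand.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Capability:
    resource: str  # constructed path-style name, e.g. "storage:alice/photos"
    action: str    # e.g. "write"

@dataclass(frozen=True)
class Token:
    issuer: str                       # DID of the agent delegating
    audience: str                     # DID of the agent receiving the grant
    capabilities: frozenset           # set of Capability
    proof: Optional["Token"] = None   # token that gave the issuer its rights

def covers(parent: Capability, child: Capability) -> bool:
    """Same action, and the child resource is the parent's or lies beneath it."""
    base = parent.resource.rstrip("/")
    return parent.action == child.action and (
        child.resource == base or child.resource.startswith(base + "/"))

def authorize(token: Token, agent: str, wanted: Capability, root_owner: dict) -> bool:
    """True if `agent` may exercise `wanted`; signatures and expiry are assumed
    to have been checked on every token before this runs."""
    if token.audience != agent or not any(covers(c, wanted) for c in token.capabilities):
        return False
    while token.proof is not None:
        parent = token.proof
        if parent.audience != token.issuer:  # chain must be continuous
            return False
        # Attenuation: every capability handed on must already be held.
        if not all(any(covers(p, c) for p in parent.capabilities)
                   for c in token.capabilities):
            return False
        token = parent
    # The chain must start at the root owner of each resource it grants.
    return all(root_owner.get(c.resource.split("/")[0]) == token.issuer
               for c in token.capabilities)

# Constructed sample chain: alice (root owner) -> app -> bob.
ALICE, APP, BOB = "did:example:alice", "did:example:app", "did:example:bob"
OWNERS = {"storage:alice": ALICE}
root = Token(ALICE, APP, frozenset({Capability("storage:alice/photos", "write")}))
narrowed = Token(APP, BOB, frozenset({Capability("storage:alice/photos/2024", "write")}), root)
widened = Token(APP, BOB, frozenset({Capability("storage:alice", "write")}), root)
```

The check is deliberately strict: a token that hands on any capability its issuer did not hold is rejected as a whole, even if the requested action would have been covered.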