Macaroon Model

Macaroons are a cryptographic, token-based delegation mechanism that encode authorisations together with constraints, called caveats. Unlike structural models that explicitly trace delegation paths, macaroons provide a way to embed rules directly in the token. Each new party can append additional caveats when delegating rights further, creating a compact but flexible chain of constraints.

For example, the data owner issues a macaroon authorising access to a dataset. When Party A delegates to Party B, it adds caveats such as “only valid until tomorrow” or “only for transport documents”. Party B can then further delegate to Party C, adding new caveats on top of the existing ones. Validation means checking that all caveats are satisfied: if any fail, the macaroon is invalid.

This design offers strong privacy benefits. Since macaroons only contain embedded caveats, downstream parties do not see the full delegation path or identities of all intermediaries. Furthermore, validation is fast: it requires only cryptographic checks on the token itself, without registry lookups.

However, macaroons have significant limitations in flexibility. Once caveats are embedded, they cannot be modified, and revocation is difficult because there is no central registry to consult. Revoking one macaroon typically requires reissuing all tokens. This makes macaroons less suited for ecosystems where revocation propagation is critical. Additionally, while caveats allow for constraints like expiration dates or access scopes, they cannot easily represent complex policies or alternative delegation paths.
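The delegation chain and validation described above, and the point that embedded caveats cannot be altered afterwards, as an added example that is not code from this page. It assumes the standard macaroon construction of chained HMACs (HMAC-SHA256 here); the root key, dataset identifier and caveat syntax are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Data owner issues the macaroon: sig = HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier)}

def attenuate(mac: dict, caveat: str) -> dict:
    """Any holder appends a caveat: new sig = HMAC(old sig, caveat). No root key needed."""
    return {"id": mac["id"], "caveats": mac["caveats"] + [caveat],
            "sig": _chain(mac["sig"], caveat)}

def caveat_holds(caveat: str, ctx: dict) -> bool:
    """Constructed caveat language: 'expires < <ISO-8601>' or '<key> = <value>'."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False  # malformed caveats fail closed
    key, op, value = parts
    if key == "expires" and op == "<":
        return ctx["now"] < datetime.fromisoformat(value)
    if op == "=":
        return ctx.get(key) == value
    return False  # unknown caveat types fail closed

def verify(root_key: bytes, mac: dict, ctx: dict) -> bool:
    """Recompute the HMAC chain from the root key, then check every caveat."""
    sig = _chain(root_key, mac["id"])
    for caveat in mac["caveats"]:
        sig = _chain(sig, caveat)
    return hmac.compare_digest(sig, mac["sig"]) and all(
        caveat_holds(c, ctx) for c in mac["caveats"])

ROOT_KEY = b"constructed-demo-root-key"   # constructed; held only by the verifier
owner = mint(ROOT_KEY, "dataset-42")      # data owner -> Party A
to_b = attenuate(owner, "expires < 2030-01-02T00:00:00+00:00")  # A -> B
to_c = attenuate(to_b, "doctype = transport")                   # B -> C

# Party C strips B's caveat but can only present the signature it was given;
# it cannot recover the earlier signature from the later one.
stripped = {**to_c, "caveats": to_c["caveats"][:1]}

if __name__ == "__main__":
    ctx = {"now": datetime(2030, 1, 1, tzinfo=timezone.utc), "doctype": "transport"}
    print("C's token valid:", verify(ROOT_KEY, to_c, ctx))
    print("stripped token valid:", verify(ROOT_KEY, stripped, ctx))
```

The verifier needs only the root key and the token, with no registry lookup, which is also why a single issued token cannot be withdrawn without changing that key.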

The macaroon model is therefore best suited for privacy-sensitive contexts where delegation chains are relatively short-lived, efficiency is critical, and fine-grained constraints are more important than revocation flexibility.

Figure 3.1: A delegation model where the data owner creates a macaroon using a trusted party, which is then passed along the delegation chain.
Table 3.1: The key strengths and weaknesses for the macaroon-based delegation model.
