Skip to main content

Overview

Delegates are addresses that can perform specific operations on your vault. As a vault owner, you can grant granular permissions to delegates for different protocols and operations without transferring vault ownership. This is useful for:
  • Allowing trading bots to execute swaps
  • Enabling portfolio managers to manage DeFi positions
  • Granting limited access to team members
  • Automating specific vault operations

Understanding Delegate Permissions

Permissions are organized by:
  1. Integration Program: The protocol integration (e.g., Jupiter, Kamino, Drift)
  2. Protocol: Specific protocol within the integration
  3. Permission Names: Specific operations allowed (e.g., swap, deposit, borrow)

Permission Scope

Each delegate can have different permissions for different protocols: 
Delegate: 5mQ2...3nLw
  Integration: JupiterProgram
    Protocol: JupiterSwap
      Permissions: swap, limitOrder
  Integration: KaminoProgram  
    Protocol: KaminoLend
      Permissions: deposit, withdraw

Listing Delegates

View all delegates and their current permissions: 
glam delegate list
Example output: 
My Vault (8x7F...9zKp) has 2 delegates:
[0] 5mQ2...3nLw
  Integration: JUpiterixyz...
    JupiterSwap: swap, limitOrder
  Integration: KAmino123...
    KaminoLend: deposit, withdraw, borrow, repay
    
[1] 7xR3...2kPm  
  Integration: DRiFt123...
    DriftProtocol: deposit, withdraw
Delegates are identified by their public key (wallet address). Make sure you have the correct address before granting permissions.

Granting Permissions

Grant specific permissions to a delegate for a protocol: 
glam delegate grant <pubkey> --protocol <protocol-name> <permission1> <permission2> ...

Examples

# Grant swap permissions for Jupiter
glam delegate grant 5mQ2...3nLw --protocol JupiterSwap swap
Terminal output: 
Confirm granting 5mQ2...3nLw "swap" permissions for protocol "JupiterSwap"? (y/n): y
Granted 5mQ2...3nLw "swap" permissions to JUpiterixyz... for protocol "JupiterSwap": 2Tx9...4kPq

Skip Confirmation

Use the -y flag to skip the confirmation prompt: 
glam delegate grant 5mQ2...3nLw --protocol JupiterSwap swap -y

Common Protocol Names

Here are commonly used protocol names:
Protocol NameOperationsDescription
JupiterSwapswap, limitOrderToken swaps via Jupiter
KaminoLenddeposit, withdraw, borrow, repayKamino lending operations
KaminoVaultsdeposit, withdrawKamino liquidity vaults
DriftProtocoldeposit, withdraw, swap, borrowDrift perpetuals and trading
SplTokentransfer, burnSPL token operations
Marinadestake, unstakeMarinade liquid staking
Protocol and permission names are case-insensitive. JupiterSwap, jupiterswap, and JUPITERSWAP all work.

Revoking Permissions

Revoke specific permissions from a delegate: 
glam delegate revoke <pubkey> --protocol <protocol-name> <permission1> <permission2> ...

Examples

# Revoke swap permission from Jupiter
glam delegate revoke 5mQ2...3nLw --protocol JupiterSwap swap
Terminal output: 
Confirm revoking 5mQ2...3nLw "swap" permissions for protocol "JupiterSwap"? (y/n): y
Revoked 5mQ2...3nLw "swap" permissions from JUpiterixyz... for protocol "JupiterSwap": 3Yz8...5mNq
Revoking permissions immediately prevents the delegate from performing those operations. This cannot be undone without re-granting.

Revoking All Access

Completely remove all permissions for a delegate: 
glam delegate revoke-all <pubkey>
Example: 
glam delegate revoke-all 5mQ2...3nLw
Terminal output: 
Confirm revoking all 5mQ2...3nLw permissions to the vault? (y/n): y
Revoked 5mQ2...3nLw access: 4Bx7...6pQr
This is an emergency access update that immediately removes the delegate from the vault’s ACL (Access Control List). Use this when you need to quickly revoke all access.

Permission Management Workflows

Setting Up a Trading Bot

1

Generate bot wallet

Create a dedicated wallet for the trading bot:
solana-keygen new -o trading-bot.json
2

Grant swap permissions

glam delegate grant <bot-pubkey> --protocol JupiterSwap swap
3

Verify permissions

glam delegate list
4

Test bot access

Have the bot execute a small test swap to verify permissions.

Onboarding a Portfolio Manager

1

Identify required protocols

Determine which protocols the manager needs access to.
2

Grant protocol-specific permissions

# Jupiter for swaps
glam delegate grant <manager-pubkey> --protocol JupiterSwap swap

# Kamino for yield farming
glam delegate grant <manager-pubkey> --protocol KaminoVaults deposit withdraw

# Drift for trading
glam delegate grant <manager-pubkey> --protocol DriftProtocol deposit withdraw
3

Document permissions

Keep a record of granted permissions for audit purposes.
4

Review regularly

glam delegate list

Emergency Access Revocation

1

Identify compromised delegate

Determine which delegate address needs to be revoked.
2

Revoke all access immediately

glam delegate revoke-all <delegate-pubkey> -y
3

Verify revocation

glam delegate list
4

Generate new delegate if needed

Create a new wallet and grant appropriate permissions.

Rotating Delegate Access

1

Create new delegate wallet

solana-keygen new -o new-delegate.json
2

Grant permissions to new delegate

glam delegate grant <new-pubkey> --protocol JupiterSwap swap
3

Verify new delegate works

Test operations with the new delegate.
4

Revoke old delegate

glam delegate revoke-all <old-pubkey> -y

Security Best Practices

Only grant the minimum permissions required for each delegate to perform their tasks.Bad:
# Granting all possible permissions
glam delegate grant <bot> --protocol KaminoLend deposit withdraw borrow repay
Good:
# Only granting what's needed
glam delegate grant <bot> --protocol KaminoLend deposit withdraw
Create separate wallets for different delegates instead of sharing access:
# Trading bot
solana-keygen new -o trading-bot.json

# Yield optimizer
solana-keygen new -o yield-bot.json

# Emergency manager
solana-keygen new -o emergency-wallet.json
Review delegate permissions regularly:
# Weekly review
glam delegate list
Remove delegates that are no longer needed.
Track transactions performed by delegates using Solana explorers or monitoring tools.
Have a documented process for emergency access revocation:
# Emergency revocation (no confirmation)
glam delegate revoke-all <suspicious-delegate> -y

Troubleshooting

Error: Protocol not found or Invalid permission nameSolution:
  • Verify the protocol name is spelled correctly (case-insensitive)
  • Check available protocols using glam delegate list
  • Ensure you’re using the correct permission names for the protocol
Issue: Delegate receives permission denied errorSolution:
# Verify delegate has required permissions
glam delegate list

# Grant missing permissions
glam delegate grant <pubkey> --protocol <protocol> <missing-permission>
Error: Permission not found or already revokedSolution:
# Check current permissions
glam delegate list

# If delegate has no permissions, use revoke-all to clean up
glam delegate revoke-all <pubkey>

Command Reference

CommandDescriptionRequired Options
delegate listList all delegates and permissionsNone
delegate grant <pubkey>Grant permissions to delegate--protocol <name>
<permissions...>
delegate revoke <pubkey>Revoke specific permissions--protocol <name>
<permissions...>
delegate revoke-all <pubkey>Revoke all delegate accessNone

Common Options

  • -y, --yes - Skip confirmation prompt
  • --protocol <name> - Protocol name (required for grant/revoke)

Next Steps

Managing Assets

Learn how to manage vault assets and balances

Jupiter Commands

Execute swaps with delegate permissions

Kamino Commands

Manage DeFi positions with delegates

Drift Commands

Trade perpetuals using delegate accounts

Build docs developers (and LLMs) love

Get started for freeTalk to us