Attenuation

The process of narrowing a capability token to grant fewer permissions than the original. A venue administrator can delegate a read-write token as read-only, or scope a broad token to a single resource. Attenuation is one-directional: permissions can only be reduced, never expanded.