Controlled sharing is fundamental to distributed systems; yet, on the Web, and in the Cloud, sharing is still based on rudimentary mechanisms. Macaroons are flexible authorization credentials that support decentralized delegation between principals, that can easily enable more fine-grained authorization for Cloud services, e.g., by strengthening mechanisms like OAuth2. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient, easy to deploy, and widely applicable. Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests. Macaroons can be formalized in authorization logic and shown to equal the expressiveness of earlier, flexible certificate-based authorization systems, like SPKI/SDSI.