We propose a programming language, called $\PCML$, for building distributed
applications with distributed access control. Target applications include
web-based systems in which programs must compute with stipulated
resources at different sites.
In such a setting, access control policies are \emph{decentralized} (each site 
may impose restrictions on access to its resources without the knowledge of or cooperation
with other sites) and \emph{spatially distributed}
(each site may store its policies locally). To enforce such policies $\PCML$ 
employs a distributed proof-carrying authorization framework in which sensitive
resources are governed by reference monitors that authenticate principals and 
demand logical proofs of compliance with site-specific 
access control policies. The language provides primitive operations for \emph{authentication},
and \emph{acquisition} of proofs from local policies.
The type system of $\PCML$ enforces locality restrictions 
on resources, ensuring that they can only be accessed from the site at which they 
reside, and enforces the authentication and authorization obligations required to 
comply with local access control policies. This ensures that a well-typed $\PCML$ 
program cannot incur a runtime access control violation at a reference monitor for 
a controlled resource.