# Delegating Access to Subsystems
If your app has multiple subsystems, it may make sense to grant each subsystem only the minimal set of scopes it needs.
All you need is an already generated access token containing all scopes to be delegated and the `zaikio.delegations.rw` scope.
Create an access token with the `zaikio.delegations.rw` scope and other required scopes (e.g. with the Redirect Flow).
Note that this only works for OAuth confidential apps.
# Request access token for subsystem
Send a `POST` request to `https://hub.zaikio.com/oauth/delegate` with the generated access token provided in the `Authorization` header. The following parameters must accompany the request:
| Name | Description |
|---|---|
| `client_id` (required) | The client ID of your subsystem App as generated by the Zaikio Hub. |
| `delegate_access_scope` | A comma-separated list of the scopes you want authorisation for. You can only request scopes that were granted for the parent access token. It is not possible to pass `zaikio.delegations.rw` again. A delegate access token cannot be used to create a new delegate access token. |
The response will include a new access token:
# Authentication
When using the delegate flow, authentication must use the `Authorization: Bearer <your API token>` header. The access token must have been created with confidential credentials.
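The delegation request described above, as an added example that is not part of the Zaikio documentation: it checks the requested scopes against the rules in the parameter table before building the `POST` request, and does not send it. The function names, the `example.*` scope names, the token and client ID values, and the form-encoded body are assumptions; the page does not state the request encoding.

```python
from urllib.parse import urlencode
from urllib.request import Request

DELEGATE_URL = "https://hub.zaikio.com/oauth/delegate"  # endpoint from the page
DELEGATION_SCOPE = "zaikio.delegations.rw"              # scope from the page


def check_delegation(parent_scopes, requested_scopes):
    """Return the scopes to delegate, or raise ValueError if a rule is violated.

    Hypothetical helper: enforces client-side the rules the page lists.
    """
    parent = set(parent_scopes)
    requested = list(dict.fromkeys(requested_scopes))  # de-duplicate, keep order
    if DELEGATION_SCOPE not in parent:
        raise ValueError("parent token lacks " + DELEGATION_SCOPE)
    if not requested:
        # This helper's own choice: always name the delegated scopes explicitly.
        raise ValueError("no scopes requested")
    if DELEGATION_SCOPE in requested:
        raise ValueError(DELEGATION_SCOPE + " cannot be passed on")
    extra = [s for s in requested if s not in parent]
    if extra:
        raise ValueError("not granted to parent token: " + ", ".join(extra))
    return requested


def build_delegate_request(parent_token, parent_scopes, subsystem_client_id,
                           requested_scopes):
    """Build (but do not send) the POST request for a delegate access token."""
    scopes = check_delegation(parent_scopes, requested_scopes)
    body = urlencode({
        "client_id": subsystem_client_id,
        "delegate_access_scope": ",".join(scopes),  # comma-separated list
    }).encode("ascii")
    # Assumption: form-encoded body; the page does not specify the encoding.
    return Request(
        DELEGATE_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": "Bearer " + parent_token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
```

Pass the returned object to `urllib.request.urlopen` from the confidential backend that holds the parent token.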