# Delegating Access to Subsystems
If your app has multiple subsystems, it may make sense to allow only a minimal list of scopes needed in the subsystem.
All you need is an already generated access token containing all scopes to be delegated and the
Create an access token with the
zaikio.delegations.rw scope and other required scopes (e.g. with the Redirect Flow).
It is important to be aware that this only works for
OAuth confidential apps.
# Request access token for subsystem
POST request to
https://hub.zaikio.com/oauth/delegate with the generated access token provided in the
Authorization header. The following parameters must accompany the request:
| ||The client ID of your subsystem App as generated by the Zaikio Hub.|
| ||A comma-seperated list of the scopes you want authorisation for. You can only request scopes that were granted for the parent access token.|
It is not possible to pass
The response will include a new access token:
When using the delegate flow authentication needs to happen by using the
Authorization: Bearer <your API token> header authentication method. It is required that this access token was created with confidential credentials.