# Delegating Access to Subsystems

If your app has multiple subsystems, it can make sense to give each subsystem only the minimal set of scopes it needs.

All you need is an already generated access token containing all scopes to be delegated and the directory.delegations.rw scope.

Create an access token with the directory.delegations.rw scope and other required scopes (e.g. with the Redirect Flow).

It is important to be aware that this only works for OAuth confidential apps.

# Request access token for subsystem

Send a POST request to https://hub.zaikio.com/oauth/delegate with the generated access token provided in the Authorization header. The following parameters must accompany the request:

| Name | Description |
| --- | --- |
| client_id (required) | The client ID of your subsystem App as generated by the Zaikio Hub. |
| delegate_access_scope | A comma-separated list of the scopes you want authorisation for. You can only request scopes that were granted for the parent access token. |

It is not possible to pass directory.delegations.rw again. A delegate access token cannot be used to create a new delegate access token.

The response will include a new access token:

# Authentication

When using the delegate flow, authenticate with the `Authorization: Bearer <your API token>` header. This access token must have been created with confidential credentials.
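
A client-side pre-check for the delegation rules described on this page, as an added example that is not part of the Zaikio documentation or any Zaikio SDK: it refuses scopes the parent token does not hold and a repeated directory.delegations.rw, then builds the POST request without sending it. The function names, the example.* scope names, the rejection of an empty scope list and the form-encoded body are assumptions.

```python
from urllib.parse import urlencode
from urllib.request import Request

DELEGATE_URL = "https://hub.zaikio.com/oauth/delegate"
DELEGATION_SCOPE = "directory.delegations.rw"


class DelegationError(ValueError):
    """The request would break one of the delegation rules on this page."""


def check_delegation(parent_scopes, requested_scopes):
    """Return the requested scopes (trimmed, de-duplicated) or raise."""
    parent = set(parent_scopes)
    if DELEGATION_SCOPE not in parent:
        raise DelegationError(f"parent token lacks {DELEGATION_SCOPE}")
    requested = list(dict.fromkeys(s.strip() for s in requested_scopes if s.strip()))
    if not requested:
        # Assumption: an empty scope list is treated as a caller mistake.
        raise DelegationError("no scopes requested")
    if DELEGATION_SCOPE in requested:
        raise DelegationError(f"{DELEGATION_SCOPE} cannot be passed again")
    extra = [s for s in requested if s not in parent]
    if extra:
        raise DelegationError("not granted to parent token: " + ", ".join(extra))
    return requested


def build_delegate_request(parent_token, parent_scopes, client_id, requested_scopes):
    """Build (but do not send) the POST request for a delegate access token."""
    scopes = check_delegation(parent_scopes, requested_scopes)
    # Assumption: parameters are form-encoded; the page does not name the encoding.
    body = urlencode({"client_id": client_id, "delegate_access_scope": ",".join(scopes)})
    return Request(
        DELEGATE_URL,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Authorization": f"Bearer {parent_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


if __name__ == "__main__":
    # Constructed sample values, not real Zaikio scopes or credentials.
    parent = ["directory.delegations.rw", "example.orders.r", "example.jobs.rw"]
    req = build_delegate_request("PARENT_TOKEN", parent, "subsystem-client-id", ["example.orders.r"])
    print(req.get_method(), req.full_url, req.data.decode())
```

Running the check before the request keeps an over-broad scope list from ever leaving the parent service, and the Hub's own validation remains the authoritative one.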