Delegate OAuth access tokens to subsystems

Some app architectures are split across multiple subsystems, with each one running on its own servers.

In these cases, it's best to avoid sharing a single access token between all the subsystems, and make sure each subsystem has access to only the minimal scopes it needs to function properly. You can do this by creating delegate access tokens that are based on a parent access token. This approach can improve your app's security and make it easier to rotate your access tokens.