Delegated access is a permission model where an application acts on behalf of a user after the user grants consent. In OAuth-based systems, the app receives scoped tokens or grants that let it read mail, access files, or call APIs without ever learning the user’s password. The access is limited by what the user approved, and it can usually be revoked by the user or an administrator.
This matters to defenders because delegated access is a common target for abuse. In phishing attacks, criminals may trick users into approving a malicious app or a broad consent prompt, creating legitimate-looking access that requires no stolen password. Defenders should monitor new app consents, review token scopes, restrict high-risk permissions, and alert on unusual API activity. Good identity controls turn delegated access into a useful enterprise feature instead of an invisible backdoor.
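As an added example (not code from the original page), the consent review described above as a small triage routine: it parses constructed consent-grant log lines and flags grants to apps outside an approved inventory, high-risk scopes, and broad access approved by an end user rather than an administrator. The log format, scope names, app ids and the HIGH_RISK_SCOPES list are assumptions for illustration.

```python
# Added example (not from the page): triage OAuth consent-grant events so a
# defender sees unknown apps and high-risk scopes first. The log format,
# scope names and app ids are constructed for illustration only.

# Assumed high-risk scopes: broad mailbox/file access and refresh tokens.
# Adjust to the scope names your identity provider actually uses.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.readwrite.all", "directory.readwrite.all", "offline_access",
}

def parse_consent_line(line: str) -> dict:
    """Parse a constructed line: user=<u> app=<id> scopes=<a,b> admin=<true|false>."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "user": fields["user"],
        "app": fields["app"],
        "scopes": {s.lower() for s in fields["scopes"].split(",") if s},
        # True only when an administrator approved the grant tenant-wide
        "admin_consent": fields.get("admin", "false").lower() == "true",
    }

def review_consents(lines: list[str], known_apps: set[str]) -> dict[str, list[str]]:
    """Map 'user->app' to the reasons that grant deserves review; clean grants are omitted."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_consent_line(line)
        reasons = []
        if ev["app"] not in known_apps:
            reasons.append("app not in approved inventory")
        risky = sorted(ev["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ",".join(risky))
            if not ev["admin_consent"]:
                reasons.append("broad access granted by end-user consent")
        if reasons:
            findings[f'{ev["user"]}->{ev["app"]}'] = reasons
    return findings

# Constructed sample events: one routine sign-in scope, one suspicious consent.
SAMPLE_LOG = [
    "user=alice app=app-known-001 scopes=User.Read admin=false",
    "user=bob app=app-unknown-999 scopes=Mail.Read,offline_access,User.Read admin=false",
]
KNOWN_APPS = {"app-known-001"}

if __name__ == "__main__":
    for key, reasons in review_consents(SAMPLE_LOG, KNOWN_APPS).items():
        print(key + ": " + "; ".join(reasons))
```

In practice the same logic runs over your identity provider's consent audit events; the inventory of approved apps is what separates expected grants from the ones that need a human look.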