Technology Radar

Cross App Access (XAA)

ai-security, mcp
Assess

Cross App Access (XAA) is an OAuth-based protocol that solves the agent authorization problem — how to let AI agents act on a user's behalf across enterprise applications without storing long-lived tokens, bypassing consent, or losing IT governance. It has now been integrated into MCP as "Enterprise-Managed Authorization."

Why It Matters for Security

AI agents that interact with multiple SaaS tools create a new class of authorization risk:

  • Token sprawl: Agents accumulate long-lived tokens for multiple services — one compromised agent means access to everything
  • Consent fatigue: Per-app OAuth consent prompts train users to click "Allow" reflexively
  • Shadow integrations: Agents connecting to apps without IT visibility or governance

XAA addresses all three by introducing an identity provider-mediated trust model. The agent never sees user credentials, tokens are scoped and short-lived, and IT administrators control which app-to-app trust relationships exist.

How It Works

The protocol uses a two-step token exchange based on a new OAuth grant type called ID-JAG (Identity Assertion JWT Authorization Grant):

  1. The requesting app obtains a signed identity assertion (ID-JAG) from the IdP
  2. The requesting app presents the ID-JAG to the resource app's authorization server, which validates the trust chain and issues a scoped access token

This keeps the identity provider in the loop for every cross-app access, enabling centralized policy enforcement, audit trails, and revocation.
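The two-step exchange described above, as an added example that is not part of the original page or of any XAA implementation: a toy identity provider mints an ID-JAG-style assertion only for app-to-app pairs and scopes that an administrator has approved, and the resource app's authorization server checks signature, issuer, audience and expiry, rejects a replayed assertion, and issues a short-lived, scoped access token. The claim names are the standard JWT ones (iss, sub, aud, exp, iat, jti); the HMAC signing, the 60-second assertion lifetime, the 300-second token lifetime, and all hostnames, app names and scopes are constructed assumptions for this demo, not values taken from the ID-JAG draft.

```python
"""Toy ID-JAG style two-step exchange (constructed demo, not the XAA spec)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign a compact JWT. A real IdP signs with an asymmetric key published
    via JWKS; a shared HMAC key is used here only to keep the demo dependency-free."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Validate the trust chain: pinned alg, signature, issuer, audience, expiry."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("assertion not intended for this authorization server")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims


class IdentityProvider:
    """Step 1: holds the IT-managed app-to-app trust table and mints ID-JAGs."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        self.trust: dict[tuple[str, str], set[str]] = {}   # (requesting, resource) -> scopes

    def allow(self, requesting_app: str, resource_app: str, scopes: set[str]) -> None:
        self.trust[(requesting_app, resource_app)] = set(scopes)

    def issue_id_jag(self, user: str, requesting_app: str, resource_app: str,
                     scope: str, now: int) -> str:
        requested = set(scope.split())
        allowed = self.trust.get((requesting_app, resource_app), set())
        if not requested or not requested <= allowed:
            raise PermissionError(f"{requesting_app} -> {resource_app}: scope {scope!r} not approved")
        return sign_jwt({"iss": self.issuer, "sub": user, "aud": resource_app,
                         "client_id": requesting_app, "scope": scope,
                         "iat": now, "exp": now + 60,            # assumed 60 s assertion lifetime
                         "jti": secrets.token_hex(8)}, self.key)


class ResourceAuthServer:
    """Step 2: validates the ID-JAG and issues a scoped, short-lived access token."""

    def __init__(self, resource_app: str, idp_issuer: str, idp_key: bytes, token_ttl: int = 300):
        self.resource_app, self.idp_issuer, self.idp_key = resource_app, idp_issuer, idp_key
        self.token_ttl = token_ttl
        self.seen_jti: set[str] = set()   # one-time use: a captured assertion cannot be replayed

    def exchange(self, id_jag: str, now: int) -> dict:
        claims = verify_jwt(id_jag, self.idp_key, self.idp_issuer, self.resource_app, now)
        if claims["jti"] in self.seen_jti:
            raise ValueError("ID-JAG replayed")
        self.seen_jti.add(claims["jti"])
        return {"access_token": secrets.token_urlsafe(24), "sub": claims["sub"],
                "client_id": claims["client_id"], "scope": claims["scope"],
                "exp": now + self.token_ttl}


def demo() -> dict:
    """Run the happy path plus the failure modes the flow is designed to stop."""
    now, key = int(time.time()), secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example.test", key)
    docs = "https://docs.example.test"
    idp.allow("chat-agent", docs, {"docs.read"})          # admin-approved trust relationship
    docs_as = ResourceAuthServer(docs, idp.issuer, key)
    out = {}
    jag = idp.issue_id_jag("alice", "chat-agent", docs, "docs.read", now)
    tok = docs_as.exchange(jag, now)
    out["granted_scope"], out["token_ttl"] = tok["scope"], tok["exp"] - now

    def attempt(label, fn):
        try:
            fn(); out[label] = "accepted"
        except (ValueError, PermissionError):
            out[label] = "rejected"

    attempt("replay", lambda: docs_as.exchange(jag, now))
    attempt("unapproved_scope", lambda: idp.issue_id_jag("alice", "chat-agent", docs, "docs.write", now))
    idp.allow("chat-agent", "https://crm.example.test", {"crm.read"})
    crm_jag = idp.issue_id_jag("alice", "chat-agent", "https://crm.example.test", "crm.read", now)
    attempt("wrong_audience", lambda: docs_as.exchange(crm_jag, now))
    fresh = idp.issue_id_jag("alice", "chat-agent", docs, "docs.read", now)
    attempt("expired", lambda: docs_as.exchange(fresh, now + 61))
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is what prevents an assertion minted for one resource app from being cashed in at another, and the trust table is the single place an administrator grants or revokes an app-to-app relationship; because every assertion is minted by the IdP, each cross-app access also leaves an audit record there.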

MCP Security Integration

XAA is now the "Enterprise-Managed Authorization" extension in the MCP specification. This is significant because MCP security has been a known weak spot — the protocol initially launched without robust auth. XAA fills that gap for enterprise deployments where agents call MCP servers that access protected resources.

xaa.dev Playground

xaa.dev provides a free, no-signup sandbox for testing the full XAA flow. Developers can walk through authentication, ID-JAG issuance, and token exchange without deploying infrastructure. The playground is IdP-agnostic and currently in beta.

Why Assess

In favor of Assess:

  • Multi-vendor support (Okta, Auth0, WorkOS, Descope, Scalekit)
  • Incorporated into MCP spec as enterprise auth extension
  • IETF standardization in progress for ID-JAG
  • Addresses a real and growing attack surface (agent token management)

Not yet Trial because:

  • IETF draft is not yet an RFC
  • Limited public production deployment evidence
  • Playground is still in beta
  • Competing approaches (OAuth 2.1 + DPoP, GNAP) remain viable for some use cases

Further Reading