The Sandbox for testing Cross App Access (XAA)
Test secure agent-to-app and app-to-app authorizations
Cross App Access (XAA) implements the OAuth Identity Assertion Authorization Grant (ID-JAG).
Run a live XAA flow in seconds
No accounts, no config, no waiting. Watch a real IDP issue an ID-JAG, exchange it for an access token, and call a protected API. All pre-configured and running live in your browser.
Ready to bring your own actors?
If you've built your own app or agent, register them here and test your implementations.
Register, test, and manage your requesting app
Register your app with our Identity Provider to receive a client ID and secret. Use those credentials in your own local environment to run and test the XAA flow.
Register, test, and manage your resource app
Point us to your API and verify it correctly accepts XAA-issued tokens. We provide the IDP and requesting app.
Why Cross App Access (XAA)?
The Problem
Repeated consent prompts across apps frustrate users, pushing them to share credentials or adopt unsanctioned tools and creating Shadow IT.
The Mechanism
XAA uses OAuth ID-JAG, a signed delegation token the Identity Provider issues once so apps can securely act on a user's behalf without re-prompting.
The Outcome
Apps connect seamlessly under enterprise control with no repeated sign-ins, no manual approvals, and no reason for users to resort to Shadow IT.
How Cross App Access Works
The 4-step XAA flow
Step 1: User Authentication (Auth Code + PKCE)
The User logs into the Requesting App via the Identity Provider using Auth Code + PKCE. The Requesting App receives a signed ID Token.

Step 2: Token Exchange (RFC 8693)
The Identity Provider issues an ID-JAG, a signed delegation token that replaces the user consent screen entirely. No pop-up, no approval prompt.

Step 3: Access Token Request (RFC 7523)
The Resource App's Authorization Server validates the ID-JAG and issues a scoped access token without user interaction.

Step 4: Access Resource (RFC 6750)
The Requesting App calls the Resource App with the access token as a standard Bearer credential.
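As an added example (not the sandbox's own code), the Python below sketches steps 2 and 3 of the flow: the Identity Provider mints an ID-JAG, and the Resource App's Authorization Server validates it before issuing a scoped access token. The claim names and the `oauth-id-jag+jwt` token type follow the ID-JAG draft; the issuer and audience URLs and the shared HMAC key are constructed placeholders (a real Resource AS verifies against the IdP's published public key).

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed placeholders: a shared HMAC key stands in for the IdP's signing
# key (a real Resource AS verifies against the IdP's published public key).
IDP_KEY = b"constructed-demo-key"
IDP_ISSUER = "https://idp.example"            # hypothetical Identity Provider
RESOURCE_AS = "https://resource-as.example"   # hypothetical Resource App AS
SEEN_JTI = set()                              # replay cache kept by the AS

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_jag(sub, client_id, scope, ttl=300, now=None):
    """Step 2: the IdP mints an ID-JAG for client_id, addressed to the Resource AS."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "oauth-id-jag+jwt"}   # typ per the ID-JAG draft
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": RESOURCE_AS, "client_id": client_id,
              "scope": scope, "jti": secrets.token_urlsafe(8), "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_id_jag(jag, authenticated_client_id, now=None):
    """Step 3: the Resource AS checks the assertion; returns scope or raises ValueError."""
    now = int(time.time()) if now is None else now
    h_b64, c_b64, s_b64 = jag.split(".")
    expected = hmac.new(IDP_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        raise ValueError("bad signature")      # verify before trusting any claim
    header, claims = json.loads(_unb64(h_b64)), json.loads(_unb64(c_b64))
    if header.get("typ") != "oauth-id-jag+jwt":
        raise ValueError("wrong typ")          # an ID Token or access token is not a grant
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != RESOURCE_AS:
        raise ValueError("audience mismatch")  # minted for a different Resource AS
    if claims.get("client_id") != authenticated_client_id:
        raise ValueError("client_id mismatch") # presented by a different requesting app
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("jti") in SEEN_JTI:
        raise ValueError("replayed jti")       # the delegation is single-use
    SEEN_JTI.add(claims["jti"])
    return claims.get("scope", "")
```

The `client_id` comparison assumes the requesting app has already authenticated to the token endpoint, so the assertion is bound to the caller presenting it.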