
Bring Your Own Resource

Your app is the resource server in the Cross App Access flow. It receives access tokens from requesting apps, validates them against an Authorization Server's JWKS, and serves protected data — either as a REST API or an MCP server. The playground provides the Identity Provider, requesting app, and (optionally) the Authorization Server so you can focus on token validation.


Where your app fits

Steps 1–3 are handled by the playground. Your resource server only participates in Step 4 — validating the access token and returning data.


What you'll set up

Choose how the access token gets issued, then configure your server to validate it:

Step                 | Playground Auth (recommended)                          | Own Auth Server
---------------------|--------------------------------------------------------|---------------------
1. OIDC Login        | Playground IDP                                         | Playground IDP
2. Token Exchange    | Playground IDP                                         | Playground IDP
3. JWT Bearer Grant  | Playground Auth Server (https://auth.resource.xaa.dev) | Your Auth Server
4. API Call          | Your Resource Server                                   | Your Resource Server

Playground Auth (recommended)

Your resource server validates tokens issued by the playground's Authorization Server. This is the fastest way to get started — you only need to configure JWT middleware on your server.

Best for: Testing your resource server's token validation without running your own auth server.

Own Auth Server

The ID-JAG is addressed to your authorization server, which validates it and issues its own access token. Your auth server must support the JWT Bearer grant (RFC 7523) and trust the playground IDP as an issuer.

Best for: Verifying the full production chain, including your auth server's ID-JAG validation and access token issuance.

See Own Auth Server requirements for what your auth server must implement.


What the playground provides

The XAA Playground ships with three pre-configured services so you can focus on building your resource server:

Service                   | URL                           | What it does
--------------------------|-------------------------------|--------------------------------------------------------------
Identity Provider (IdenX) | https://idp.xaa.dev           | Authenticates users and issues ID Tokens / ID-JAGs
Authorization Server      | https://auth.resource.xaa.dev | Validates ID-JAGs and issues access tokens for your resource
Requesting App            | https://app.xaa.dev           | Drives the 4-step XAA flow and calls your resource

You don't need to run or configure these services — they're already running. Just register your resource and start testing.


What your resource server needs

REST API

  1. Accept Authorization: Bearer <token> on protected endpoints
  2. Validate the JWT signature against the Auth Server's JWKS
  3. Verify iss, aud, and exp claims
  4. Enforce scopes per endpoint
  5. Expose a /health endpoint returning HTTP 200
  6. Allow CORS from the playground origins, or use Proxy Mode

See REST API Setup for middleware examples in JavaScript, Python, Go, Java, and C#.
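The validation steps of the checklist (items 2 to 4), as an added example that is not taken from the REST API Setup guide: a Go program using only the standard library that parses the Auth Server's JWKS, verifies the RS256 signature with the key named by the token's kid, and then checks iss, aud, exp and the scope an endpoint requires. The issuer is the playground Auth Server URL from the table above; the audience https://api.example.test, the key id kid-1 and the scope names are made up. Minting the token locally from a generated key stands in for the Auth Server so that the program runs offline; a real resource server fetches the JWKS from the Auth Server's jwks_uri instead and keeps only the verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// keysByKid parses a JWKS document (what the Auth Server serves at its jwks_uri) into RSA public keys indexed by kid.
func keysByKid(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // skip entries this verifier cannot use
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return keys, nil
}

// validateToken verifies the RS256 signature with the JWKS key named by the header's kid, then checks
// iss, aud (string or array form), exp and the endpoint's required scope. alg is pinned to RS256.
func validateToken(raw string, keys map[string]*rsa.PublicKey, issuer, audience, scope string, now time.Time) (map[string]any, error) {
	parts := strings.Split(raw, ".")
	var hdr struct{ Alg, Kid string }
	h, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	key := keys[hdr.Kid]
	if hdr.Alg != "RS256" || key == nil { // never let the token's own header choose the verification algorithm
		return nil, fmt.Errorf("alg %q not allowed or kid %q not in JWKS", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, _ := b64.DecodeString(parts[2]); rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]any
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	aud, _ := claims["aud"].([]any) // RFC 7519: aud is either one string or an array of strings
	if s, ok := claims["aud"].(string); ok {
		aud = []any{s}
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0, i.e. already expired
	scopes, _ := claims["scope"].(string)
	switch {
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("wrong issuer")
	case !slices.Contains(aud, any(audience)):
		return nil, fmt.Errorf("wrong audience")
	case !now.Before(time.Unix(int64(exp), 0)):
		return nil, fmt.Errorf("token expired")
	case !slices.Contains(strings.Fields(scopes), scope):
		return nil, fmt.Errorf("missing scope %q", scope)
	}
	return claims, nil
}

// mintToken signs claims with RS256. Issuing is the Auth Server's job; this exists only so the example runs offline.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// jwksFor publishes the public half of priv as a one-key JWKS document, as a jwks_uri would.
func jwksFor(priv *rsa.PrivateKey, kid string) []byte {
	n, e := b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"n":%q,"e":%q}]}`, kid, n, e))
}

func main() {
	const issuer, resource = "https://auth.resource.xaa.dev", "https://api.example.test" // resource URL is made up
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, _ := keysByKid(jwksFor(priv, "kid-1"))
	claims := map[string]any{"iss": issuer, "aud": resource, "scope": "read", "exp": time.Now().Add(time.Minute).Unix()}
	_, err := validateToken(mintToken(priv, "kid-1", claims), keys, issuer, resource, "read", time.Now())
	fmt.Println("valid:", err == nil) // valid: true
}
```

Two points a middleware built on this should keep: the algorithm is fixed by the server, not read from the token, so an alg of none or HS256 in the header is rejected before any key is used; and the required scope is passed per call, so each endpoint states what it needs. Which claim carries scopes (scope as a space-separated string is assumed here) depends on the Auth Server that issues the token, so check its token format before wiring this in.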

MCP Server

Everything in the REST checklist above, plus:

  1. Implement StreamableHTTP transport (POST /mcp)
  2. Publish RFC 9728 protected resource metadata at /.well-known/oauth-protected-resource
  3. Return a WWW-Authenticate discovery hint on 401 responses

See MCP Server Setup for a full example.
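The three MCP additions wired into a Go net/http server, together with the /health and CORS items from the REST checklist, as an added example that is not the MCP Server Setup guide's code: the RFC 9728 metadata document at /.well-known/oauth-protected-resource, a WWW-Authenticate discovery hint on every 401, and a POST /mcp endpoint that stands in for the StreamableHTTP transport. The validate callback is where the JWT check against the Auth Server's JWKS plugs in; the stub in main rejects every token until it is replaced. The resource URL http://localhost:8080 and the scope list are assumptions; https://app.xaa.dev is the playground's requesting app from the table above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"slices"
	"strings"
)

// resourceServer carries what the protected resource publishes about itself; validate is where the JWT check plugs in.
type resourceServer struct {
	Resource   string   // this server's own URL, used as the RFC 9728 "resource" identifier
	AuthServer string   // the Authorization Server whose access tokens it accepts
	Scopes     []string // scopes it understands, advertised in the metadata
	Origins    []string // browser origins allowed by CORS, e.g. the playground's requesting app
	validate   func(token string) bool
}

// metadata is the RFC 9728 protected resource metadata document.
func (s *resourceServer) metadata() map[string]any {
	return map[string]any{
		"resource":                 s.Resource,
		"authorization_servers":    []string{s.AuthServer},
		"bearer_methods_supported": []string{"header"},
		"scopes_supported":         s.Scopes,
	}
}

// challenge builds the WWW-Authenticate value RFC 9728 section 5.1 defines, pointing the client at the metadata URL.
func (s *resourceServer) challenge() string {
	return fmt.Sprintf(`Bearer resource_metadata=%q`, strings.TrimSuffix(s.Resource, "/")+"/.well-known/oauth-protected-resource")
}

// handler wires the checklist: /health, the metadata document, the protected POST /mcp transport, and CORS around all of it.
func (s *resourceServer) handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux.HandleFunc("/.well-known/oauth-protected-resource", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(s.metadata())
	})
	mux.HandleFunc("/mcp", s.protect(s.mcp))
	return s.cors(mux)
}

// protect answers a missing or invalid bearer token with 401 plus the discovery hint rather than a bare error.
func (s *resourceServer) protect(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		scheme, tok, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if !strings.EqualFold(scheme, "Bearer") || !s.validate(strings.TrimSpace(tok)) {
			w.Header().Set("WWW-Authenticate", s.challenge())
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// mcp stands in for the StreamableHTTP transport, which takes JSON-RPC on POST /mcp; it only echoes the method.
func (s *resourceServer) mcp(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req struct{ ID any; Method string }
	_ = json.NewDecoder(r.Body).Decode(&req) // a real transport returns a JSON-RPC parse error here
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"jsonrpc": "2.0", "id": req.ID, "result": map[string]string{"method": req.Method}})
}

// cors allows only the configured origins (never "*" for a bearer-protected API) and answers preflight.
func (s *resourceServer) cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); slices.Contains(s.Origins, origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			w.Header().Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	s := &resourceServer{Resource: "http://localhost:8080", AuthServer: "https://auth.resource.xaa.dev", Scopes: []string{"read"},
		Origins: []string{"https://app.xaa.dev"}, validate: func(string) bool { return false }} // replace with the JWT check against the Auth Server's JWKS
	panic(http.ListenAndServe(":8080", s.handler()))
}
```

A client that hits /mcp without a token gets a 401 whose WWW-Authenticate header names the metadata URL; from the metadata it learns which Authorization Server to obtain a token from, which is the discovery path the checklist's items 2 and 3 exist for. The metadata and health endpoints stay unauthenticated on purpose, since clients need them before they hold a token.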


Next step

Ready to get started?

  1. Set up your server using the guides above
  2. Open Test Your Resource App and click Register custom resource
  3. Walk through the 5-step registration wizard
  4. Run the 4-step XAA flow against your server

See Testing Guide for a detailed walkthrough of the registration wizard and flow tester.


Presented by Okta Developer

Copyright © 2026 Okta. All rights reserved.