Documentation
Quick Start
Run the demo before writing any code. It executes the complete XAA flow against live services in about two minutes and shows you the actual tokens and HTTP requests at each step.
The playground IDP (IdenX) accepts any email address and any 6-digit code. No signup required.
Go to the Demo and click Try the Demo on the home page.
What to do
Enter any email address and click Start. Execute the four steps in order. After each one, open View Details and spend a moment on the Token and Request tabs before moving to the next step.
What each step produces
Step 1: Login
A popup to IdenX opens. Use any email and any 6-digit code. You receive an ID Token, a JWT proving the user's identity to your application. Check the aud claim: it equals your client_id, so this token is addressed to your app and nothing else.
Step 2: Token Exchange
The ID Token is sent to the IDP's token endpoint as the subject token of a token exchange request (RFC 8693). You receive an ID-JAG. Look at the decoded token: aud is now the Authorization Server URL and resource is the API URL. The IDP has re-addressed the credential to the next service in the chain, with no user interaction.
Step 3: JWT Bearer Grant
The ID-JAG is presented to the Authorization Server as the assertion of a JWT bearer grant (RFC 7523). You receive an Access Token. The iss is the Auth Server, aud is the Resource Server, and sub carries a provider prefix (e.g. customer1:alice@example.com). This is the token your resource server validates.
Step 4: API Call
The Access Token is sent as a Bearer token to the Resource Server. The server validates the JWT (signature, iss, aud, exp) and returns the user's data.
What to look at in View Details
Each step's detail panel has four tabs:
- Request: the exact HTTP call that was made
- Response: what came back
- Token: inspect the decoded claims of whatever token was produced
- Code: ready-to-use code snippets (cURL, JavaScript, Python, Go, Java, C#) that replicate the request
The Request and Code tabs show exactly what your own implementation needs to do.
Key claims to watch
As you step through the flow, notice how the token audience shifts at each step:
| Token | aud claim | Meaning |
|---|---|---|
| ID Token (Step 1) | Your client_id | "This user authenticated to your app" |
| ID-JAG (Step 2) | Auth Server URL | "The IDP vouches for this user to the Auth Server" |
| Access Token (Step 3) | Resource Server URL | "The Auth Server grants access to this resource" |
This progressive narrowing is the core of XAA: each token is scoped to the next service in the chain, so a token captured at one hop is rejected everywhere else. The Resource Server must refuse an ID Token or ID-JAG presented as a bearer token, and an ID-JAG addressed to one Authorization Server is useless at any other.
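To make the four steps above and the audience hand-off in the table concrete, here is an added example that is not the XAA project's own code: the whole flow run in-process against a constructed IdP, Authorization Server and Resource Server, so you can inspect each token offline and see the Resource Server reject tokens from earlier hops. HS256 with per-issuer shared secrets stands in for the playground's real signatures; the URLs, client_id, and the customer1 provider prefix are made up. The grant_type and token_type URNs are the standard RFC 8693 / RFC 7523 values, with the id-jag token type taken from the OAuth Identity Assertion Authorization Grant draft.

```python
"""Added example (not the XAA project's code): the XAA flow run in-process.
HS256 with per-issuer shared secrets stands in for real signatures; every URL,
the client_id and the 'customer1' prefix are constructed for this example."""
import base64, hashlib, hmac, json, time, uuid

CLIENT_ID = "demo-app"                 # constructed
IDP = "https://idenx.example"          # constructed: issues ID Token and ID-JAG
AUTH_SERVER = "https://auth.example"   # constructed: issues Access Token
RESOURCE = "https://api.example"       # constructed: what the Access Token is for
SECRETS = {IDP: b"idp-secret", AUTH_SERVER: b"as-secret"}  # who may sign as whom

# Token exchange per RFC 8693, JWT bearer grant per RFC 7523; the id-jag token
# type comes from the OAuth Identity Assertion Authorization Grant draft.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ID_JAG_TYPE = "urn:ietf:params:oauth:token-type:id-jag"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, issuer):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRETS[issuer], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, issuer, audience):
    """Accept the token only if `issuer` signed it, it is addressed to `audience`, and it is unexpired."""
    head, body, mac = token.split(".")
    expected = hmac.new(SECRETS[issuer], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    for name, want in (("iss", issuer), ("aud", audience)):
        if claims.get(name) != want:
            raise ValueError(f"wrong {name} {claims.get(name)!r}")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def decode(token):  # unverified claims, for inspection only (like the demo's Token tab)
    return json.loads(_unb64(token.split(".")[1]))

def idp_login(email):
    """Step 1: the IdP issues an ID Token addressed to the app (aud = client_id), ~10 min lifetime."""
    now = int(time.time())
    return sign({"iss": IDP, "sub": email, "aud": CLIENT_ID, "iat": now, "exp": now + 600}, IDP)

def idp_token_exchange(form):
    """Step 2: the IdP re-addresses the ID Token as an ID-JAG for the named Authorization Server."""
    if (form["grant_type"], form["subject_token_type"], form["requested_token_type"]) != (
            TOKEN_EXCHANGE, ID_TOKEN_TYPE, ID_JAG_TYPE):
        raise ValueError("unsupported_grant_type")
    id_token = verify(form["subject_token"], IDP, CLIENT_ID)  # only tokens issued to this app
    now = int(time.time())
    return sign({"iss": IDP, "sub": id_token["sub"], "aud": form["audience"],
                 "resource": form["resource"], "client_id": CLIENT_ID,
                 "jti": uuid.uuid4().hex, "iat": now, "exp": now + 300}, IDP)

def as_token(form):
    """Step 3: the Authorization Server turns an ID-JAG into an Access Token for the resource."""
    if form["grant_type"] != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    jag = verify(form["assertion"], IDP, AUTH_SERVER)  # the IdP must have vouched to *this* AS
    now = int(time.time())
    return sign({"iss": AUTH_SERVER, "sub": f"customer1:{jag['sub']}", "aud": jag["resource"],
                 "client_id": jag["client_id"], "iat": now, "exp": now + 300}, AUTH_SERVER)

def rs_get_me(authorization):
    """Step 4: the Resource Server validates the bearer token; returns (status, body)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "invalid_request"}
    try:
        claims = verify(token, AUTH_SERVER, RESOURCE)
    except ValueError as err:
        return 401, {"error": "invalid_token", "error_description": str(err)}
    return 200, {"sub": claims["sub"]}

def run_flow(email):
    """Drive the four steps as the requesting app would; return every token produced."""
    id_token = idp_login(email)
    id_jag = idp_token_exchange({
        "grant_type": TOKEN_EXCHANGE, "requested_token_type": ID_JAG_TYPE,
        "subject_token": id_token, "subject_token_type": ID_TOKEN_TYPE,
        "audience": AUTH_SERVER, "resource": RESOURCE})
    access_token = as_token({"grant_type": JWT_BEARER, "assertion": id_jag})
    status, body = rs_get_me(f"Bearer {access_token}")
    return {"id_token": id_token, "id_jag": id_jag, "access_token": access_token,
            "status": status, "body": body}

if __name__ == "__main__":
    result = run_flow("alice@example.com")
    for name in ("id_token", "id_jag", "access_token"):
        print(name, "aud =", decode(result[name])["aud"])
    print(result["status"], result["body"])
    # Tokens from earlier hops are rejected by the API, and an ID-JAG for one AS fails at another.
    print(rs_get_me("Bearer " + result["id_token"]), rs_get_me("Bearer " + result["id_jag"]))
    try:
        verify(result["id_jag"], IDP, "https://other-as.example")
    except ValueError as err:
        print("other AS rejects ID-JAG:", err)
```

Each service verifies the incoming token against its own expected issuer and audience before issuing anything, which is the check that makes the narrowing in the table enforceable: the Resource Server rejects the ID Token and the ID-JAG outright, and the ID-JAG addressed to AUTH_SERVER fails the aud check at any other Authorization Server.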
If something fails
- Popup blocked — allow popups from this origin and retry Step 1
- Token expired — ID tokens last ~10 minutes; click Re-login in Step 1 if you took a break
- 401 on Step 4 — check the Troubleshooting page
You can re-run any individual step without restarting the entire flow.
Next step
When the flow makes sense, go build:
- Building a requesting app? Start with Register Your App to get your credentials, then follow the four steps in the Requesting App section.
- Building a resource server? Jump to Resource Server Overview to configure JWT middleware and test against the playground.