Documentation
Requesting App Overview
Your app is the requesting party in the Cross App Access flow. It authenticates users through an Identity Provider, obtains a delegation credential (the ID-JAG), exchanges that credential for an access token, and calls a protected resource — either a REST API or an MCP server. The entire flow happens without an interactive consent prompt because the IDP asserts the user's identity on your app's behalf.
Where your app fits
Your app drives every step. The IDP, Auth Server, and Resource Server respond to your requests — you never need to modify or deploy those services.
What you'll set up
- Register Your App — Create an OAuth client at the IDP and get credentials (`client_id`/`client_secret`).
- Step 1: OIDC Login — Authenticate the user via Authorization Code + PKCE to obtain a signed ID Token.
- Step 2: Token Exchange — Exchange the ID Token for an ID-JAG (RFC 8693) through the IDP's token endpoint.
- Step 3: JWT Bearer Grant — Present the ID-JAG to the Authorization Server (RFC 7523) to receive a scoped access token.
- Step 4: Call the Resource — Use the access token to call a REST API (`Authorization: Bearer`) or invoke MCP server tools.
What the playground provides
The XAA Playground ships with three pre-configured services so you can focus on building your requesting app:
| Service | URL | What it does |
|---|---|---|
| Identity Provider (IdenX) | https://idp.xaa.dev | Authenticates users and issues ID Tokens / ID-JAGs |
| Authorization Server | https://auth.resource.xaa.dev | Validates ID-JAGs and issues access tokens |
| Resource Server | https://api.resource.xaa.dev | A Todo API (REST + MCP) that accepts access tokens |
You don't need to run or configure these services — they're already running. Just register your app and start coding.
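The sketch below is an added example, not code from the playground: it builds the form bodies for Step 2 and Step 3 and checks the Step 2 response before the ID-JAG is forwarded. The URNs come from RFC 8693, RFC 7523 and the ID-JAG draft; the exact parameter set the playground expects, and client authentication by `client_secret` in the form body, are assumptions, and the function names are hypothetical.

```python
from urllib.parse import urlencode

# URNs from RFC 8693, RFC 7523 and the ID-JAG draft. That the playground
# expects exactly these parameters is an assumption of this example.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
GRANT_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
TYPE_ID_JAG = "urn:ietf:params:oauth:token-type:id-jag"

AUTH_SERVER = "https://auth.resource.xaa.dev"  # from the playground table


def token_exchange_body(id_token, client_id, client_secret, scope):
    """Step 2: form body to POST to the IDP's token endpoint."""
    return urlencode({
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "requested_token_type": TYPE_ID_JAG,
        "subject_token": id_token,
        "subject_token_type": TYPE_ID_TOKEN,
        "audience": AUTH_SERVER,  # binds the ID-JAG to this Authorization Server
        "scope": scope,
        "client_id": client_id,          # assumed: credentials sent in the body
        "client_secret": client_secret,
    })


def extract_id_jag(response):
    """Accept the Step 2 JSON response only if it really carries an ID-JAG."""
    if response.get("issued_token_type") != TYPE_ID_JAG:
        raise ValueError("IDP did not issue an ID-JAG")
    token = response.get("access_token")  # RFC 8693 returns the token here
    if not token or token.count(".") != 2:
        raise ValueError("ID-JAG is not a compact JWT")
    return token


def jwt_bearer_body(id_jag, client_id, client_secret):
    """Step 3: form body to POST to the Authorization Server's token endpoint."""
    return urlencode({
        "grant_type": GRANT_JWT_BEARER,
        "assertion": id_jag,
        "client_id": client_id,
        "client_secret": client_secret,
    })
```

Both bodies are sent as `application/x-www-form-urlencoded`; take the token endpoint URLs from your app registration rather than hard-coding a path.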
Next step
Ready to get started? Register Your App to create your OAuth client and connect it to a resource.