Testing Your Resource App

Verify that your protected API or MCP server correctly accepts XAA-issued tokens, without building a requesting app first.

**[Open the tester →](/developer/test-resource)**

What are you testing?

Testing a REST API

Use this mode to verify that your HTTP endpoints correctly accept XAA access tokens.

Before you start:

  1. JWT middleware: configure your server to validate tokens. See REST API Requirements.
  2. CORS: allow the playground origins, or plan to use Proxy Mode. See REST API Requirements.
  3. Health endpoint: expose /health returning HTTP 200.

Register your resource:

Open Test Your Resource App and click Register custom resource. The wizard has 5 steps:

Step 1: Basic Info. Resource name, server URL, and health endpoint (default /health).

Step 2: Auth Server. Choose Playground or Own. For Own, enter your issuer URL. The token endpoint is auto-discovered via /.well-known/oauth-authorization-server (RFC 8414), falling back to /.well-known/openid-configuration. Also set the Target Client ID, the client_id your auth server expects in the ID-JAG's claims.

Step 3: Scopes & Endpoints. Define the OAuth scopes and API endpoints to test. Optional, but enables per-endpoint selection during the flow.

Step 4: MCP. Skip this step.

Step 5: Test Client. The wizard creates an OAuth client linked to your resource. Save the credentials.

Run the flow:

  • Step 1: login popup to IdenX. Use any email and any 6-digit code.
  • Step 2: Token Exchange: ID Token → ID-JAG. Verify aud and scope in the decoded token panel.
  • Step 3: JWT Bearer Grant: ID-JAG → Access Token. Verify iss, aud, scope match your middleware config.
  • Step 4: API Call. The access token is sent to your REST endpoint. Switch endpoints using the picker without re-authenticating.

Audience claim format

The playground appends a trailing slash to resource URLs (e.g. https://your-resource.example.com/). Your middleware's audience validation must match exactly.

A 200 response means the full XAA chain works. A 401 or 403 means your JWT middleware needs attention. See Troubleshooting.
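The claim checks that decide between those three outcomes, as an added example that is not part of the playground or its documentation: it assumes the token's signature has already been verified against the issuer's JWKS, and the `CONFIG` values and `check_access_token_claims` name are constructed for illustration (the audience is the playground's trailing-slash form of a resource URL).

```python
import time

# Middleware configuration as the wizard would have you set it.
# The trailing slash on the audience matters: the playground registers the
# resource URL with one appended, and validation is an exact string match.
# (constructed example values, not from any real deployment)
CONFIG = {
    "issuer": "https://auth.resource.xaa.dev",
    "audience": "https://your-resource.example.com/",
}


def check_access_token_claims(claims, config, required_scope=None, now=None, leeway=30):
    """Validate the claims of an access token whose signature is already verified.

    Returns (http_status, reason):
      200 - token is acceptable for this endpoint
      401 - the token itself is invalid (issuer, audience or expiry)
      403 - the token is valid but lacks the scope the endpoint requires
    """
    now = time.time() if now is None else now

    # iss must be exactly the auth server chosen in Step 2 of the wizard.
    if claims.get("iss") != config["issuer"]:
        return 401, "invalid_token: issuer mismatch"

    # RFC 7519 allows aud to be a single string or an array of strings;
    # the configured audience must appear verbatim, slash included.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["audience"] not in audiences:
        return 401, "invalid_token: audience mismatch"

    # exp is seconds since the epoch; allow a small clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return 401, "invalid_token: expired"

    # scope is a space-delimited string; a missing scope is a 403, not a 401,
    # so the playground shows the token was accepted but under-privileged.
    if required_scope is not None:
        granted = set(str(claims.get("scope", "")).split())
        if required_scope not in granted:
            return 403, "insufficient_scope"

    return 200, "ok"
```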
Pick your auth server mode

The wizard offers two modes. See Resource Server overview for a detailed comparison.

  • Playground Auth Server (recommended) — Your server validates tokens from https://auth.resource.xaa.dev. Fastest way to get started.
  • Own Auth Server — Your auth server issues the access token. See Own Auth Server requirements.

Re-running steps

After fixing an issue, re-run only the failed step. No need to start over:

  • 401 / 403 on Step 4: Fix your middleware, then click Call API / Send MCP Request again. The access token is still valid.
  • invalid_grant on Step 3: Fix your auth server config, then click Get Access Token again. The ID-JAG remains valid for 5 minutes.
  • invalid_target on Step 2: Re-register the resource, then reconnect.
  • Token expired on Step 1: Click Re-login in Step 1's panel.

Use Reset to clear everything and restart from scratch.


Presented by Okta Developer

Copyright © 2026 Okta. All rights reserved.