You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: _source/_posts/2026-02-17-xaa-resource-app.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,9 +13,9 @@ type: awareness
13
13
14
14
From an enterprise resource app owner's perspective, Cross App Access (XAA) is a game-changer because it allows their resources to be "AI-ready" without compromising on security. In the XAA model, resource apps rely on the enterprise's Identity Provider (IdP) to manage access. Instead of building out interactive OAuth flows, they defer to the IdP to check enterprise policies and user groups, assign AI agent permissions, and log and audit AI agent requests as they occur. In return, the app's OAuth server needs only to perform a few checks:
15
15
16
-
* When the app's OAuth server receives a POST request to its token endpoint from an AI Agent, the app fetches the IdP's public keys (via the JWKS endpoint) to ensure the ID-JAG token attached to the request was actually minted by the trusted company IdP.
17
-
* It confirms the token was intended for this app specifically. If the *`aud`* claim doesn't match the app's own identifier, it rejects the request.
18
-
* Finally, it checks the end user ID in the token's `sub` claim to know *whose* data to look up in your database. It must map to the same IdP identity. It will reject the request if the user isn't recognized.
16
+
* When the app's OAuth server receives a POST request to its token endpoint from an AI agent, the app fetches the IdP's public keys (via the JWKS endpoint) to ensure the ID-JAG token attached to the request was actually minted by the trusted company IdP.
17
+
* It confirms the token was intended for this app specifically. If the `aud` claim doesn't match the app's own identifier, it rejects the request.
18
+
* Finally, it checks the end user ID in the token's `sub` claim to know whose data to look up in your database. It must map to the same IdP identity. It will reject the request if the user isn't recognized.
19
19
20
20
You can read in depth about XAA to better understand how this works and examine the token exchange flow.
21
21
@@ -45,7 +45,7 @@ To register your resource app with Okta, and set up secure agent-to-app connecti
45
45
* Find **Cross App Access** and select **Turn on** (enable the toggle)
46
46
* Refresh the Admin Console
47
47
48
-
> Note: Cross App Access is currently a self-service Early Access (EA) feature. You must enable it through the Admin Console before the apps appear in the catalog. If you don't see the option right away, refresh and confirm you have the necessary admin permissions. Learn more in the [Okta documentation on managing EA and beta features](https://help.okta.com/oie/en-us/content/topics/security/manage-ea-and-beta-features.htm).
48
+
> Note: Cross App Access is currently a self-service Early Access (EA) feature. You must enable it through the Admin Console before the apps appear in the catalog. If you don't see the option right away, refresh and confirm you have the necessary admin permissions. Learn more in the [Okta documentation on managing EA and beta features](https://help.okta.com/oie/en-us/content/topics/security/manage-ea-and-beta-features.htm).
0 commit comments