Secure MCP with Cross-App Access (XAA)
Use your customer's enterprise IdP to broker short-lived, scoped access to your MCP server, with no long-lived keys and no code changes required.
Cross-App Access (XAA) lets your customer’s enterprise identity provider (IdP), such as Okta, act as the trust broker for your MCP server. Instead of storing long-lived API keys or requiring individual OAuth consent flows, an AI agent presents a signed identity assertion from the enterprise IdP. Scalekit exchanges that assertion for a short-lived, scoped access token, which the agent uses to call your MCP server.
The enterprise admin authorizes the connector once. All users in the relevant IdP groups inherit access automatically, and every token request is logged through the IdP’s existing audit trail.
How Cross-App Access works
Section titled “How Cross-App Access works”- The AI agent requests an identity assertion (ID-JAG) from the enterprise IdP. The IdP can be any provider that supports XAA - Okta, Microsoft Entra, or others.
- The IdP returns a signed ID-JAG JWT containing standard claims: issuer (
iss), subject (sub), audience (aud), and expiry (exp). - The agent exchanges the ID-JAG at Scalekit’s
/oauth/tokenendpoint using the JWT Bearer grant (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer). - Scalekit validates the JWT’s signature, issuer trust, and audience, then enforces the configured scopes and returns a short-lived access token.
- The agent calls your MCP server with the Bearer token. Your server validates it exactly as it does today, with no code changes required.
Enable Cross-App Access
Section titled “Enable Cross-App Access”- Open the Scalekit Dashboard.
- Navigate to Auth for SaaS > MCP Servers.
- Select your MCP server.
- Toggle on Enable Cross-App Access (XAA).
Supported MCP clients
Section titled “Supported MCP clients”XAA works with all three registration types that Scalekit supports:
- DCR clients (Dynamic Client Registration) - Public clients such as Claude Desktop, Cursor, and VS Code that auto-register are fully supported. No additional configuration is needed.
- CIMD clients (Client ID Metadata Document) - Clients that use a metadata URL as their identifier are also supported with XAA automatically.
- Pre-registered confidential clients - If your MCP client requires a fixed
client_idandclient_secret, pre-register the client in the Scalekit dashboard and provide your customer with the client id and secret for them to configure in their MCP clients.
When to use XAA
Section titled “When to use XAA”- No secret sprawl - agents never store persistent API keys; tokens are short-lived and scoped to specific operations.
- Central IdP governance - the enterprise IdP is the single control plane for all agent access, with a unified audit trail.
- One-time admin setup - an admin authorizes the connector once; all users in the mapped groups inherit access without individual consent flows.