Cross App Access (XAA) for Resource Applications is currently in Beta. To learn more about Auth0’s product release cycle, read Product Release Stages. To participate in this program, contact Auth0 Support or your Technical Account Manager.
This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read Create and configure your Okta tenant.
Key benefits
XAA delivers key benefits for every role in your enterprise ecosystem:- For Enterprise IT administrators: Centralized control, visibility, and policy enforcement over application access to enterprise and user data.
- For SaaS providers and developers: Standardized and secure integration for enterprise AI to foster ecosystem growth.
- For end-users: Streamlined and frictionless connections between applications, eliminating complex OAuth consent flows.
Use cases
Common use cases for XAA include:- Connect AI agents to enterprise applications: An employee uses an AI agent to read from their calendar app and post an update about their availability in the enterprise messaging app. Instead of requiring the employee to go through redirection flows and consent prompts, the AI agent uses XAA to obtain an access token from the enterprise IdP to securely call the APIs of both the calendar and messaging app, if approved by the enterprise access policy.
- Connect SaaS applications: In our previous example, the enterprise calendar and messaging app both support XAA. Employees can seamlessly connect the messaging app to access the calendar app’s API without user redirection or consent while following enterprise access policies.
How it works
The XAA flow involves the following actors:- Requesting App: The application or AI agent that needs to access a resource.
- Resource App: The application that owns the protected resource and exposes it via an API
- Enterprise IdP: The IdP, such as Okta, that authenticates employees.

Prerequisites
With our Acme example in mind, the XAA flow has the following prerequisites:- The Resource App (Todo0) Authorization Server is federated with the enterprise IdP through OIDC so that it can generate access tokens for end-users authenticated by that IdP.
- The Requesting App (Agent0) is registered with the Resource App Authorization Server as an OAuth 2.0 client with a valid client_id and credentials to request access tokens from the Resource App Authorization Server.
- The Acme IT admin has defined XAA access controls between Agent0 and Todo0.
End-to-end XAA flow
With our Acme example in mind, the end-to-end XAA flow has the following steps:- The Acme employee logs into the Requesting App (Agent0) using SSO with the enterprise IdP. The Requesting App obtains an ID token to verify the Acme employee’s identity.
- The Requesting App makes a token exchange request to the IdP to exchange the ID token for a cross-domain Identity Assertion JWT Authorization Grant, also known as ID-JAG. The IdP validates the request and checks the XAA policy defined by the Acme IT Admin.
- If the XAA policy allows for it, the IdP returns the ID-JAG to the Requesting App.
- The Requesting App makes a token request using the ID-JAG to the Resource App (Todo0) Authorization Server.
- The Resource App Authorization Server validates the ID-JAG using the public key it also uses for its OpenID Connect flow with the IdP. If valid, the authorization server returns an access token.
- The Requesting App makes a request with the access token to the Resource App’s API.
Set up the end-to-end test environment for the Resource App
This section explains how to set up the end-to-end test environment for the Resource App. By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read Create and configure your Okta tenant.
- Configure and register your Resource App: This includes configuring your Auth0 tenant and registering your SaaS application as a Resource App with Okta. To learn more, read Resource App setup.
- Configure the Requesting App to test the end-to-end: This includes registering a test Requesting App in your Auth0 tenant and updating Okta to link it with your Resource App. To learn more, read Requesting App setup.
- Configure how your Auth0 tenant federates with your customer’s enterprise IdP: In our test environment, the enterprise IdP will be your Okta test tenant, representing one of your enterprise customers. To learn more, read Federate with the enterprise IdP and Organization configuration.
- Manage Cross App Access in Okta: Configure agent-to-app and app-to-app connections in the Okta Admin Console. To learn more, read Manage Cross App Access in Okta.

Create and configure your Okta tenant
To set up your end-to-end test environment for the Resource App, you need to create and configure your Okta tenant for Cross App Access.- On the Okta Developer website, sign up for an Okta Integrator Free Plan. Once you sign up, you should be redirected to your new Okta tenant.
- In the Okta Admin Console, navigate to Settings > Features. Under Early access features, enable Cross App Access.

Resource App setup
To set up your Resource App, you need to:Create the API in Auth0
If you have already created a custom API in your Auth0 tenant, you can skip this section.

Create the Resource App in Auth0
If your Auth0 tenant already has one or several applications ready to log into your SaaS application, you can skip this section.
Register the Resource App in Okta
You must register your SaaS application in the Okta Integration Network (OIN) for it to be considered a valid Resource App. To register your SaaS application as a Resource App in Okta, you have two options:- For a quick test setup, we recommend using the Todo0 application that is already registered in the OIN. In the Okta Admin Console, go to Applications > Applications > Browse App Catalog and search for
Todo0. Select it and add the integration.

- You can also request the registration of a new application in the OIN from your Okta tenant. To learn more, read the Submission process for SSO and SCIM integrations. To accelerate the registration process, contact your Auth0 or Okta representative.
In a production environment, your enterprise customers will install your SaaS application from the OIN catalog during their IdP setup.
Requesting App setup
In a production environment, you configure each Requesting App once to enable its connection with your Resource App.
Create the Requesting App in Auth0
To test the end-to-end environment, create and register an application that behaves as the Requesting App. The application should be a confidential client that can store client secrets, such as a web application. To create an application representing the Requesting App in your Auth0 tenant:- Navigate to Applications > Applications and select Create Application.
- Enter a name and select Regular Web Application.

- Once you’ve created the application, scroll to Settings and enable the Cross App Access toggle.

client_id and the issuer URL of your Auth0 tenant. This enables the connection between the Requesting App, identified by the client_id, and the Resource App, identified by the issuer URL. To learn more, read Test the end-to-end XAA flow.
Register the Requesting App in Okta
In a production environment, the Requesting App developer registers the Requesting App in the Okta Integration Network (OIN). Enterprise customers will install the Requesting App from the OIN catalog during their IdP setup.
- For a quick test setup, we recommend using the Agent0 application that is already registered in the OIN. In the Okta Admin Console, go to Applications > Applications > Browse App Catalog and search for
Agent0. Select it and add the integration.

- You can also request the registration of a new application in the OIN. To learn more, read the Submission process for SSO and SCIM integrations. To accelerate the registration process, contact your Auth0 or Okta representative.
- Go to Applications > Applications and select the application (e.g. Agent0).
- Under Sign On, select Edit and add the Requesting App’s callback URL in the Redirect URI field. Adjust the Redirect URI’s value depending on the testing application you want to use. To learn more, read Test the end-to-end XAA flow.
- Select Save.

- Navigate to Applications and select the application (e.g. Agent0).
- Select Assign > Assign to People and select your test user.
- Select Save.
Federate with the enterprise IdP and Organization configuration
In a production environment, you configure each of your enterprise customers once to federate it with your Auth0 tenant. Auth0 will add support for Self-Service SSO in later versions, enabling you to delegate XAA configuration to your enterprise customers as part of SSO setup.
Configure an Okta Workforce Enterprise connection
Use your Resource App’sclient_id and client_secret to create an Okta Workforce Enterprise connection in your Auth0 tenant.
When creating the Okta Workforce Enterprise connection, activate the Cross App Access - Resource Application role. This enables your Resource App to accept ID-JAGs issued by the enterprise IdP associated with that connection, in this case, your Okta tenant.

- Navigate to Applications > Applications and select the application (e.g. Todo0).
- Under Sign On settings, select Edit and add the callback URL in the Redirect URI field.
- Select Save.

- Navigate to Applications and select the application (e.g. Agent0).
- Select Assign > Assign to People and select your test user.
- Select Save.
- Navigate to Authentication > Enterprise > Okta Workforce:
- Enter the Okta Workforce Enterprise connection you created and select the Applications tab. Then, enable the Requesting App you created for the connection.
- Go back to the list of Okta Workforce connections. Select the three dots on the right for your connection and select Try. You will be redirected to authenticate in your Okta tenant to complete the login with your test user.

Configure an Organization
Optionally, if you want an enterprise customer to use Organizations, create an Organization and enable the Okta Workforce Enterprise connection for that Organization. This automatically associates access tokens generated using XAA, in the scope of this connection, to the correspondingorg_id if the target user is a member of the Organization.


Manage Cross App Access in Okta
Once you’ve finished setting up your end-to-end test environment, you can manage how valid XAA applications can connect to each other in the Okta Admin Console.
- Navigate to Applications > Applications and select your Resource App (e.g. Todo0).
- Under the Manage Connections tab, add:
- Requesting Apps: applications that can connect to your SaaS application
- Resource Apps: applications your SaaS application can connect to
Test the end-to-end XAA flow
To test the end-to-end XAA flow, you need to verify that your Auth0 tenant can accept the JWT-Bearer requests sent by the Requesting App. Auth0 handles that for you out of the box. Before you can test the end-to-end XAA flow, make sure you:- Update the Redirect URI field to the callback URL of your testing application that acts as your Requesting App in your Okta tenant, as explained in Register the Requesting App in Okta.
- Provide your Okta representative with the following information:
- The issuer URL of your Auth0 tenant. Your Resource App is associated with the issuer URL in the Okta Integration Network (OIN), enabling Requesting Apps to refer to it when requesting ID-JAGs.
- The Auth0
client_idthat maps to each Requesting App in the OIN.
| Field | Instructions | Example |
|---|---|---|
| Issuer URL | Copy your Auth0 domain, prefix it with https://, and add a trailing slash. | https://tenant.region.auth0.com/ or if your customers are using a custom domain, https://custom-domain.com/. |
client_id | Copy the application’s client ID. | ovBLQycaVq6I0Xyuhq84pwDVyJeXWLyx |
Exchange the ID token for an ID-JAG
First, you need to log in to your Requesting App with your Okta test tenant. When you successfully log in and grant consent, Okta redirects the browser back to your Requesting App with an authorization code. Your Requesting App then securely exchanges the authorization code for an Okta access token and ID token. To exchange the Okta ID token for an ID-JAG, the Requesting App makes a token exchange request to the/token endpoint of your Okta test tenant with the following parameters:
| Parameter | Description |
|---|---|
grant_type | The grant type. Set to the token exchange grant type: urn:ietf:params:oauth:grant-type:token-exchange. |
requested_token_type | The type of token the client wants to receive back from the authorization server. Set to the Identity Assertion Authorization Grant, or ID-JAG: urn:ietf:params:oauth:token-type:id-jag. |
audience | The intended recipient of the final token. Set to your Auth0 tenant issuer URL, or your Resource App whose authorization server is located at that specific URL. |
resource | Optional. The Resource App’s API that the client wants to access. When the authorization server issues the final access token, it includes this resource in the token’s aud claim, which the Resource App’s API will use for validation. If you don’t specify a resource parameter, the default audience you set for your tenant is used in the next request to get an access token. If you specify a resource that does not match a valid API audience in your Auth0 tenant, the token exchange request does not fail and you still receive an ID-JAG in return. However, the subsequent request to get an access token with the ID-JAG will be rejected by your Auth0 tenant. |
subject_token | The token the client is exchanging. For XAA, the subject token is the “proof” or “assertion” of the user’s identity. Set to the Okta ID token that the IdP will use to verify the user’s identity. |
subject_token_type | The type of token provided in the subject_token parameter. For XAA, it specifies that an ID token is being presented to the authorization server. |
client_id | The client ID of the Requesting App within the enterprise IdP that is making the token exchange request. |
client_secret | The client secret that that Requesting App uses to authenticate itself with the enterprise IdP. |
/token endpoint. You can set the scopes in the next request to Auth0’s /token endpoint once the Requesting App receives the ID-JAG.
In a production environment, the Requesting App makes the token exchange request to the /token endpoint of your customer’s Okta tenant.
Send ID-JAG to Auth0’s /token endpoint
Once the Requesting App gets an ID-JAG, it sends an access token request to the/token endpoint of your Auth0 tenant:
| Parameter | Description |
|---|---|
grant_type | The grant type. It tells the Authorization Server to expect a JSON Web Token (JWT) as the primary credential in the request. |
client_id | The client ID of the Requesting App within the Resource App Authorization Server making the API call. |
client_secret | The client secret of the Requesting App within the Resource App Authorization Server making the API call. |
scope | The set of permissions the Requesting App is requesting for the access token. |
assertion | The ID-JAG or JSON Web Token (JWT) that acts as the bearer of the identity assertion. |
Beta limitations
XAA Beta has the following limitations:- The Requesting App must be a confidential client and a first-party app in your Auth0 tenant. Public clients, such as SPAs and Native Apps, are not supported.
- Delegated administration is not supported. The enterprise customer cannot directly configure SSO connections on your Auth0 tenant. Self-Service SSO support is planned for a later release.
- There can only be one XAA-enabled connection per upstream IdP issuer. The same Okta tenant can’t be used for more than one XAA-enabled enterprise connection.
- Organization support is limited:
- A connection has a 1:1 assignment with an Organization. Multiple Organizations cannot map to the same connection for XAA access.
- When the Requesting App is configured to require the use of Organizations, users must already be members of the target organization.
- If the
resourceparameter is not specified in the ID-JAG request, the target API is determined by thetenant.default_audience. - No dynamic user creation: The user must have previously logged into your Resource App using the configured Okta connection. Otherwise, the request to exchange the ID-JAG assertion for an access token will fail with a
User not found error.
Rate limits
In XAA Beta, ID-JAG exchanges on the/token endpoint of your Auth0 tenant will be rate-limited to 5 RPS.