Learn how Cross-App Access (XAA), or the Identity Assertion JWT Authorization Grant (ID-JAG), extends enterprise SSO to APIs through IdP-mediated tokens.

DeScope's resource offers insights, tutorials, and resources for software developers and IT professionals. Readers can learn about software architecture, cloud computing, and cybersecurity. With articles, tutorials, and best practices, DeScope provides  guidance and expertise for building and securing digital infrastructure.

Descope

Cross-App Access (XAA), also known as Identity Assertion JWT Authorization Grant (ID-JAG), is an OAuth extension that enables enterprise identity providers to mediate app-to-app API access through short-lived, policy-controlled tokens. Unlike traditional API keys or OAuth consent flows, ID-JAG centralizes access management at the IdP level, providing IT teams with visibility, audit trails, and instant revocation capabilities. The specification leverages existing OIDC infrastructure where the IdP issues signed JWTs that apps exchange for scoped access tokens. AI agents are accelerating adoption since they require secure, automated API access without manual consent flows or long-lived credentials.

What is Cross-App Access (XAA) and How It Works

The problem with API keys and OAuth consent flows

Securing and simplifying app-to-app access