WeChat ID
aaronpk_tv
#xaa
-
Enterprise AI just got a lot more secure. Anthropic launched a beta of "Enterprise Managed Auth" in Claude, so you can now connect Claude seamlessly to MCP servers through your enterprise IdP like Okta!
Now employees no longer have to connect MCP servers manually and wait for a series of OAuth and login prompts. Once you log in to Claude from Okta, all the preconfigured MCP servers are already connected! It's not every day you get to improve both usability and security!
This is an application of the Cross App Access pattern, defined in the Identity Assertion JWT Authorization Grant being standardized in the OAuth working group at the IETF.
Seeing adoption from a massive player like Claude is a huge validation of the effort! It's been fantastic to work with the folks at Anthropic over the past year on this Paul Carleton and Den Delimarsky. And of course this wouldn't be possible without the collaboration with my co-authors on the spec Karl McGuinness and Brian Campbell!
https://claude.com/blog/enterprise-managed-auth
https://www.youtube.com/watch?v=5kTDt9ewTwE -
Cross-Domain API Access: Beyond the "Obvious" Shortcuts
Cross-domain access is everywhere in today's software landscape. Whether you look at enterprise SaaS applications, AI agents interacting with user data across multiple platforms, or "integrated experiences" pulling information from a calendar, a chat tool, and a wiki—everything eventually needs to talk across boundaries.continue reading... -
The "Agent Verified" signup flow from WorkOS is exactly what I've been telling the agent platforms they should be doing with Cross App Access! Very cool to see this launch! π
https://workos.com/auth-md/docs/flows/verified
"The agent's provider β OpenAI, Anthropic, Cursor, or any trusted agent platform β attests to the user's identity at registration time. Your service verifies the attestation and issues credentials synchronously, no human interaction required."
In Cross App Access terms:
β’ The "agent platform/provider" is the ID-JAG issuer, because users are already signed in to those platforms when they use agents
β’ The "service" is the ID-JAG consumer (the Resource AS), and issues an access token if the ID-JAG is trusted and valid
You can test this out in the Cross App Access sandbox today! https://xaa.dev/ -
If youβre struggling to get AI agents past enterprise security reviews, join me tomorrow for a session on how Cross App Access (XAA) brings managed authorization to MCP!
I'll be joined by Sohail Pathan to show off our Cross App Access playground and give a live demo of how the protocol works!
Tomorrow - February 18, 2026 (8 AM PT)
π https://www.brighttalk.com/webcast/14899/661521?utm_source=apk_social&utm_medium=brighttalk&utm_campaign=661521 -
The new MCP spec just dropped! π
There's too many new things to get into everything, but there are two big changes I am most excited about π
π Client ID Metadata Documents (CIMD) - a simpler way to manage client registrations, clients describe themselves with a URL they control
π Enterprise-Managed Authorization extension (aka Cross App Access) - eliminate the OAuth redirect and get tokens for an MCP server by requesting them from the enterprise IdP
It's been great working on this with folks like Den Delimarsky, Paul Carleton, David Soria Parra, Nick Cooper, Tyler Leonhardt, and more!
Read more about what these mean for you in my full post
π https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update
