
Scalekit is part of the first wave of partners behind Cross App Access (XAA) — the open standard Okta brought to the enterprise, now part of MCP, for securely connecting AI agents to the tools they work across.
A year ago, an AI agent that could act across a company's tools was a demo. Today it's a line item on nearly every enterprise roadmap. Agents draft the launch summary, pull the open tickets, reconcile the numbers, and run the code review — reaching into project trackers, design tools, CRMs, and data warehouses to get it done.
The ambition isn't the bottleneck. The connection is. For a single task, an agent might need a ticket from Linear, a design from Figma, and a doc from Notion — and someone has to wire up three separate OAuth flows to make that happen, with IT seeing none of them. Most agents still reach their tools through static API keys that never expire and consent screens that go to users, not admins. Every new connection is another credential to leak and another blind spot to govern. Faced with that, security teams do the rational thing and slow agents down. The productivity is real, but so is the risk — and the risk usually wins.
Cross App Access changes that trade. Today, Okta announced the first partners adopting XAA — the open standard for governing how AI agents connect to enterprise applications — and Scalekit is proud to be among them.
Here's the part worth being precise about: XAA establishes trust, but it doesn't do the work on its own. The standard lets an agent carry the enterprise's identity to the door of another application. Something still has to act on that identity — take the token, decide what the agent is actually allowed to reach, and broker the connection to each downstream tool. That's where Scalekit sits. We turn the identity XAA provides into governed, scoped access across the tools an agent needs.
"Watching the Identity Assertion Authorization Grant grow from an early idea into an adopted standard has been remarkable. Securing how agents authenticate — and governing what they're authorized to do — is one of the hardest problems in enterprise AI. Scalekit is proud to be pushing that boundary alongside Okta and the rest of this ecosystem."
— Ravi Madabhushi, Co-founder & CTO, Scalekit
The standard itself is built on the IETF OAuth Working Group's Identity Assertion JWT Authorization Grant (ID-JAG), now incorporated into the Model Context Protocol as its Enterprise-Managed Authorization extension — and Okta is the first major identity provider to ship it at enterprise scale. The premise is simple: identity, not credentials, governs every connection. An agent authenticates through the enterprise's own identity provider, inherits the access its user already has, and works with short-lived tokens scoped to the task in front of it. Authorize once, centrally, and the policy follows the agent everywhere. No static keys. No consent fatigue. A clear record of what connected to what.
If you're building an AI product for the enterprise, your customers already sign in through their identity provider. With XAA, the agents inside your product can reach the tools those users are cleared for — without anyone wiring up a separate connection to each one. Scalekit sits in the middle as the gateway: your agent asks Figma for the latest designs, and Scalekit turns the user's identity into a scoped token for Figma, makes the call, and hands back the result — no per-user OAuth, no per-app consent. None of that is possible without XAA; without it there are no per-user tokens, only shared credentials standing in for everyone — the exact problem the gateway exists to remove. Your customers put agents to work across their stack from day one, under the policies they already trust, and the security review that used to gate the deal gets shorter.
If you're an enterprise connecting agents to your own internal systems, it's the same story from the other chair. Access flows from the identity and groups you already manage. Scalekit is the gateway your agents run through — enforcing what each one is allowed to reach and brokering the connection to every system behind it. You grant access once, you see every connection, and you can pull it back the moment a role changes.
Through all of it, the tools agents reach — Asana, Figma, Linear, and others — stay exactly where your data already lives. Scalekit doesn't hold your data or stand in for your tools. It secures the path between an agent and the systems it's allowed to touch.
The same shift runs in the other direction. More and more products expose an MCP server so agents can work with them directly — and the enterprises evaluating you will ask whether their agents can reach yours safely, under their own identity policy. If you build on Scalekit, the answer is already yes. Scalekit handles the authorization layer an MCP server needs to be XAA-compatible: an agent arrives with its enterprise identity, Scalekit validates it and issues a scoped token, and your server simply sees a valid, governed request. You don't stand up an authorization layer of your own — and the same goes for any B2B app using Scalekit for enterprise authentication. XAA-readiness becomes one more thing you can offer your customers without building it twice.
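The validation step described above (an agent arrives with its enterprise identity, the authorization layer validates it and issues a scoped token), as an added sketch in Node.js. It is not Scalekit's or Okta's code: the `typ` value and claim names follow the IETF ID-JAG draft, while the issuer URLs, client ID, scopes and 300-second lifetime are constructed for illustration.

```javascript
// Added example: resource-side ID-JAG validation. All names and values are constructed.
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const ES256 = { dsaEncoding: 'ieee-p1363' };

// Stand-in for the enterprise IdP: signs an ID-JAG with its private key.
function mintIdJag(privateKey, claims, typ = 'oauth-id-jag+jwt') {
  const head = b64u(JSON.stringify({ alg: 'ES256', typ }));
  const input = `${head}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, ...ES256 });
  return `${input}.${sig.toString('base64url')}`;
}

// Resource application's authorization server: verify, then narrow the scope.
function exchangeIdJag(jwt, cfg, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  // Pin algorithm and type so an ID token or access token cannot be replayed here.
  if (header.alg !== 'ES256' || header.typ !== 'oauth-id-jag+jwt') throw new Error('wrong token type');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: cfg.idpPublicKey, ...ES256 }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const c = JSON.parse(Buffer.from(p, 'base64url'));
  if (c.iss !== cfg.trustedIssuer) throw new Error('untrusted issuer');
  if (c.aud !== cfg.selfIssuer) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  const allowed = cfg.clientScopes[c.client_id];
  if (!allowed) throw new Error('unknown client');
  if (!c.jti || cfg.seenJti.has(c.jti)) throw new Error('replayed or missing jti');
  cfg.seenJti.add(c.jti);
  // Grant only scopes that were both requested and permitted; lifetime is illustrative.
  const scope = (c.scope || '').split(' ').filter((x) => allowed.includes(x));
  if (scope.length === 0) throw new Error('no permitted scope');
  return { sub: c.sub, client_id: c.client_id, scope: scope.join(' '), expires_in: 300 };
}

// Constructed sample data: one trusted IdP, one registered agent client.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const cfg = {
  idpPublicKey: publicKey, trustedIssuer: 'https://idp.example', selfIssuer: 'https://design.example',
  clientScopes: { 'agent-app': ['files.read'] }, seenJti: new Set(),
};
const t0 = 1700000000;
const baseClaims = { iss: 'https://idp.example', sub: 'alice@corp.example', aud: 'https://design.example',
  client_id: 'agent-app', jti: 'j-1', iat: t0, exp: t0 + 300, scope: 'files.read files.write' };
```

Calling `exchangeIdJag(mintIdJag(privateKey, baseClaims), cfg, t0 + 10)` returns a grant for `files.read` only, because `files.write` is not in the client's permitted set.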
A first set of enterprise tools supports XAA today, with more adopting it through the year, and Okta's broad availability through the Okta Integration Network arrives in August. The standard gets more useful as the ecosystem fills in — and Scalekit is building alongside it, so that as the list of reachable tools grows, what your agents can do grows with it.