Three Consent Screens on Day One
Paul Carleton walked through a new employee's first day at Acme Corporation. The employee spins up Claude Code and faces a long list of MCP servers, none of them authenticated yet. Each server requires clicking through a separate OAuth consent screen: Linear, Figma, Atlassian, Google Drive, Asana. Carleton said the user is not the real decision-maker – the IT admin signed the contracts. The consent screen becomes a meaningless pop-up that the user clicks through without reading. Meanwhile, Max Gerber, playing the IT admin, gets a CISO requirement to enforce read-only access for all coding agents. Gerber must audit every connection across multiple MCP clients and servers, jumping between the Google admin, Slack admin, and Figma admin views, with no single place to see or change what an agent can do.
Inserting the Workforce IDP
Carleton introduced the IETF draft known as cross-app access (XAA), or ID-JAG (Identity Assertion JWT Authorization Grant). The spec inserts the workforce IDP into the OAuth flow. The IT admin pre-configures trust between the MCP client, the IDP, and the authorization server in front of the MCP server. The end user logs into the IDP once. The MCP client requests an ID-JAG from the IDP, presents that assertion to the authorization server in exchange for an access token, and calls the MCP server. No consent screen appears, because the admin-configured trust stands in for per-user consent. Carleton said the ID-JAG replaces user consent with IT-admin consent from the SSO provider. The user does not interact with the flow at all.
Demo: Claude Code and Cursor Skip Consent
Carleton ran a live demo. He logged into Okta to get an ID token, exchanged it for an ID-JAG targeted at a Stytch authorization server, then exchanged that for a JWT bearer access token. The token worked on a demo MCP server. He then opened Claude Code, logged into the workforce IDP, and saw all MCP servers turn green. "We skipped three consent screens," he said. He repeated the same flow in Cursor, connecting to a Figma MCP server. Both clients used the same XAA flow without a single user consent prompt. Carleton noted that as more servers adopt XAA, users progressively see fewer consent screens; servers that have not adopted it still prompt as before.
Beyond Friction: Attribution and Specificity
Gerber explained that removing consent friction unlocks two improvements. Attribution: with XAA, the authorization server can issue one access token per agent session instead of one token shared by all windows. If a Claude Code session deletes a database, the IT admin can trace which conversation held the token that did it. Specificity: because access tokens are now cheap to obtain (no consent round-trip per token), the orchestrator can get a broad token while sub-agents get read-only or task-scoped tokens. Gerber said XAA does not solve these problems directly, but it opens the door.
Q&A
Can the access token include a refresh token for offline use? Yes, the authorization server can return a refresh token or tie the token to the SSO session, depending on configuration. ▶ Watch (18:16)
What does the IT admin have to configure for the MCP client? The MCP client is an OIDC client that logs into the workforce IDP; the admin enters a client ID, client secret, and issuer URL into a config box. ▶ Watch (18:54)
Is XAA specific to MCP? No, the draft predates MCP by a couple of years. It works for any app-to-app communication that currently requires an OAuth consent flow. MCP servers do not need to change; only clients, IDPs, and authorization servers do. ▶ Watch (20:36)
Notable Quotes
“We skipped three consent screens.” Paul Carleton · ▶ Watch (12:28)
“The user didn’t have to do anything in this flow.” Max Gerber · ▶ Watch (8:56)
“Ask your friendly neighborhood IT admin, is XAA right for you? We think they’ll say yes.” Paul Carleton · ▶ Watch (17:58)
Key Takeaways
- Cross-app access (XAA) removes per-server OAuth consent screens by inserting the workforce IDP into the token exchange.
- The ID-JAG (Identity Assertion JWT Authorization Grant) is exchanged for an access token without user interaction, enabling one SSO login for all MCP servers.
- XAA is not MCP-specific and works for any app-to-app authorization; IT admins configure trust once and gain central visibility.
About the Speaker(s)
Max Gerber is the software engineering lead for agent and AI identity at Twilio, where he works on core identity SDKs and APIs including OAuth, SAML, SSO, and RBAC. He previously led identity initiatives at Stytch and served as a lead engineer on MuleSoft’s IAM team during its integration.
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic’s clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosystem.