← Back to library

One Login to Rule Them All: Cross-App Access for MCP — Garrett Galow, WorkOS

Watch videoView transcript

AI Engineer23:24Transcript ✅Added May 19, 2:40 am GMT+8

Actionable Insights

  • Inventory MCP credentials and standing tokens now. Before adopting XAA or similar, list every MCP server, auth domain, token location, refresh-token lifetime, and revocation path. First command shape: search config dirs for mcpServers, .env, api_key, and OAuth caches. Evaluate by whether IT can revoke a compromised developer’s agent access within minutes.
  • Put MCP server approval behind IdP policy. For enterprise teams, require that approved MCP clients/servers map to Okta/Entra/Google Workspace groups. Use WorkOS (https://workos.com), Okta (https://developer.okta.com), or your IdP’s app-integration model. Caution: today’s MCP ecosystem is uneven; do not assume every server supports enterprise auth.
  • Prefer scoped, short-lived access over blanket consent. When connecting tools like Figma/Notion/GitHub to coding agents, request least-privilege scopes and short token TTLs. Add an acceptance test: disable a user in IdP and verify agent tool calls fail quickly.
  • Model “client can request server access” as an explicit trust edge. Document triples like Cursor -> may request -> Figma via Okta. Review them like firewall rules. This maps directly to the XAA demo’s managed connections portal and makes cross-app policy auditable.
  • Keep fallback OAuth flows, but log them. XAA-like flows will not cover different auth domains or unmanaged SaaS. Log every manual consent, alert on unapproved MCP servers, and rotate tokens after machine compromise.

Core thesis

Enterprise MCP adoption is blocked by fragmented OAuth consent and unmanaged standing credentials; Cross-App Access tries to let trusted clients and servers rely on the enterprise IdP for policy-controlled access.

Big ideas / key insights

  • The valuable pattern is not “let the agent run longer”; it is to make the work inspectable, measurable, and interruptible.
  • The transcript evidence points to concrete workflow design: artifacts, traces, evals, policies, or specs that survive a single chat context.
  • The comment evidence is used as a sanity check: where practitioners push back, the verdicts below are deliberately more conservative.
  • The strongest practical takeaway is to convert the creator’s idea into a small pilot with explicit success/failure criteria before standardizing it.

Best timestamped moments

  • 1:15 — MCP usage today means repeated consent screens for each tool.
  • 3:47 — IT cannot reliably tell which MCP services or clients employees are using.
  • 4:48 — A real compromise story illustrates why unmanaged tokens are dangerous after device compromise.
  • 6:19 — XAA is introduced as a way for IdP-mediated trust to bridge client and server.
  • 7:51 — Demo: XAA-compatible Claude Code auto-connects Figma after Okta login.
  • 13:29 — Managed connections portal: policy says Cursor can request access to Figma.
  • 17:33 — Scoped access is discussed as a needed extension/caveat.

Practical takeaways / recommended workflow

  1. Create the durable artifact first. Write the spec/rubric/policy/trace schema before letting agents perform expensive work.
  2. Run a constrained pilot. Pick one repository, one team, or one workflow; record baseline cost, latency, failure rate, and review time.
  3. Instrument the loop. Capture traces, commands, tool calls, test results, and human corrections so the workflow can be evaluated later.
  4. Add gates. Require acceptance tests, human approval for sensitive actions, and rollback paths before allowing broader automation.
  5. Review after 5-10 runs. Keep the practice only if it improves measurable outcomes, not just because the demo felt compelling.

Comment insights

Comments are sparse but useful. One viewer says teams desperately need this. Pushback asks whether it is just OAuth on-behalf-of token exchange and notes it may not work across different auth domains. That caveat is important: XAA is strongest inside a shared enterprise trust boundary.

Deep research

  • Model Context Protocol authorization. MCP has authorization/security guidance but implementation support varies across clients and servers. Source: https://modelcontextprotocol.io
  • OAuth 2.0 Token Exchange RFC 8693. The commenter’s “OBO token exchange” comparison is valid: token exchange is a known OAuth pattern. Source: RFC 8693.
  • Okta / IdP app assignment docs. Enterprise IdPs already manage app assignment, SSO, and session revocation; XAA extends this mental model to agent tool access.
  • WorkOS. WorkOS provides enterprise auth/SSO tooling and has public materials around AuthKit, SSO, and agent access. Source: https://workos.com

Evidence quality note: research here uses named public documentation, standards, and widely known project sources where available. Some vendor claims are treated as product claims unless independently benchmarked in the user’s environment.

Verdicts

  • MCP consent fatigue is real: Agree / high confidence.
  • XAA solves enterprise MCP auth: Mixed / medium confidence. It addresses shared-domain enterprise cases, but cross-domain, server support, scopes, and revocation semantics remain hard.
  • Standing MCP tokens are a security risk: Agree / high confidence. Long-lived tokens outside IdP controls complicate incident response.

Screen-level insights

Frames show WorkOS/XAA title slides, Cursor/Claude terminal demos, consent screens, a trust diagram linking Cursor/Figma/Okta, and a managed connections portal. The visual step matters because XAA is a policy graph; seeing the portal makes the governance model concrete.

Representative extracted frame anchors checked against transcript context:

  • 0:14 — image youtube-extract/EmhRyw6xeT0/frames/000_000014.jpg; transcript context: All right. Good morning everybody. Thank you for coming to this talk. Hopefully your morning was eventful. I caught a little bit of the keynote. I wasn’t able to catch all of it, but it was pretty good. Um, my name’s Garrett Gallo. Today I’m going to be talking about one login to rule them all. Uh, or cross-app access for MCP in case you haven’t heard about
  • 0:45 — image youtube-extract/EmhRyw6xeT0/frames/001_000045.jpg; transcript context: a long time, and now at WorkOS. If you haven’t heard of WorkOS before, we make your app and also your agents enterprise ready. Uh, we power off for the likes of Anthropic, Cursor, OpenAI. So, if you ever logged into Cursor for example, whether that was with username password or like an enterprise IDP, you’ve used WorkOS. Um, today I’m going to be talking abo
  • 1:15 — image youtube-extract/EmhRyw6xeT0/frames/002_000075.jpg; transcript context: Um, but first, uh, if you’ve used MCP at all extensively, you know that it means consent screens on top of consent screens on top of consent screens. Who here uses MCP servers on the regular? Okay, most of you. Um, if you haven’t kind of experienced this before, uh, here is, uh, Cursor which I have set up. Uh, and if you want to use MCP servers with Cursor,
  • 1:45 — image youtube-extract/EmhRyw6xeT0/frames/003_000105.jpg; transcript context: connect. It’ll pop up this window. You have this nice little consent screen that you’re not going to read. You’re just going to say okay. And you’re going to get redirected back. And you need to do this for every single tool, which is frankly pretty annoying. And sometimes you have to do this again. You don’t really know why sometimes you have to do this aga
  • 2:15 — image youtube-extract/EmhRyw6xeT0/frames/004_000135.jpg; transcript context: And, uh, that’s not fun. But it’s in a company with a lot of developers, it’s not just, you know, one person’s inconvenience. Uh, as a user you might log into a half dozen or a dozen MCP servers. Um, but when you combine that together across your team, you basically have dozens and dozens of people spending all this time managing all these consent screens, c
  • 6:19 — image youtube-extract/EmhRyw6xeT0/frames/006_000379.jpg; transcript context: might be able to like automatically set up the MCP servers you’re using in something like Cursor or Claude, um, but you still need to go through all this authentication, um, and manage all these connections yourself. So, um, obviously this isn’t great. So, what are we doing about it? All right, what’s the solution to this? The solution is cross-app access, o
  • 6:49 — image youtube-extract/EmhRyw6xeT0/frames/007_000409.jpg; transcript context: So, let’s say the example of I have Cursor. That’s my MCP client. Uh, Figma’s the MCP server I want to connect to. And then Okta’s the IDP that we use at our company for logging into things. So, both Cursor and Figma already have this trust relationship with Okta, right? To get logged into Cursor, I go through Okta. To log into Figma, I go through Okta. So,
  • 7:21 — image youtube-extract/EmhRyw6xeT0/frames/008_000441.jpg; transcript context: What cross-app access does, it helps bridge the gap between Cursor and Figma by providing a way for Cursor to talk to Figma. They can both depend on that trust reliance on Okta, and they can get credentials issued without manual or human intervention. So, let me show you a little bit what that looks like. So, I’m going to flip over to, uh, my terminal and ma
  • 7:51 — image youtube-extract/EmhRyw6xeT0/frames/009_000471.jpg; transcript context: and, you know, if I check my MCP servers, uh, you know, I’ve connected the Figma server here. Obviously it needs authentication. I could go through that. You know, it’s going to present a consent screen. Um, that’s kind of the standard flow. Uh, in this window over here, uh, we have a version of Claude code that is XAA compatible. Basically implemented XAA h
  • 13:29 — image youtube-extract/EmhRyw6xeT0/frames/016_000809.jpg; transcript context: company already has. Inside of a system like Octa, there’s this new kind of managed connections portal. Where you basically come in and say, “Hey, which app do I want to grant the ability to request access to this other app?” So, in this case, uh we’re saying Cursor can request access to Figma. Uh and that policy means that when if Cursor comes knocking and
  • 17:33 — image youtube-extract/EmhRyw6xeT0/frames/018_001053.jpg; transcript context: the permissions that you have uh with Figma. Um one of the things we’re kind of talking about is like, okay, how do you extend this to be able to um define like scoped access. So, maybe uh you know, Octa’s saying, “Yes, I’m I will grant this crop cross-app access, but there’s caveats alongside like the permissions I’m going to grant.” That’s not something th

My read / why it matters

This video is useful if you convert it into an operating procedure rather than copying the headline. The durable lesson is about control surfaces for AI work: specs humans read, traces teams audit, evals that catch regressions, identity policies that revoke access, or graphs that preserve provenance. The risky version is adopting the slogan without the measurement and governance layer.

Verification notes

  • Source/evidence audit: Checked the extracted transcript/comment packet and named external sources/docs relevant to the main claims. Vendor/tool links are identified as vendor/project sources, not neutral proof of effectiveness.
  • Transcript/comment/frame fidelity audit: Timestamped moments and comment insights were kept close to extracted evidence in youtube-extract/EmhRyw6xeT0/ and the draft packet. Screen claims are limited to the extracted key-frame metadata and visible UI descriptions; for -QFHIoCo-Ko, no frame-derived claims are made because key frames were not extracted.
  • Hallucination/overclaim audit: Headline claims were softened where evidence was insufficient. Verdicts explicitly mark mixed/low-confidence claims and separate practical heuristics from proven facts.
  • Actionable Insights audit: The top section was checked for executable first steps, tools/commands or links where available, evaluation criteria, and cautions. Generic summary bullets were rewritten as workflow steps.
  • Residual uncertainty: I did not have independent benchmark results for the specific demos, and several claims would need local measurement before adoption. Transcript extraction status was marked unknown by the extractor, so the analysis relies on the processor’s excerpted transcript evidence rather than a full raw transcript page.