The User Experience
A user signs into your application through your enterprise IDP—the same login they use every day. That’s the only authentication they see. When they ask the AI agent to query an internal database or update a ticket in your internal system, it just works. No OAuth popups. No consent screens. No “click here to connect your account” flows. This happens because the token exchange that grants access to internal MCP servers is entirely server-to-server. The user already proved who they are when they signed in. The Tool Hub exchanges that proof with your IDP behind the scenes, and your MCP servers accept it because they trust the same IDP. The user’s browser is never redirected. No additional credentials are requested.The Problem with AI Agent Auth
Most AI agent platforms that access enterprise services fall into two categories: Service accounts. The agent uses elevated credentials to access APIs. Problems: over-privileged, no user-level audit trail, credentials to manage, blast radius is everything the service account can access. Per-service OAuth. Each service connection requires the user to complete an OAuth consent flow. Problems: UX friction, token management complexity, doesn’t work for real-time agent workflows that span multiple services. Neither approach extends your existing SSO. You’ve invested in enterprise identity—Okta, Azure AD, Auth0—but your AI agents can’t use it.How Char Solves This
Char uses your existing IDP for everything. When a user’s AI agent needs to call an internal MCP server: The key insight: your MCP server validates against the same IDP it already trusts for SSO. Char doesn’t issue identity tokens—it exchanges yours through your IDP.Why This Is Different
| Traditional Approach | Char’s Approach |
|---|---|
| Service account with broad access | User’s actual identity and permissions |
| Credentials stored in vault | No credentials stored—token exchange on demand |
| Separate audit trail per service | Single audit trail through Tool Hub |
| Manual revocation per service | Disable user in IDP, access ends everywhere |
| Each service is a separate integration | One IDP configuration, all services work |
Industry Standards
This architecture implements emerging standards:| Standard | Role |
|---|---|
| Cross-App Access (XAA) | Enterprise-governed app-to-app connections |
| ID-JAG (RFC draft) | Identity Assertion Authorization Grant |
| RFC 8693 | OAuth 2.0 Token Exchange |
| RFC 7523 | JWT Profile for OAuth 2.0 Authorization Grants |
| MCP SEP-990 | Enterprise-Managed Authorization for MCP |
IDP Requirements
Your IDP needs to support RFC 8693 (Token Exchange) to issue ID-JAGs:| Provider | Token Exchange Support |
|---|---|
| Okta | ✓ Native via Cross-App Access (XAA) |
| Auth0 | ✓ Via Custom Token Exchange |
| Keycloak | ⚠️ Token Exchange in v26.2+, but ID-JAG token type not yet supported (#43971) |
| Azure AD | ⚠️ On-Behalf-Of provides similar delegation but uses RFC 7523 directly, not RFC 8693 |
| AWS Cognito | ✗ Not supported—IAM Identity Center has token exchange, but Cognito does not |
| Google Workspace | ⚠️ Limited—requires Workload Identity Federation |
What MCP Servers Require
For this architecture to work, internal MCP servers must be able to validate tokens from your IDP—the same validation they likely already perform for SSO. They also need to accept JWT Bearer Grants (RFC 7523), which is how the Tool Hub presents ID-JAGs in exchange for access tokens. The key insight is that most of this infrastructure already exists. If your MCP server already trusts your IDP for user authentication, it can trust ID-JAGs from that same IDP with minimal additional work. See the Remote MCP Authentication reference for implementation details.Setup Requirements
Remote MCP with ID-JAG requires a one-time setup by your IDP admin. This is different from basic SSO authentication, which only requires configuring your IDP details in the Char dashboard.What’s different about Remote MCP
| Capability | Basic SSO (Current) | Remote MCP (ID-JAG) |
|---|---|---|
| What it does | Validates user identity | Accesses internal MCP servers on user’s behalf |
| Char registration in your IDP | Not required | Required |
| IDP admin involvement | None | One-time setup |
| Token exchange permissions | Not needed | Required (XAA/RFC 8693) |
Why Char needs to be registered
For basic SSO, Char only validates tokens using your IDP’s public JWKS endpoint—no registration needed. For Remote MCP, the Tool Hub must authenticate as a client to your IDP to perform token exchange. Your IDP won’t process token exchange requests from an unknown client. This is a security feature: your IDP controls which applications can request tokens on behalf of your users.One-time IDP setup
Your IDP admin needs to:Register Char as an OAuth client
Create an application registration for Char’s Tool Hub in your IDP. This gives Char a
client_id and credentials to authenticate during token exchange.Grant token exchange permissions
Enable RFC 8693 token exchange (or XAA in Okta) for the Char application. This authorizes Char to exchange user tokens for ID-JAGs.
We’re working with ScaleKit to streamline this setup. ScaleKit provides purpose-built infrastructure for MCP authentication, including ID-JAG token exchange and credential management. Contact us if you’re interested in early access.
Why this architecture
Once setup is complete, the ongoing experience is seamless. Consider an enterprise using Okta with XAA enabled:- Users authenticate to applications via Okta
- Internal MCP servers trust Okta for SSO
- Char validates user tokens against Okta’s JWKS
- The Tool Hub exchanges tokens via Okta (using its registered credentials)
- MCP servers validate ID-JAGs against Okta
Admin Governance Replaces User Consent
Traditional OAuth requires users to approve each application connection. This made sense when users were connecting personal accounts to third-party apps—you want the user to decide whether to share their Google Calendar with a scheduling tool. Enterprise app-to-app access is different. The decision about whether your internal CRM can access your internal ticketing system isn’t a user decision—it’s an organizational policy. XAA reflects this by moving the approval from per-user consent flows to admin-configured policies in the IDP. When an admin enables XAA between applications in Okta, they’re saying: “Users of Application A are allowed to access Application B’s resources through their existing identity.” The IDP enforces this policy during token exchange. If the policy permits it, the exchange succeeds. If not, it fails. The user never sees a consent screen because the organization already made that decision. This is why there are no OAuth popups when accessing internal MCP servers. The enterprise admin configured the access policy. The IDP enforces it. The user just works.Security Properties
| Property | How It’s Achieved |
|---|---|
| User-scoped access | ID-JAG contains user’s identity, MCP server enforces their permissions |
| No credential storage | Tokens exchanged on demand, never persisted |
| Short-lived tokens | ID-JAGs and access tokens expire in minutes |
| Audience scoping | Each ID-JAG is bound to a specific MCP server |
| Centralized revocation | Disable user in IDP, all access ends immediately |
| Full audit trail | All tool calls flow through Tool Hub with user identity |