How Okta & Anthropic Are Partnering on XAA, MCP & Glasswing

In recent months, the industry witnessed an explosion of agents, with machine identities accessing thousands of tools to cobble together projects faster and with precision. 

This ecosystem demands granular control and oversight of agentic actions.

Enabling enterprise customers to securely manage access to Claude and a growing ecosystem of AI-powered business applications, Okta has been announced as a featured identity provider supporting Anthropic's beta programme. 

Joint customers including Ramp, Webflow and HubSpot can now use Okta as the governance layer for Claude Enterprise while accessing applications from participating model context protocol (MCP) providers like Asana, Atlassian, Canva, Figma, Granola, Linear and Supabase.

The beta programme is a lesson in practice on how secure connections between Claude and enterprise applications can be established through cross app access (XAA) – which is an open protocol led by Okta extending OAuth for secure agent-to-app and app-to-app access. 

XAA also serves as the official authorisation extension within MCP under the name ‘Enterprise Managed Auth’.

“The industry has seen that when technology ecosystems grow quickly, open standards become critical to helping them scale securely,” says Ely Kahn, Chief Product Officer at Okta. 

“Okta first championed cross app access to give organisations a common way to secure AI agent connections and continuing that work with Anthropic and other partners marks a significant milestone in the journey to broad industry adoption. 

“Together, we’re helping drive ecosystem alignment around the standards shaping the AI era.”

Simplifying AI identity governance with XAA

Designed to help enterprises centralise identity management for AI tools, the partnership strengthens security while reducing administrative complexity. 

With Okta acting as the governance layer, IT teams can authorise MCP connectors once across the organisation, assign access based on existing Okta groups and roles and revoke permissions automatically when users or AI agents are offboarded.

Much to the relief of security teams, the approach removes the need for repetitive user consent prompts and fragmented agent configurations, all while ensuring that access remains aligned with enterprise policies.

Eliminating the headache of orphaned accounts, steps in the automated offboarding feature, meaning access to AI tools and connected applications is revoked alongside other enterprise permissions whenever user roles changes or accounts are deactivated.

“Enterprise-managed auth gives MCP the foundation it needs to scale across an enterprise, with Okta as our first identity provider partner,” says Mayank Malhotra, Member of Technical Staff at Anthropic.

“When an admin authorises a connector once for the whole organisation, every employee gets instant access to more of their tools through Claude, governed by the IDP they already trust. 

“We invite MCP developers to support enterprise-managed auth so their connectors are enterprise ready on day one.”

A brief history, bold present and bright future

When agents went mainstream, organisations required stronger governance over how these systems access sensitive resources.

Born of this challenge, XAA was introduced in June 2025 to extend identity governance to AI agents. 

This replaced in a single stroke, static credentials and unmanaged approvals with a simple, centrally managed authorisation through identity providers.

The protocol gained further momentum after being adopted by the OAuth working group in September 2025 before becoming part of MCP in November 2025, providing a standardised authorisation layer across AI applications and connected services.

Beyond basic identity governance, Okta is further broadening its collaboration with Anthropic to strengthen enterprise AI security. 

Answering the big question of who is responsible for agentic actions, organisations can now import Claude Managed Agents into Universal Directory. This enables administrators to assign human owners and enforce centralised governance policies to AI agents.

Okta is also integrating Identity Security Posture Management with the Claude Compliance API, giving security teams greater visibility into identity risks, dormant accounts and configuration issues across Claude Enterprise environments. 

To top it all off, Okta has joined Anthropic's Project Glasswing, deploying Claude Mythos Preview to help accelerate vulnerability discovery and strengthen AI infrastructure security.