The "Agent Verified" signup flow from WorkOS is exactly what I've been telling the agent platforms they should be doing with Cross App Access! Very cool to see this launch! 👏

https://workos.com/auth-md/docs/flows/verified

"The agent's provider — OpenAI, Anthropic, Cursor, or any trusted agent platform — attests to the user's identity at registration time. Your service verifies the attestation and issues credentials synchronously, no human interaction required."

In Cross App Access terms:

• The "agent platform/provider" is the ID-JAG issuer, because users are already signed in to those platforms when they use agents
• The "service" is the ID-JAG consumer (the Resource AS), and issues an access token if the ID-JAG is trusted and valid

You can test this out in the Cross App Access sandbox today! https://xaa.dev/

my head feels like a blender that has been filled past the "do not fill above" line

Found my todo list for 2026 https://kylegabriel.com/projects/2020/06/automated-hydroponic-system-build.html

TIL about UIScreenshotService which enables iOS apps to provide a high res PDF screenshot of the app content when the user uses the system screenshot action! Chrome uses this to give a full export of the page!

I'm impressed, Cathay Pacific transferred my vegetarian meal request to the new flight they moved me to after the incoming flight was late and missed the connection. Normally airlines say oh well you didn't reserve the meal 72 hours before the flight.

Happy final Daylight Savings Time Eve to all our friends in British Columbia! I hope we can join you on the other side soon!

I'm setting up a temporary laptop for my next trip and it's shocking how much faster the cross-device passkey flow is compared to looking up and hand typing my long 1Password passwords

If you’re struggling to get AI agents past enterprise security reviews, join me tomorrow for a session on how Cross App Access (XAA) brings managed authorization to MCP!

I'll be joined by Sohail Pathan to show off our Cross App Access playground and give a live demo of how the protocol works!

Tomorrow - February 18, 2026 (8 AM PT)

👉 https://www.brighttalk.com/webcast/14899/661521?utm_source=apk_social&utm_medium=brighttalk&utm_campaign=661521

Inspired by some #indieweb folks creating /caw pages on their websites, I made one of my own! Here you can listen to the most recent crow recorded from my house:

https://aaronparecki.com/caw/

Apparently I missed the introduction of the 4.4mm TRRRS audio jack 10 years ago and just now discovered it. What a cool idea.

"I'll just check my critical thinking and nuke it in the microwave" has to be my favorite quote from this Business Insider video on Trader Joe's white-labeled food

Me looking at my todo list on a Sunday night after having done at least a couple things today, yet somehow it looks more like a list of what I did *not* do today.

oh no, due to a series of misclicks, I just accidentally archived the most recent 100 emails in my inbox.

if nothing else, reviewing my "all mail" folder is doing a good job of making me question how important emails in my inbox actually are.

The new MCP spec just dropped! 🎉

There's too many new things to get into everything, but there are two big changes I am most excited about 👀

📝 Client ID Metadata Documents (CIMD) - a simpler way to manage client registrations, clients describe themselves with a URL they control
🔐 Enterprise-Managed Authorization extension (aka Cross App Access) - eliminate the OAuth redirect and get tokens for an MCP server by requesting them from the enterprise IdP

It's been great working on this with folks like Den Delimarsky, Paul Carleton, David Soria Parra, Nick Cooper, Tyler Leonhardt, and more!

Read more about what these mean for you in my full post
👉 https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update

Inspired by a question from @thisismissem.social, I wrote up a document describing how to apply DPoP (RFC9449) to the OAuth Device Flow (RFC8628).

https://datatracker.ietf.org/doc/draft-parecki-oauth-dpop-device-flow/

The IETF OAuth Working Group has adopted the Identity Assertion Authorization Grant specification!

This specification provides a mechanism for an application to use an identity assertion to obtain an access token for a third-party API by coordinating through a common enterprise identity provider

This is the basis of Cross App Access (XAA), providing IT admins better visibility and control of app-to-app connections by configuring the connections in their enterprise IdP.

While it will still be a while before it is an RFC, this is an important step in the standards process, as this is the first time the document is "official"! This signifies that the working group agrees that the problem is worth solving, and agrees on the general direction of the spec.

Thanks to everyone for your contributions and feedback so far!

And thanks to my co-authors Karl McGuinness and Brian Campbell!

Well that's the last time I take my ID out of my wallet to go through airport security. I made the mistake of putting it into my pocket instead of back in my wallet and it seems to have fallen out somewhere between PDX and SFO 🫠

So many neighbor dogs like to do their business in our unfinished driveway. Thankfully the neighbors do clean up after their dogs. But if this happens after 8pm, they have been tripping the alarm that keeps out the creepers from the yard.

So earlier this week I set up a new automation. If the cameras spot an animal in the driveway, it disarms the alarm for 5 minutes. This gives their humans enough time to clean up without tripping the alarm. Then it re-arms the alarm after.

This has significantly reduced the number of false positive alarms!

Tonight I had *three* false alarms where dog walkers picking up their dog poop from the driveway set off the siren. I feel bad when people who pick up after their dog set off the alarm because I'm glad they are being responsible! But also tonight I had two people wander in, one smoking something and the other stealing some trash.

Five alarms in one night was enough for me to attempt to fix this.

So now, if everything goes according to plan, if an animal is spotted in the driveway it will disarm the alarm for 5 minutes. That should give the nice people who pick up after their dogs enough time to do so without triggering the siren.

I don't know why I'm so excited to have a fully functional landline phone system in the house, complete with wired and wireless phones, local extensions for each room, voicemail boxes, bidirectional connection with the intercom system, and inbound and outbound dialing. Complete phone nerdery over here, someone should probably stop me.