I have two web apps, each with their own physical servers, urls, SSL certs, users, databases, etc. which communicate through APIs. They’re both running python, one using plain Flask, the other Django. I was hoping to allow a single 2FA to work for both applications, but since they don’t have any kind of direct access to each other, I figure there was no direct way to do this.

Would it be considered insecure to pass tokens between the applications? Are there any examples of using such a mechanism or advice for best practices?