So far the most logical design I've come up with is:
1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.
While this will eliminate any second challenge for credentials, having the token in the url is not all that desired from our security team.
Any ideas on alternatives?