Shane Deconinck

Explainer

A2A (Agent-to-Agent Protocol)

How agents discover and talk to each other

The Problem

Agents in Silos

For AI agents to reach their full potential, some will need to be able to collaborate. But today there’s no standard way for agents to discover each other or communicate.

A2A (Agent-to-Agent Protocol) aims to fix this. Google released the initial spec in April 2025, then donated it to the Linux Foundation in June. By September, IBM’s ACP (Agent Communication Protocol) merged in, signaling serious industry commitment.

At time of writing, the Technical Steering Committee includes Google, Microsoft, AWS, IBM, Salesforce, SAP, and others. With this backing, A2A has real momentum.

πŸ“Œ Worth watching: In December 2025, the Linux Foundation launched AAIF (Agentic AI Foundation) separately, housing MCP and other projects. Some speculate these initiatives may merge.

Let’s look at how it works.

What A2A Solves

Three Core Problems

A2A addresses three fundamental challenges for agent collaboration:

πŸ”
Discovery
How does Agent 1 find out what Agent 2 can do? A2A defines Agent Cards: JSON documents where agents describe their capabilities.
πŸ“¨
Communication
How do agents exchange requests and results? A2A defines Tasks: structured messages that can be long-running, with status updates and streaming results.
πŸ”
Authentication
How do agents prove who they are? A2A delegates to existing standards: OAuth 2.0, OpenID Connect, API keys, or mTLS. You choose.

Think of A2A as a common language. It doesn't tell agents what to do, just how to introduce themselves and communicate.

Agent Cards

How Agents Introduce Themselves

Every A2A agent publishes an Agent Card: a JSON document describing what it can do and how to reach it.

Agent Card travel-agent.example.com 
{
  "name": "Travel Booking Agent",
  "description": "Books flights and hotels",
  "url": "https://travel-agent.example.com",
  "skills": [
    {
      "id": "book-flight",
      "name": "Book Flight",
      "description": "Search and book flights"
    }
  ],
  "capabilities": {
    "streaming": true,
    "pushNotifications": true
  },
  "securitySchemes": { ... }
}
Key Fields
skills capabilities securitySchemes

Discovery methods: Direct URL, /.well-known/agent.json, or registry lookup.

The Agent Card is self-asserted. The agent claims its own capabilities. There's no verification.

Tasks

How Work Gets Done

When Agent 1 wants Agent 2 to do something, it creates a Task. Tasks progress through states:

SUBMITTED β†’ WORKING β†’ COMPLETED
What makes tasks powerful:
  • Long-running: Tasks can take minutes or hours. Agent 2 sends progress updates.
  • Streaming: Results can arrive incrementally as artifacts.
  • Interactive: Agent 2 can pause for input (INPUT_REQUIRED) or additional auth (AUTH_REQUIRED).
  • Terminal states: COMPLETED, FAILED, CANCELLED, or REJECTED.

Unlike simple API calls, tasks model real work that takes time and may need back-and-forth.

Authentication

What the Spec Allows

A2A doesn't reinvent authentication. It delegates to existing standards via the Agent Card's securitySchemes:

OAuth 2.0 OpenID Connect API Keys HTTP Auth mTLS

The spec says authentication is "out-of-band": you obtain credentials however you normally would, then include them in A2A requests. The Agent Card tells you what's required.

securitySchemes example
"securitySchemes": {
  "oauth2": {
    "type": "oauth2",
    "flows": {
      "clientCredentials": {
        "tokenUrl": "https://auth.example.com/token",
        "scopes": { "agent:invoke": "..." }
      }
    }
  }
}

Best Practice: On-Behalf-Of

The A2A spec allows various OAuth flows, but when agents act on behalf of users, one pattern stands out:

Token Exchange (RFC 8693)

Agent 1 exchanges the user's token for a new token scoped to Agent 2. The resulting token identifies both the user and the acting agent.

This is the On-Behalf-Of (OBO) pattern. It preserves user identity through the agent chain, enabling:

  • Audit trails: Agent 2 knows Alice requested this, via Agent 1
  • Fine-grained authorization: Policies can consider both user and agent
  • Least privilege: Tokens are scoped to specific resources
Why not client_credentials?

With client_credentials, Agent 2 only sees "Agent 1 is calling me". It can't enforce user-specific policies or audit who actually requested the action.

The demo below shows the OBO flow in practice. For deep dive on the pattern, see my OBO Explainer.

See It In Action

The Full Flow

Task Flow with OBO
πŸ‘€User πŸ€–Agent 1 πŸ”Auth Server πŸ€–Agent 2 login (PKCE) user_token request + token GET /.well-known/agent.json Agent Card + securitySchemes OBO exchange a2a_token (sub=alice, act=agent) POST /tasks/send + Bearer token SUBMITTED Processing WORKING COMPLETED + artifacts SUBMITTED WORKING COMPLETED Click Start to begin
Request
β€”
Response
β€”

What's Still Missing

The Trust Gaps

A2A solves discovery and communication. But cross-domain scenarios expose real gaps:

βœ“ Within your organization

Your IdP knows all agents, your authorization server handles delegation. Standard setup works.

βœ— Cross-domain identity

TLS proves domain ownership, but how do you verify agent capabilities and trustworthiness across organizations? No standard mechanism.

βœ— Cross-domain auth

OBO works within a trust domain. But when Agent 1 (org A) calls Agent 2 (org B), whose authorization server issues the token? Federation helps, but adds complexity.

βœ— Confused deputy and scope extension

Even with OBO, tokens flow through agent chains. A malicious agent can misuse delegated authority, but even well-behaved agents can unintentionally extend scope beyond what the user intended. The act claim shows who is acting, but not whether the chain was authorized.

βœ— Non-repudiation

OAuth authenticates sessions, not messages. If Agent 2 claims Agent 1 sent a different request, there's no cryptographic proof either way. Audit trails depend on trusting the systems that write them, not cryptographic evidence.

βœ— Trust durability

Identity is domain/account-centric. If an agent's infrastructure changes (new domain, new cloud provider, certificate rotation), trust relationships break. There's no persistent cryptographic identity that survives these transitions, so reputation can't accumulate.

βœ— Metadata privacy

TLS hides message content, but not communication patterns. Network observers see which agents talk to which. For competitive or sensitive workflows, this metadata leakage reveals business relationships and operational patterns.

Third-Party Agents

Connecting to external agents from your enterprise creates the same policy gap as third-party MCP servers:

The problem: External agents use external IdPs. Your enterprise IdP isn't in the loop for outbound calls.

  • Which users are allowed to delegate to which external agents?
  • How do you audit what those agents do on your users' behalf?
  • Can you revoke access centrally?

Agent gateways like AgentGateway are adding auth portals to provide a single enforcement point for these external connections.

Proof of Possession Limits

DPoP (Demonstrating Proof of Possession) binds tokens to key pairs, preventing token theft. Within a trust domain, OBO + DPoP works fine for Agent 1 β†’ Agent 2.

The problem is multi-hop chains:

  • User β†’ Agent 1 β†’ Agent 2: OBO gives Agent 2 a token with user context
  • Agent 2 β†’ Agent 3: Now Agent 2 has delegated authority it can pass on
  • A compromised Agent 2 can misuse the OBO token from Agent 1's flow

DPoP proves who holds the token, but not whether they should be passing it along. The further down the chain, the harder it is to verify the original delegation was intended.

Emerging Work

The PIC protocol (Nicola Gallo) takes a different approach: authority as a property of execution continuity, not possessed artifacts. If it gains traction, it could fundamentally change how we think about delegation.

Beyond Single Trust Domains?

For internal deployments and established partners, standard OAuth + OBO works. The hard problems appear in open ecosystems where you can't pre-establish trust.

DIDs and Verifiable Credentials offer a path forward:

  • Discoverable identity without centralized registries
  • Verifiable capability claims issued by trusted parties, not self-asserted
  • Delegation chains that can be cryptographically verified across boundaries

TSP (Trust Spanning Protocol) from the Trust over IP Foundation is the emerging implementation of this vision, with work on running A2A over TSP (TA2A) already underway.

Learn More

EXPLAINER MCP (Model Context Protocol)
How agents connect to tools and data
EXPLAINER OBO (OAuth On-Behalf-Of)
How agents authenticate on behalf of users
EXPLAINER TSP (Trust Spanning Protocol)
Cross-org trust layer (TA2A runs A2A over TSP)
 A2A Protocol Specification
Official documentation and spec
 GitHub Repository
Source code and SDKs
 PIC Protocol
Provenance Identity Continuity (authority via execution continuity)