What is the A2A protocol?
By Identra · Updated
The A2A (Agent2Agent) protocol is an open standard that lets independent AI agents discover each other, exchange tasks, and return results across vendor and framework boundaries. Launched by Google in April 2025 and now governed by the Linux Foundation, it defines Agent Cards for discovery and standard transports so agents from different platforms can collaborate securely.
Key numbers
- More than 150 organizations back the A2A protocol, up from about 50 at its April 2025 launch (Linux Foundation, April 2026)
- The core A2A repository passed 22,000 GitHub stars in its first year (Linux Foundation, April 2026)
- A2A 1.0, the first stable specification, defines three transports: JSON-RPC 2.0, gRPC, and HTTP+JSON (A2A Protocol Specification v1.0)
How does the A2A protocol work?
A2A standardizes how one agent, the client, asks another agent, the remote server, to do work. Each participating agent publishes an Agent Card, a JSON document describing its identity, skills, service endpoint, and authentication requirements. A client agent reads the card, picks the right agent for the job, and sends it a task. The remote agent moves the task through a defined lifecycle and streams results back as messages and artifacts.
Version 1.0 of the specification, the first stable release, defines three transport bindings: JSON-RPC 2.0, gRPC, and HTTP+JSON. Agents advertise which transports and security schemes they support, which lets an agent built on one framework delegate to an agent built on a completely different stack. That interoperability is the point: A2A treats every agent as an opaque service, so agents can collaborate without exposing their internal state, models, or tools.
A2A vs MCP: what is the difference?
The Model Context Protocol connects a single agent to its tools and data sources; A2A connects agents to other agents. In the common analogy, MCP gives an agent hands while A2A gives agents a shared language. A procurement agent might use MCP to query an inventory API, then use A2A to negotiate delivery dates with a supplier's scheduling agent.
The two are complementary, and most agentic architectures will run both. That also means their risks compound: an agent compromised through a malicious MCP tool can push poisoned instructions to every agent it talks to over A2A. Security teams need to treat the combined mesh, not each protocol in isolation, as the attack surface.
How do agents authenticate each other in A2A?
A2A deliberately reuses established web security rather than inventing new cryptography. An Agent Card declares supported schemes in its securitySchemes field: API keys, HTTP authentication, OAuth 2.0, OpenID Connect, or mutual TLS. Clients obtain credentials out of band, present them on every request, and run all traffic over HTTPS.
Agent Cards can also be digitally signed so a client can verify that a card actually belongs to the agent it claims to describe. What the protocol does not do is mint identities. Every agent still needs its own credential from your identity infrastructure, which makes each A2A endpoint a non-human identity that must be issued, scoped, rotated, and retired like any other machine identity.
What breaks when agents trust each other?
Agent-to-agent trust fails in ways traditional service-to-service auth does not, because the payloads are natural language that the receiving agent acts on. Security researchers analyzing A2A deployments consistently flag a short list of failure modes:
None of these are exotic. They are the confused deputy problem, prompt injection, and shadow AI replayed at machine speed across a mesh of autonomous actors, with each new agent multiplying the paths an attacker can chain together.
- Agent Card spoofing: an attacker publishes a forged or lookalike card so victim agents delegate tasks to a malicious endpoint
- Cross-agent prompt injection: a hostile agent embeds instructions in task results that the receiving agent then executes
- Confused deputy attacks: a low-privilege agent routes requests through a high-privilege agent to reach data it could never access directly
- Untraceable delegation: task chains hop across three or four agents and no single hop records which human the work traces back to
- Shadow agents: teams stand up A2A endpoints outside governance, growing the mesh faster than security can inventory it
How do you secure an A2A deployment?
Start with identity. Give every agent its own credential, never a shared service account, so each A2A request is attributable to exactly one agent and, through the delegation chain, to a human owner. Scope those credentials to least privilege and prefer short-lived tokens over long-lived secrets so a stolen credential expires before it is useful.
Then verify and observe. Accept only signed Agent Cards from a curated registry, require mutual TLS or OAuth on every hop, and log every task exchange so you can reconstruct who asked what of whom. Because agent behavior changes with the prompts flowing through it, static reviews are not enough: runtime monitoring of agent-to-agent traffic is what catches a well-credentialed agent doing something it should not.
How Identra thinks about it
A2A, as we read it, makes agent identity the load-bearing wall of the agentic enterprise. The protocol solves interoperability and sensibly delegates authentication to existing standards, but that means the hard problems land on your identity infrastructure: issuing per-agent credentials, mapping delegation chains back to accountable humans, and watching what authenticated agents actually do. Treat every A2A endpoint as a first-class non-human identity with an owner, a scope, and a lifecycle, and instrument the mesh at runtime before agent sprawl grows it past the point of inventory.
Go deeper: The Non-Human Majority
Frequently asked questions
Does A2A replace MCP?
No. MCP connects an agent to tools and data; A2A connects agents to other agents. Most production agent architectures use both, with MCP inside each agent and A2A between them.
Who governs the A2A protocol?
The Linux Foundation. Google launched A2A in April 2025 and donated the specification, SDKs, and tooling to the Linux Foundation in June 2025, where it is developed under open governance with backers including AWS, Cisco, Microsoft, Salesforce, SAP, and ServiceNow.
How do agents authenticate under A2A?
With standard web mechanisms declared in the Agent Card: API keys, HTTP authentication, OAuth 2.0, OpenID Connect, or mutual TLS. Credentials are obtained out of band, and A2A itself does not issue or manage identities.
What is an Agent Card?
A JSON metadata document each A2A server publishes describing its identity, skills, service endpoint, and authentication requirements. Clients use it for discovery, and cards can be digitally signed to prevent spoofing.
