𝗔𝟮𝗔 𝗣𝗿𝗼𝘁𝗼𝗰𝗼𝗹 𝗔𝘂𝘁𝗵: 𝗪𝗵𝘆 𝘁𝗵𝗲 𝗦𝗽𝗲𝗰 𝗶𝘀 𝗧𝗵𝗶𝗻 𝗮𝗻𝗱 𝗪𝗵𝗲𝗿𝗲 𝘁𝗵𝗲 𝗛𝗼𝗹𝗲𝘀 𝗔𝗿𝗲

The A2A (Agent2Agent) protocol is becoming the standard for AI agent communication. Google announced it in 2025 and the Linux Foundation runs it now.

When I looked at the authentication section of the spec, I found almost nothing. It does not define a new authentication mechanism. It simply tells you to use existing standards like OAuth2, OpenID Connect, or mTLS.

This thinness is intentional. A2A defines the frame but delegates the contents to other standards. This creates security holes if you are not careful.

𝗛𝗼𝘄 𝗔𝟮𝗔 𝗪𝗼𝗿𝗸𝘀

A2A is a protocol for one agent to hand a task to another. It uses JSON-RPC over HTTP.

• Client Agent: The agent that sends the request.
• Remote Agent: The agent that receives the task.
• Agent Card: A JSON file where the Remote Agent lists its capabilities and auth requirements.

The Agent Card is the most important part. A client reads this card first to learn how to authenticate before sending a request.

𝗧𝗵𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗛𝗼𝗹𝗲𝘀

A2A leaves several critical tasks to the implementer. If you do not handle these, your agents are at risk.

  • Card Tampering: Signing the Agent Card is optional (MAY). If you do not sign it, an attacker can redirect your agent to a malicious server.
  • Replay Attacks: A2A does not have a way to bind tokens to a specific client. If someone steals a bearer token, they can impersonate your agent.
  • Privilege Escalation: Authorization is left to external infrastructure. If you do not enforce per-skill checks, a "read-only" agent might gain "write" access.
  • Identity Chaining: A2A does not handle how a user's identity moves through a chain of agents.

𝗛𝗼𝘄 𝘁𝗼 𝗕𝘂𝗶𝗹𝗱 𝗜𝘁 𝗦𝗮𝗳𝗲𝗹𝘆

Do not rely on the spec alone. You must turn the optional rules into mandatory ones.

• Always sign your Agent Cards. Use JWS and JCS.
• Use mTLS for agent-to-agent paths. This prevents token theft from being enough to compromise your system.
• Enforce per-skill authorization at your API Gateway.
• Use sender-constrained tokens (like DPoP) to stop replay attacks.
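The card-tampering hole and the "always sign your Agent Cards" rule above, as an added example (not code from the original post or from the A2A project): a client canonicalizes the card, checks its signature, and fails closed on unsigned or altered cards. Assumptions: the signatures/protected/signature field layout, the sample card and URLs, a simplified JCS canonicalization, and HS256 with a shared demo key standing in for the asymmetric JWS algorithm a real deployment would use, so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for a real signing key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical(card: dict) -> bytes:
    # Simplified JCS (RFC 8785): sorted keys, no whitespace, UTF-8. Enough for
    # cards with ASCII keys and no floats; the signatures field is excluded.
    body = {k: v for k, v in card.items() if k != "signatures"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def mac(protected: str, card: dict, key: bytes) -> bytes:
    signing_input = f"{protected}.{b64u(canonical(card))}".encode()
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def sign_card(card: dict, key: bytes) -> dict:
    protected = b64u(b'{"alg":"HS256"}')
    entry = {"protected": protected, "signature": b64u(mac(protected, card, key))}
    return {**card, "signatures": [entry]}

def verify_card(card: dict, key: bytes) -> bool:
    # Fail closed: unsigned, malformed, or wrong-algorithm cards are rejected.
    for entry in card.get("signatures") or []:
        try:
            protected, given = entry["protected"], b64u_decode(entry["signature"])
            header = json.loads(b64u_decode(protected))
        except (KeyError, TypeError, ValueError):
            continue
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            continue  # pin the expected algorithm; never let the card choose it
        if hmac.compare_digest(mac(protected, card, key), given):
            return True
    return False

# Constructed sample card; names and URLs are made up for this example.
CARD = {"name": "billing-agent", "url": "https://agents.example.com/a2a",
        "skills": [{"id": "invoice.read"}]}
SIGNED = sign_card(CARD, DEMO_KEY)
TAMPERED = {**SIGNED, "url": "https://attacker.example.net/a2a"}  # redirected endpoint
```

verify_card(SIGNED, DEMO_KEY) returns True, while TAMPERED and the unsigned CARD both return False, so the client never reads auth requirements from a card it cannot verify.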

A2A is the plumbing. The security comes from the water you run through it. Use proven standards like SPIFFE or Identity Chaining to fill the gaps.

Source: https://dev.to/kanywst/a2a-protocol-auth-taken-apart-why-the-spec-is-thin-and-where-that-leaves-holes-22ii
