Creativity · Agent Protocol
A2A Authentication — OAuth & Beyond
A2A doesn't invent new auth. Agents authenticate to one another using the same mechanisms services have used for years — OAuth 2.0 bearer tokens, API keys, mTLS — with the Agent Card declaring which scheme the callee expects. This keeps A2A compatible with existing identity infrastructure and side-steps the need for agent-specific credential formats.
Protocol facts
- Sponsor
- Google (+ industry partners)
- Status
- proposed
- Spec
- https://google.github.io/A2A/
- Interop with
- OAuth 2.0, OpenID Connect, mTLS, API keys, A2A
Frequently asked questions
How does one agent authenticate to another in A2A?
Most deployments use OAuth 2.0 bearer tokens — the calling agent obtains a token from its identity provider and includes it in the Authorization header. The Agent Card tells the caller which issuer and scopes to use.
Can agents use mTLS instead?
Yes — for service-to-service deployments inside a trusted boundary, mTLS is a common choice and the Agent Card can declare it as the required auth scheme.
Does A2A define agent-specific credential formats?
No. A2A deliberately reuses existing standards. The thinking is: agent identity is just service identity with a new label, and reinventing OAuth would slow adoption.
Sources
- Google — A2A overview — accessed 2026-04-20