Skip to main content
A2A security enables authentication and authorization for agent-to-agent communication, protecting endpoints while maintaining protocol compliance.
The user exposes an A2A endpoint; only clients with valid credentials can discover the agent and send JSON-RPC requests.

Quick Start

1

Basic Bearer Token

Protect your A2A endpoint with a simple bearer token:
2

Client Authentication

Connect to protected endpoints using authorization headers:

How It Works


Security Configurations

Bearer Token Authentication

The simplest authentication method using a shared secret:

Client Example

Extended Agent Card

When authentication is enabled, the agent card can indicate security requirements:

Common Patterns

Environment-Based Tokens

FastAPI Integration

Multi-Environment Setup


Best Practices

  • Use cryptographically secure random tokens (32+ characters)
  • Store tokens in environment variables, never in code
  • Rotate tokens regularly in production environments
  • Use different tokens for different environments
  • Consider using prefixes like sk-prod-, sk-dev- for identification
  • Keep /.well-known/agent.json public per A2A specification
  • Only protect the /a2a endpoint with authentication
  • Ensure agent cards don’t expose sensitive information
  • Status endpoints can remain public for health checks
  • Return standard HTTP 401 for invalid/missing tokens
  • Use consistent error message format
  • Log authentication attempts for monitoring
  • Implement rate limiting for failed authentication attempts
  • Use HTTPS in production environments
  • Implement proper logging and monitoring
  • Consider API gateways for additional security layers
  • Set up proper CORS policies for web clients
  • Monitor token usage patterns for anomalies

A2A Protocol

Learn the A2A protocol basics and setup

Agent API

RESTful API endpoints for agent services