Why it matters
Getting auth right is what makes A2A safe. Overly permissive auth invites abuse; overly restrictive auth breaks integrations.
Advertisement
The architecture
API key: simple, fast to set up. Static credential; rotation is manual.
OAuth: for delegated access on behalf of a user. Enables consent flows.
Advertisement
How it works end to end
mTLS: mutual TLS with client certificates. Zero-trust; each agent verifies the other cryptographically.
Session tokens: A2A sessions can carry auth context across multiple task interactions.
Token scoping: limit what an authenticated caller can do. Not every A2A call should have full access.