Why it matters

Getting auth right is what makes A2A safe. Overly permissive auth invites abuse; overly restrictive auth breaks integrations.

Advertisement

The architecture

API key: simple, fast to set up. Static credential; rotation is manual.

OAuth: for delegated access on behalf of a user. Enables consent flows.

A2A auth optionsAPI keystatic, simpleOAuthuser delegationmTLScert-based zero-trustChoose by trust domain: internal → API key; user-delegated → OAuth; zero-trust → mTLS
Three auth approaches.
Advertisement

How it works end to end

mTLS: mutual TLS with client certificates. Zero-trust; each agent verifies the other cryptographically.

Session tokens: A2A sessions can carry auth context across multiple task interactions.

Token scoping: limit what an authenticated caller can do. Not every A2A call should have full access.