Production-ready AI agents need to be secure, and auth is a big part of security. Auth0 is partnering with Google Cloud to help deliver secure authentication for the Agent2Agent (A2A) protocol.

What is the Agent2Agent protocol?

Agent2Agent (or A2A) is a new open interoperability protocol created by Google Cloud, and launched a month ago, with support and contributions from 60+ companies.

It aims to allow agents to communicate with other agents regardless of their implementation framework or tech stack. For example, a “client” agent should be able to communicate with server agents implemented with LangGraph, Google ADK, Vercel AI SDK, any other agentic framework or any agent implemented without one.

Why is auth important for AI agents?

As companies and developers deploy AI agents into production, interactions between these agents will be common. And naturally, these interactions need to be secure.

We can say that each AI agent can act as a client (when requesting data from other AI agents) and as a server (when responding to data requests from other AI agents).

So we end up with some auth-related questions to be answered. These matters are important when implementing any system, and agentic systems are no exception. But there are also a few questions that become more prevalent with the rise of AI agents:

Authentication: How does the server agent know who is trying to perform an action?
Delegation: Is the agent acting on its behalf, or on behalf of a user?
Consent: If the client is acting on behalf of a user, how does the user consent to this operation?
Authorization: How does the server agent know if the caller can perform the action (e.g. call a specific tool)? If the client is acting on behalf of a user, is the user authorized to perform this action?
Auth for headless agents (agents without a UI): How should AI agents without a UI authenticate users?
Fine-grained authorization: How do we ensure AI agents only have the permissions they need to perform their task, and not more?

What are we partnering on?

A2A is being designed to support enterprise-grade authentication and authorization from day one. This means the protocol should be able to provide good answers to those questions and support all of those scenarios in multi-agent systems built with A2A.

We are working with Google Cloud to define A2A auth specs based on secure standards, and build SDKs and code samples that showcase A2A auth capabilities. This will include how to integrate A2A with Auth0 and our new product Auth for GenAI, providing both great security and great auth user experiences.

How does auth work in A2A?

Agents expose how they operate via Agent Cards, which include what they can do, how they can communicate (e.g. support streaming?), and how clients should authenticate to them following the OpenAPI spec. Clients use the Agent Card to discover agents and understand how to interact with them.

For example, this agent card defines an HR agent that can receive an email and reply if a person works at a company or not. Clients can authenticate by obtaining an access token via a client credentials OAuth flow and then providing the token to the agent to authenticate.

AgentCard(
    name='Staff0 HR Agent',
    description='This agent handles external verification requests about Staff0 employees made by third parties.',
    url=f'http://{host}:{port}/',
    version='1.0.0',
    defaultInputModes=HRAgent.SUPPORTED_CONTENT_TYPES,
    defaultOutputModes=HRAgent.SUPPORTED_CONTENT_TYPES,
    capabilities=AgentCapabilities(streaming=True),
    skills=[
        AgentSkill(
            id='is_active_employee',
            name='Check Employment Status Tool',
            description='Confirm whether a person is an active employee of the company.',
            tags=['employment status'],
            examples=[
                'Does John Doe with email jdoe@staff0.com work at Staff0?'
            ],
        )
    ],
    authentication=AgentAuthentication(schemes=['public']),
    securitySchemes={
        'oauth2_m2m_client': OAuth2SecurityScheme(
            description='',
            flows=OAuthFlows(
                authorizationCode=ClientCredentialsOAuthFlow(
                    tokenUrl=f'https://{os.getenv("HR_AUTH0_DOMAIN")}/oauth/token',
                    scopes={
                        'read:employee_status': 'Allows confirming whether a person is an active employee of the company.',
                    },
                ),
            ),
        ),
    },
    security=[{
        'oauth2_m2m_client': [
            'read:employee_status',
        ],
    }],
)

One thing we have also been exploring with the Google Cloud team is how agents that don't have a UI (“headless agents”) should authenticate users. For these scenarios we believe the Client Initiated Backchannel Authentication (CIBA) flow will be a very valuable tool for developers and architects. CIBA is an OpenID Connect flow that does not rely on redirects in the user's browser. Instead, Agents can reach out to users outside via push notification, email, SMS, etc. for them to authenticate. To give you an idea about what CIBA provides from a security standpoint, it can also be used to meet the strong auth requirements of FAPI for financial transactions.

A working sample

Enough chat, let's see some working code :) We've worked with the Google Cloud A2A team to build a demo showcasing these capabilities. Imagine a scenario where:

John Doe, who works at Staff0 wants to open a bank account by talking to a chatbot agent
Because of internal policies, the bank agent needs to verify that the user is an employee at Staff0, so it contacts the Staff0 HR agent.
The Staff0 HR agent can use the Staff0 HR API to check if the user is an employee or not.

For example, it could result in an application flow like this: <amp-youtube

data-videoid="X22XNlRnHZU"
layout="responsive"
width="480" height="270">

</amp-youtube> </AmpContent>

To make it simple to run such a sample, we uploaded it to the A2A repo here. The sample A2A client plays the part of the Bank Agent. When you run the demo, this is what happens behind the scenes:

Closing thoughts

At Auth0 we believe AI has the potential to radically reshape software in general and identity in particular. We believe there will be an explosion in AI agents (non-human identities), which requires more security, finer grained access control and support for various delegation scenarios.

We look forward to continuing our collaboration with Google Cloud, and helping builders secure their AI agents, both by contributing to AI protocols (e.g. MCP, A2A), new capabilities of Auth for GenAI, and developing new products and features that enable an AI powered world.

About the author

Damian Schenkelman

VP R&D (Auth0Lab)

Damian was one of Auth0's earliest employees. He loves building products for developers and taking things from 0 to 1.

He played key roles in implementing product features and growing the engineering organization in the early stages, and later on defining Auth0's architecture for scale and creating new products. Today he helps shape Auth0's long term strategy and leads Auth0Lab, a small and amazing team doing research and development of forward-looking products.

He spends his spare time with family, and friends, exercising, and catching up on all things NBA.

View profile