The A2A Protocol — Agent-to-Agent Communication Security
B6 introduced inter-agent trust in the abstract. This deep-dive goes deep on the A2A protocol that makes inter-agent communication real — and the attack surface it creates. The Agent Card, the Task lifecycle, signed JSON-RPC payloads: every B6 attack now targets a concrete protocol artifact.
A2A is a transport and coordination protocol, not a security protocol. It defines how agents talk; it does not guarantee who is talking, that the message is intact, or that the message is fresh. The authentication, integrity, freshness, and authorization are the implementer's responsibility, layered on top — and the places implementers skimp are exactly where the attacker enters.
Learning objectives
Load-bearing claims
A2A defines how agents talk. It does not guarantee who is talking, that the message is intact, or that the message is fresh. The security is the implementer's responsibility, layered on top. The Agent Card's authentication field declares what scheme the agent expects; it does not perform the authentication. The places implementers skimp — payload signing, delegation-depth limits, Agent Card integrity, push-notification endpoint auth — are exactly where the attacker enters.
The forged orchestrator message from B6 is now a forged message/send JSON-RPC call. The unauthenticated peer is now an Agent Card whose authentication field was not validated. The replay is now a captured tasks/pushNotification/set registration replayed to redirect results. The cascade is now a multi-hop delegation chain. B6 named the attacks in the abstract; A2A names the protocol artifacts.
No new primitives. HMAC payload signatures (B6), nonces and timestamps (B6), scoped credentials (B5), caller-bound authorization (B5/B6), attenuated capability tokens (B5/B6). The same controls B6 built for the abstract message channel, now scoped to A2A artifacts. The Task ID is a natural scope boundary; the Agent Card is a natural identity artifact; the JSON-RPC envelope is a natural payload to sign.
Over-propagation gives a compromised leaf the root's full authority. Attenuated capability tokens — each hop mints a strictly weaker token — bound the leaf's compromise to the task it was minted for. This is B5's scoped credential and B6's blast-radius cap, applied inter-agent. A2A makes it enforceable because the Task ID is a natural scope boundary.