Module SDD-B13 — The A2A Protocol — Agent-to-Agent Communication Security

The A2A Protocol — Agent-to-Agent Communication Security

B6 introduced inter-agent trust. This deep-dive goes deep on the A2A protocol that makes inter-agent communication real — and the attack surface it creates. The Agent Card, the Task lifecycle, signed JSON-RPC payloads: every B6 attack now targets a concrete protocol artifact.

45
minutes
8
artifacts
3
sub-sections
A2A (Agent2Agent) is the open wire protocol (JSON-RPC 2.0 over HTTP, optional SSE streaming) for agent-to-agent communication, announced by Google in April 2025 and backed by fifty-plus enterprise partners. A2A is a transport and coordination protocol, not a security protocol. It defines how agents talk; it does not guarantee who is talking, that the message is intact, or that the message is fresh. The authentication, integrity, freshness, and authorization are the implementer's responsibility, layered on top. This deep-dive reads every protocol artifact — the Agent Card, the Task lifecycle, Messages, Artifacts, the JSON-RPC methods — as an attack surface, and maps the four core threats (impersonation, task hijacking, tampering, replay) to their B6 controls and A2A-specific fixes.
Key Claims
Load-Bearing Claims

A2A is a transport and coordination protocol, not a security protocol. It defines how agents talk; it does not guarantee who is talking, that the message is intact, or that the message is fresh. The Agent Card's `authentication` field declares what scheme the agent expects (OAuth2, API key, mTLS); it does not perform the authentication. The places implementers skimp — payload signing, delegation-depth limits, Agent Card integrity, push-notification endpoint auth — are exactly where the attacker enters.

The four core threats (impersonation, task hijacking, tampering, replay) are the concrete protocol-level realization of B6's abstract attacks. The forged orchestrator message from B6 is now a forged `message/send` JSON-RPC call. The unauthenticated peer is now an Agent Card whose `authentication` field was not validated. The replay is now a captured `tasks/pushNotification/set` registration replayed to redirect task results to an attacker's webhook. The cascade is now a multi-hop delegation chain.

Every defense that defeats each threat is a B5/B6 control applied at the A2A boundary — no new primitives. HMAC payload signatures (B6), nonces and timestamps with freshness windows (B6), scoped credentials (B5), caller-bound authorization on state-mutating calls (B5/B6), attenuated capability tokens with max-delegation-depth (B5/B6). The same controls B6 built for the abstract message channel, now scoped to A2A artifacts.

Delegation-chain attenuation is the cascade-bounding control. Over-propagation gives a compromised leaf agent the orchestrator's full authority. Attenuated capability tokens — each hop mints a strictly weaker token authorizing only a specific method on a specific Task, with a max-depth that decreases at each hop — bound the leaf's compromise to the task it was minted for. This is B5's scoped credential and B6's blast-radius cap, applied inter-agent.

After This Module
01
Describe the A2A protocol specification — Agent Cards, the Task lifecycle (submitted/working/input-required/completed/failed/canceled), Messages (roles user/agent), Artifacts (structured outputs), and the JSON-RPC 2.0 methods (message/send, message/stream, tasks/get, tasks/cancel, tasks/pushNotification/set) — as a concrete attack surface.
02
Explain the A2A trust model — how agents authenticate to each other, how delegation chains propagate authority, and where the trust assumptions live in the protocol versus where the protocol is silent.
03
Identify the four core security threats specific to A2A — agent impersonation via forged Agent Cards, task hijacking via Task lifecycle manipulation, message tampering via unsigned JSON-RPC payloads, and replay attacks via captured message/send calls — and map each to the B6 defenses.
04
Articulate the precise relationship between MCP and A2A — MCP is agent-to-tool, A2A is agent-to-agent; the two protocols compose and the boundary between them is itself an attack surface.
05
Evaluate the four multi-agent orchestration architectures (orchestrator-worker, peer-to-peer, hierarchical, market-based) for cascade-failure blast radius, and design authorization constraints that bound how far one agent's compromise propagates.
Artifacts
01
Teaching Document
~3,500 words; 3 sub-sections — the protocol as attack surface (Agent Card, Task lifecycle, Messages/Artifacts, JSON-RPC methods), the trust model and its gaps (authentication, delegation chains, the four core threats mapped to B6), orchestration architectures and cascade failure (four topologies, cascade propagation, authorization primitives, Agent Card as attack surface, MCP/A2A/Crew comparison); with anti-patterns, key terms, references
READ
02
Diagrams
6 Mermaid diagrams — the protocol as attack surface (four artifact clusters), MCP vs A2A (the boundary as attack surface), the four orchestration topologies with cascade blast radius, delegation chain (over-propagation vs attenuated capability tokens), the four core threats mapped to B6 controls, the push-notification hijack sequence
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers the thesis (transport not security), the protocol in one slide, Agent Card as reconnaissance, Task lifecycle hijackable transitions, four threats mapped to B6, push-notification hijack, delegation chains (over-propagation vs attenuation), four topologies, MCP vs A2A, anti-patterns, the lab
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~3,000 words spoken at ~140 wpm across 12 slide cues
READ
05
Flashcards
20 flashcards (TSV) — mix of recall, application, analysis; covers the four artifacts, four core threats, MCP/A2A boundary, delegation chains, topologies, push-notification hijack, Agent Card integrity, lost provenance
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Build Two A2A Agents, Then Attack the Channel — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): implement the A2A protocol layer (Agent Cards, Tasks, Messages, Artifacts, JSON-RPC methods), execute the four threats against the undefended channel, apply B6 defenses (HMAC signatures, nonces, capability tokens), confirm each is blocked (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE