What is the Agent2Agent (A2A) Protocol?
A2A is Google's open protocol for agent-to-agent communication, letting AI agents from different vendors discover each other's capabilities and collaborate on multi-step tasks. Announced in April 2025 with over 50 enterprise partners, A2A is the missing piece for agentic AI architectures: where MCP standardizes how an agent talks to its tools, A2A standardizes how agents talk to other agents.
How A2A works
An A2A-compliant agent publishes an Agent Card — a JSON document describing what the agent can do, what authentication it requires, and what skills it offers. Other agents discover Agent Cards either through a registry (e.g. an enterprise catalog) or by direct URL resolution.
When Agent A wants to delegate a task to Agent B:
- Capability discovery — A reads B's Agent Card to confirm B has the relevant skill
- Task initiation — A sends a task/send request describing the work, optionally with structured inputs
- Streaming updates — B can stream progress, intermediate artifacts, and clarifying questions back to A
- Task completion — B returns the final artifact (text, structured data, file, or another delegated task)
The protocol is built on standard web primitives (HTTP, JSON-RPC, Server-Sent Events) so existing infrastructure handles auth, rate-limiting, and observability.
A2A vs. MCP
These protocols solve adjacent but distinct problems:
| Layer | Protocol | Question it answers |
|---|---|---|
| Agent-to-tool | MCP | How does Claude call a read_file function? |
| Agent-to-agent | A2A | How does a research agent delegate to a code-review agent? |
Most production agentic deployments will use both. A coordinator agent on A2A delegates to specialist agents, each of which uses MCP internally for tool access.
Security implications
A2A introduces a new attack surface: cross-agent trust. When Agent A delegates to Agent B and incorporates B's response into its context, A is implicitly trusting B's output. Three concrete risks:
- Cross-agent prompt injection. If Agent B is compromised, malicious, or has been prompt-injected itself, the response it returns to A becomes a prompt-injection vector. A treats B's output as authoritative.
- Authority amplification. An agent that can call other agents effectively accesses the union of their tool capabilities. Compromising one agent in an A2A network therefore exposes the combined blast radius of every agent it can call.
- Identity spoofing via Agent Cards. If Agent Card discovery isn't authenticated, an attacker can publish a card claiming to be a legitimate agent and intercept delegated tasks.
Defending A2A deployments
Effective defenses mirror the principles of zero-trust microservice architectures:
- Authenticated Agent Cards — sign cards, verify signatures before delegation
- Per-task scoping — each delegated task carries an explicit capability scope; the receiving agent can't escalate beyond it
- Cross-agent output validation — treat responses from other agents as untrusted input, run them through guardrails before incorporating into context
- Audit trails — log every cross-agent task with originator identity, capability scope, and final disposition
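A sketch of how the first, second and fourth defenses fit together on one delegation path. This is an added example, not code from the A2A specification or any A2A SDK. It assumes a registry that authenticates cards with a shared-key HMAC (chosen to stay within the standard library; an asymmetric signature is the realistic choice), and the card fields, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: the registry MACs each card with a key shared with callers.
# HMAC keeps this stdlib-only; a real deployment would use an asymmetric signature.
REGISTRY_KEY = b"constructed-demo-key"
AUDIT_LOG = []  # in-memory stand-in for an append-only audit sink


def _mac(card: dict, key: bytes) -> str:
    """MAC over a canonical encoding of the card, excluding its signature field."""
    body = {k: v for k, v in card.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_card(card: dict, key: bytes = REGISTRY_KEY) -> dict:
    return {**card, "signature": _mac(card, key)}


def verify_card(card: dict, key: bytes = REGISTRY_KEY) -> bool:
    return hmac.compare_digest(_mac(card, key), str(card.get("signature", "")))


def delegate(originator: str, card: dict, skill: str, scope: set) -> dict:
    """Caller side: verify the card, then log the task with its explicit scope."""
    if not verify_card(card):
        disposition = "rejected: card signature invalid"
    elif skill not in card.get("skills", []):
        disposition = "rejected: skill not advertised"
    else:
        disposition = "sent"
    task = {"originator": originator, "target": card.get("name"), "skill": skill,
            "scope": sorted(scope), "disposition": disposition}
    AUDIT_LOG.append(task)
    return task


def within_scope(task: dict, capability: str) -> bool:
    """Receiver side: a capability is usable only if the task's scope names it."""
    return task["disposition"] == "sent" and capability in task["scope"]


# Constructed sample card; field names are illustrative, not the A2A schema.
CARD = sign_card({"name": "code-review-agent", "url": "https://agents.example/review",
                  "skills": ["review_diff"]})
TAMPERED = {**CARD, "url": "https://other.example/review"}  # altered after signing
```

Rejected delegations are logged as well as accepted ones, so the audit trail records every attempt along with its originator, scope and disposition.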
See also
The A2A specification is published at github.com/google/A2A.