A2A Agent Card Trust

What this is. An A2A Agent Card is not just metadata. It is the front door to a remote opaque agent. This profile turns the card into an intake decision before context, authority, or evidence crosses the agent boundary.

SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. That layer needs a decision point before a newly discovered A2A agent is trusted. MCP controls tool access; A2A controls agent-to-agent coordination. The Agent Card is where a reviewer first sees the remote agent’s identity, supported interfaces, auth requirements, skills, signatures, and extended-card behavior.

The A2A Agent Card Trust Profile scores that discovery surface as a security intake artifact. It helps teams decide whether a card is ready for production handoff, restricted metadata-only pilot use, owner review, denial, or immediate session termination.

What was added

  • data/assurance/a2a-agent-card-trust-profile.json - source model for Agent Card fields, trust profiles, decisions, controls, sample cards, and industry alignment.
  • data/evidence/a2a-agent-card-trust-profile.json - generated evidence pack for CI, MCP, architecture review, and diligence.
  • MCP tools: recipes_a2a_agent_card_trust_profile and

Regenerate and validate:

Evaluate a trusted production card:

Trust profiles

Profile Default decision Use when
trusted-production-agent allow_trusted_agent_card A remote agent has HTTPS interfaces, provider identity, standard auth, signed-card evidence, scoped skills, gateway enforcement, audit logs, and high-impact approval controls.
restricted-pilot-agent pilot_with_restricted_context The card is valid and authenticated but lacks enough evidence for production. Restrict it to metadata-only handoffs.
public-discovery-only hold_for_agent_card_intake The card may be indexed or reviewed, but it must not receive tenant context or delegated authority.
blocked-agent-card deny_insecure_agent_card The card leaks secrets, advertises insecure interfaces, includes prompt-injection instructions, or requests unsafe skills without controls.

Why it matters

A2A makes agents discoverable and composable across vendors. That is useful, but it also creates a new trust problem: an enterprise cannot let any discovered opaque agent receive internal context just because it publishes a card.

This profile answers concrete reviewer questions:

  • Does the Agent Card use HTTPS interfaces?
  • Is provider identity present and reviewable?
  • Are standard HTTP-layer security schemes declared?
  • Is the card signed before production promotion?
  • Are high-impact skills gated by approval and gateway policy?
  • Does the card contain credential material or prompt-injection text?
  • Which handoff profiles may the agent receive after intake?

The trusted-source path is hosted Agent Card monitoring, signature verification, allowlist drift detection, procurement exports, remote agent trust tiers, and A2A/MCP gateway enforcement.

Industry alignment

This feature is grounded in current primary guidance:

MCP examples

List trust profiles:

{}

Inspect production profile:

{
  "profile_id": "trusted-production-agent"
}

Evaluate a restricted pilot card:

{
  "profile_id": "restricted-pilot-agent",
  "production": false,
  "declared_controls": [
    "https_interface",
    "standard_http_auth",
    "gateway_enforced",
    "metadata_only_context",
    "audit_log"
  ],
  "agent_card": {
    "name": "Public CVE Research Agent",
    "description": "Reads public vulnerability references and returns citation-only summaries.",
    "provider": {
      "organization": "Example Research Vendor",
      "url": "https://research.example.com"
    },
    "version": "0.9.2",
    "supportedInterfaces": [
      {
        "url": "https://research.example.com/.well-known/a2a",
        "protocolBinding": "https://a2a-protocol.org/specification/transport/http+json",
        "protocolVersion": "1.0"
      }
    ],
    "capabilities": {
      "streaming": false,
      "pushNotifications": false,
      "extendedAgentCard": false
    },
    "securitySchemes": {
      "bearer": {
        "httpAuthSecurityScheme": {
          "scheme": "Bearer",
          "bearerFormat": "JWT"
        }
      }
    },
    "securityRequirements": [
      {
        "bearer": ["research.read"]
      }
    ],
    "defaultInputModes": ["text/plain"],
    "defaultOutputModes": ["text/markdown"],
    "skills": [
      {
        "id": "public-cve-summary",
        "name": "Public CVE summary",
        "description": "Read public advisories and summarize mitigation options with citations."
      }
    ]
  }
}

See also