8 min read

A2A Protocol Security: Stopping Token Leaks in Agent Chains

The A2A protocol reached production status in 2026 with widespread enterprise adoption, but its specification deliberately omits critical security controls like replay protection and credential scope limits. These gaps create an authorization vacuum where token leakage, PII exposure, and lateral attack propagation thrive across agent handoffs. This guide breaks down the risks, competing fix frameworks, and immediate steps to secure your A2A deployments.

Featured image for "A2A Protocol Security: Stopping Token Leaks in Agent Chains"

The A2A protocol hit production status in April 2026 with over 150 organizations running it across Google, Microsoft, and AWS platforms, yet the specification still deliberately omits replay protection, rate limiting, artifact integrity, and mandatory credential scope controls. That gap isn’t theoretical — it’s the authorization vacuum where token leakage lives.

The Problem: Why A2A Handoffs Are the New Attack Surface

By mid-2026, over 40% of enterprise applications feature task-specific AI agents, making the A2A handoff the primary attack vector for lateral instruction propagation. When a customer-facing claims agent hands off a triage task to an external partner-operated Remote-Agent, the task message often accidentally includes the customer’s SSN or payment information embedded in free-text fields. Traditional DLP, WAFs, and application-level filtering are ineffective for A2A payloads because DLP was built for files and email, WAFs cannot parse JSON-RPC task messages, and app-level filtering creates fragmented enforcement. Traditional DLP, WAFs, and application-level filtering are ineffective for A2A payloads because DLP was built for files and email, WAFs cannot parse JSON-RPC task messages, and app-level filtering creates fragmented enforcement. A real-world A2A flow that frequently leaks PII involves a customer-facing claims agent handing off a triage task to an external partner-operated Remote-Agent, where the task accidentally includes the customer’s SSN or payment information embedded in free-text fields.

The protocol’s fluid client-server role model — where any agent can act as client or server depending on the interaction — creates novel attack surfaces that traditional API security overlooks. Agent cards are unsigned by default, creating spoofing and prompt injection vectors. There is no standard authorization mechanism at the AgentSkill boundary; a calling agent that authenticates successfully can invoke any skill the AgentCard advertises.

What the Spec Got Wrong: Missing Controls You Can’t Ignore

The A2A specification deliberately omits replay protection, rate limiting, artifact integrity, and mandatory credential scope controls. This isn’t an oversight — it’s a design choice that prioritizes open interoperability over security defaults. The result: production adoption has outpaced the deliberately minimal security specification, creating an authorization vacuum where implicit trust between agents, fragmented competing extensions, and semantic payload attacks outpace traditional security controls.

OAuth’s RFC 8693 Token Exchange specification does not enforce multi-hop delegation chains; nested prior-actor claims are informational only and must not be considered in access control decisions. Cross-Agent Privilege Escalation (demonstrated September 2025) and Agent Session Smuggling (published November 2025) exploit trust between agents in multi-hop delegation scenarios. Only 44% of organizations have implemented policies to manage AI agents, and systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems. Only 44% of organizations have implemented policies to manage AI agents, and systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems.

Real Attacks: From Agent Card Poisoning to RCE

A critical vulnerability (GHSA-vg22-4gmj-prxw, CVSS 9.8) exists in PraisonAI’s unauthenticated A2A official example, where an LLM-driven eval() tool enables remote code execution via unauthenticated JSON-RPC message/send requests. The example exposes an A2A server without configuring auth_token, binds to 0.0.0.0, and registers a calculate(expression) tool implemented with Python eval(expression). An unauthenticated network client can send a JSON-RPC message/send request to /a2a, the A2A handler passes the attacker-controlled message to agent.chat(), and the model invokes the registered calculate tool, causing eval() to execute Python in the server process. A critical vulnerability (GHSA-vg22-4gmj-prxw, CVSS 9.8) exists in PraisonAI’s unauthenticated A2A official example.

Agent Card Poisoning is a metadata injection vulnerability in A2A that allows maliciously crafted metadata to redirect sensitive data transmissions to attacker-controlled endpoints. For facilities running lights-out or semi-autonomous operations where AI agents interact with PLCs, MES platforms, and ERP systems, a poisoned agent card could silently reroute operational telemetry without triggering standard intrusion detection. Agent Card Poisoning is a metadata injection vulnerability in A2A that allows maliciously crafted metadata to redirect sensitive data transmissions to attacker-controlled endpoints.

A2A Contagion — the lateral propagation of malicious instructions across an AI agent ecosystem when a compromised agent passes semantic payloads to downstream agents — exploits the protocol’s design assumption of implicit trust between agents. The receiving agent executes the instruction because it originated from a “trusted” internal source. A2A Contagion — the lateral propagation of malicious instructions across an AI agent ecosystem when a compromised agent passes semantic payloads to downstream agents — exploits the protocol’s design assumption of implicit trust between agents.

The Fragmented Fix Landscape: SINT, APOA, AAP, A2A Secure

The ecosystem’s security response produced incompatible competing authorization layers that require custom extensions and non-standard metadata, undermining the seamless interoperability the protocol was designed for. Here’s how the main contenders compare:

ExtensionCore MechanismApproval TiersKey Limitation
SINT ProtocolEd25519 capability tokens at skill boundaryT0/T1 auto, T2 operator, T3 human sign-offRequires PolicyGateway deployment per agent server
APOAScoped delegation tokens with capability attenuationSignature, expiration, revocation, scope verificationTypeScript-only; limited ecosystem adoption
AAP (Agent Authorization Protocol)Local broker intersects ATX identity with resource policyThree CPI modes: Retrieve, Assume, ExchangeCredential never enters agent reasoning context — by design
A2A SecureEd25519 message signing, cold/hot key delegation, trust registryReplay protection, rate limiting, idempotency built-inPython-only; does not terminate TLS (requires reverse proxy)

The SINT Protocol provides an Ed25519 capability-token enforcement layer at the skill invocation boundary, with tiered approval flows: T0/T1 auto-execute, T2 requires operator approval, and T3 requires human sign-off for irreversible actions. The SINT Protocol provides an Ed25519 capability-token enforcement layer at the skill invocation boundary, with tiered approval flows: T0/T1 auto-execute, T2 requires operator approval, and T3 requires human sign-off for irreversible actions. APOA adds scoped delegation tokens and capability attenuation for A2A, with servers verifying signature, expiration, revocation, and scope on incoming messages. The Agent Authorization Protocol (AAP) resolves trust into concrete scoped access without credential values entering the agent’s reasoning context, using a local operator-controlled broker to intersect identity (ATX) with resource policy. The Agent Authorization Protocol (AAP) resolves trust into concrete scoped access without credential values entering the agent’s reasoning context, using a local operator-controlled broker to intersect identity (ATX) with resource policy. A2A Secure adds Ed25519 message signing, cold/hot key delegation with automatic rotation, trust-registry-based sender verification, replay protection, rate limiting, and idempotency to the A2A protocol.

None of these extensions are standardized. Each requires custom implementation, and they don’t interoperate. You pick one, you own the integration debt.

Inline Inspection: The Only Thing That Actually Works at Scale

Inline PII inspection on A2A task handoffs can detect and redact sensitive data in approximately 8 milliseconds at P50 (block path 18 ms), writing tamper-evident audit logs with content stripped. The Client-Agent’s task hand-off is routed through a transparent egress; PII detection runs on the task message; if SSNs, credit cards, PHI, or other sensitive data are present, the message is redacted, the call is blocked, or it is routed for human approval. Inline PII inspection on A2A task handoffs can detect and redact sensitive data in approximately 8 milliseconds at P50 (block path 18 ms), writing tamper-evident audit logs with content stripped.

This approach works because it doesn’t rely on the protocol’s missing controls — it enforces policy at the network boundary where the handoff actually happens. Real-time inline PII inspection and policy enforcement adds latency (8-18ms per handoff) that creates throughput bottlenecks at scale, but that’s the tradeoff: you either inspect every message or you accept that tokens will leak.

Building Your Defense: A Practical Stack

Core enterprise controls for A2A security include mTLS, signed agent cards, SPIFFE/SPIRE machine identities, and zero-trust per-request authorization. A2A and MCP together form the complete agentic AI security stack: A2A secures agent-to-agent communication, while MCP secures agent-to-tool communication. Core enterprise controls for A2A security include mTLS, signed agent cards, SPIFFE/SPIRE machine identities, and zero-trust per-request authorization.

Start with the basics that the spec should have mandated:

  • Signed Agent Cards (JWS) — A2A v1.0.0 added this; verify every card before trusting it
  • mTLS everywhere — Use your service mesh (Istio/Linkerd) for transport encryption and identity
  • SPIFFE/SPIRE machine identities — Replace ad-hoc API keys with workload identity
  • Zero-trust per-request authorization — Never trust an authenticated caller to invoke any skill

Then layer inline inspection for PII and semantic payload analysis. The 8ms P50 latency is acceptable for most workflows; the 18ms block path is your human-approval escalation route.

Decision Framework: What to Implement First

If you’re running A2A in production today, you have an authorization vacuum. The contrarian take: A2A’s fluid client-server role model and design assumption of implicit trust between agents make it architecturally incompatible with zero-trust authorization, meaning the ecosystem’s patchwork of capability-token extensions will never achieve the security model enterprises actually need without breaking the interoperability that defines the protocol.

Enterprises must treat every A2A handoff as an untrusted boundary requiring zero-trust enforcement, regardless of whether the remote agent is internal or partner-operated. Relying on the protocol’s implicit trust model or retrofitting fragmented extensions will result in systemic breaches as agent meshes scale.

Immediate actions (this sprint):

  1. Enable signed Agent Card verification on all inbound connections
  2. Deploy inline PII inspection at your A2A egress points
  3. Audit every AgentSkill for over-privileged access — least-privilege cuts incident rates from 76% to 17%

Next quarter: 4. Pick one capability-token extension (SINT, APOA, or AAP) and standardize on it 5. Implement delegation chain auditing — OAuth’s nested act claims are informational only 6. Add semantic payload inspection for A2A Contagion detection

The open question: Will the Linux Foundation standardize a capability-token layer before the fragmented extensions calcify into incompatible islands? The protocol’s interoperability promise depends on it.


For deeper context on how A2A and MCP complement each other in production stacks, see MCP vs A2A: Why the Real Answer Is “Both in the Right Order”. For the operational challenges of governing agent fleets at scale, see MCP and A2A Together: Building Multi-Agent Systems in 2026.