The auth question that has no good default. Three identity shapes, four scoping decisions, and the leak modes you only see in production.
Single-agent auth is straightforward: the user authenticates to the agent; the agent acts as the user. Multi-agent breaks the symmetry. When agent A delegates to agent B, who is B running as? The user? The agent? A service identity with the user as a claim? Each answer leaks something different in production, and there is no obviously-correct default.
This guide covers the three identity shapes, the four scoping decisions, and the leak modes you only see after launch. Chapter 5 of A2A in Production is the long version.
The user's token (or a derived per-call token) propagates through every hop. The specialist authenticates upstream as the user. Audit trails show user actions; rate limits hit the user; permission models look exactly like single-agent.
Strengths: simple mental model; existing audit and rate-limiting infrastructure works.
Leak modes: the user has permissions they didn't expect to delegate (the agent can do everything the user can do, not what they asked it to do). Token scope is the only protection, and most user tokens are not scoped per-action.
The specialist has its own service identity. Each call includes a claim asserting "this is being done on behalf of user X." Upstream APIs that understand the pattern apply authorization based on the user claim; ones that don't see the specialist's identity.
Strengths: limits blast radius; supports specialist-specific permissions; audit trail distinguishes agent from user.
Leak modes: most upstream APIs don't understand the user-context claim. They authorize the specialist; you've effectively granted the specialist all the user's permissions across those APIs.
The specialist authenticates upstream as itself. The user isn't part of the upstream call. Useful when the user has no upstream account and the specialist is acting "for the system" rather than "for the user."
Strengths: cleanest separation between agent and user identity.
Leak modes: zero audit trail tying user actions to upstream operations. Per-user rate limiting impossible. Cross-tenant scoping has to be entirely in your application layer because upstream doesn't see it.
Independent of identity shape, you make four scoping calls:
The cleanest pattern when you control all the agents: OIDC at every boundary. The user authenticates once; the resulting ID token includes claims; each agent verifies the token, may exchange it for a more-scoped token, passes it to the next hop.
Hard parts: token-exchange infrastructure (most orgs don't have it); scope-granularity decisions (every team wants different ones); the gap between the OIDC standard and what each upstream API actually supports.
Separate from user identity, the agents themselves need to authenticate to each other. mTLS, signed JWTs, network policies -- the same toolkit you'd use for any microservice mesh. The choice is mostly determined by what your platform supports.
A2A in Production Chapter 5 is the auth chapter. It covers the three identity shapes in depth with worked examples, the four scoping decisions, OIDC end-to-end with the token-exchange details, the leak modes with concrete mitigations, and the "you don't know what your upstream supports" reality that constrains every decision.
A2A in Production
The book on multi-agent systems and agent orchestration. Twelve chapters drafted; readable end to end as of v1.0.0-early.2. PDF + EPUB. Free updates through v1.0 and beyond. $39 (early access), secure checkout.
Read more & buy $39 →Published by Yaw Labs.