
Authentication

Cendriix A2A uses Access Grants — policy documents backed by signed JWTs — not opaque API keys.

Access Grant format

Each grant carries embedded claims:

Field                         Description
id                            Grant identifier (grt_<ksuid>)
type                          agent for A2A invocations
capabilities                  Permission strings (see Scopes below), e.g. agents:invoke, tasks:read, tasks:stream, tasks:cancel
scope.agent_ids               Which agents this grant can invoke
caveats.allowed_cidrs         IP allowlist (optional)
caveats.not_after             Hard expiry timestamp
caveats.max_calls_per_minute  Per-grant rate limit
caveats.dpop_required         Whether DPoP binding is required (default: true)
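The following is an added example, not Cendriix server or SDK code, showing how a request could be checked against the grant fields in the table above. The grant document, the request shape, the check order and the rule that scope.agent_ids is only consulted when a request names an agent are all constructed assumptions; the platform's actual policy evaluation is not documented here.

```javascript
// Added example (not Cendriix code): evaluating a request against an Access
// Grant's capabilities, scope and caveats. Everything below is constructed.

// Constructed sample grant; the id is a placeholder, not a real ksuid.
const sampleGrant = {
  id: "grt_example",
  type: "agent",
  capabilities: ["agents:invoke", "tasks:read"],
  scope: { agent_ids: ["agt_orders", "agt_billing"] },
  caveats: {
    allowed_cidrs: ["10.0.0.0/8", "203.0.113.0/24"],
    not_after: "2030-01-01T00:00:00Z",
    max_calls_per_minute: 60,
    dpop_required: true,
  },
};

// Dotted-quad IPv4 to an unsigned 32-bit integer (throws on malformed input).
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the IPv4 CIDR block, e.g. "203.0.113.0/24".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Returns { allowed, reason }. The request fields (capability, agentId,
// clientIp, now, dpopVerified, callsThisMinute) are assumptions about what a
// gateway would know at check time; the ordering is cheapest denial first.
function evaluateGrant(grant, req) {
  if (grant.type !== "agent") return { allowed: false, reason: "wrong grant type" };
  if (Date.parse(grant.caveats.not_after) <= req.now.getTime())
    return { allowed: false, reason: "grant expired" };
  if (!grant.capabilities.includes(req.capability))
    return { allowed: false, reason: `missing capability ${req.capability}` };
  // Assumption: agent scope is enforced whenever the request targets an agent.
  if (req.agentId !== undefined && !grant.scope.agent_ids.includes(req.agentId))
    return { allowed: false, reason: `agent ${req.agentId} outside grant scope` };
  const cidrs = grant.caveats.allowed_cidrs;
  if (cidrs && cidrs.length > 0 && !cidrs.some((c) => inCidr(req.clientIp, c)))
    return { allowed: false, reason: `client IP ${req.clientIp} not in allowlist` };
  if (grant.caveats.dpop_required && !req.dpopVerified)
    return { allowed: false, reason: "DPoP proof required" };
  if (req.callsThisMinute >= grant.caveats.max_calls_per_minute)
    return { allowed: false, reason: "rate limit exceeded" };
  return { allowed: true, reason: "ok" };
}

// Demo on a constructed request.
const verdict = evaluateGrant(sampleGrant, {
  capability: "agents:invoke",
  agentId: "agt_orders",
  clientIp: "10.1.2.3",
  now: new Date("2026-01-01T00:00:00Z"),
  dpopVerified: true,
  callsThisMinute: 5,
});
console.log(verdict);
```

Note that the allowlist check is only meaningful if clientIp is the address the gateway actually saw on the connection, not an X-Forwarded-For value an unauthenticated client can set.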

Token lifecycle

Access Grant (Postgres policy document) → Token Exchange (POST /v1/oauth/token) → Short-lived JWT (15-min TTL, RS256, KMS-signed) → DPoP-bound to client keypair (RFC 9449)

The SDK handles token exchange and DPoP proof generation automatically.

DPoP (Demonstration of Proof-of-Possession)

Every API request includes two headers:

Authorization: DPoP eyJhbGciOi...
DPoP: eyJ0eXAiOiJkcG9wK2p3dCIs...

The DPoP proof binds the token to the client’s keypair. If the token leaks, it is useless without the private key. The SDK generates and manages the keypair automatically.

Scopes

Scope             Grants
agents:invoke     Invoke agents via SendMessage
tasks:read        Read task status and artifacts
tasks:stream      Subscribe to SSE task streams
tasks:cancel      Cancel running tasks
agents:list       List available agents and read agent cards
webhooks:manage   Register and manage webhook endpoints

Workload identity federation (OIDC)

For CI/CD pipelines (GitHub Actions, GitLab CI, etc.), exchange the pipeline's own OIDC identity token for a Cendriix token instead of shipping a static credential into the job:

# GitHub Actions example (the job needs permissions: id-token: write).
# The ID token endpoint returns JSON, so extract the "value" field.
TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
  "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=cendriix.ai" | jq -r '.value')

curl -sS https://api.cendriix.ai/v1/oauth/token \
  -d grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
  -d subject_token_type=urn:ietf:params:oauth:token-type:jwt \
  --data-urlencode "subject_token=$TOKEN" \
  --data-urlencode "scope=agents:invoke tasks:read"

The audience must be cendriix.ai, otherwise the exchange rejects the token. Request only the scopes the pipeline needs; the issued JWT is short-lived (15-minute TTL), so re-run the exchange per job rather than caching it. When the grant requires DPoP (the default), RFC 9449 also has the client send a DPoP proof header on this token request so that the issued JWT is bound to the client keypair; the SDK handles that step for you.