Authentication
Cendriix A2A uses Access Grants — policy documents backed by signed JWTs — not opaque API keys.
API key format
Each grant carries embedded claims:
| Field | Description |
|---|---|
| `id` | Grant identifier (`grt_<ksuid>`) |
| `type` | `agent` for A2A invocations |
| `capabilities` | Permission strings: `agents:invoke`, `tasks:read`, `tasks:stream`, `tasks:cancel` |
| `scope.agent_ids` | Which agents this key can invoke |
| `caveats.allowed_cidrs` | IP allowlist (optional) |
| `caveats.not_after` | Hard expiry timestamp |
| `caveats.max_calls_per_minute` | Per-key rate limit |
| `caveats.dpop_required` | Whether DPoP binding is required (default: true) |
Token lifecycle
```text
Access Grant (Postgres policy document)
  → Token Exchange (POST /v1/oauth/token)
  → Short-lived JWT (15-min TTL, RS256, KMS-signed)
  → DPoP-bound to client keypair (RFC 9449)
```

The SDK handles token exchange and DPoP proof generation automatically.
DPoP (Demonstration of Proof-of-Possession)
Every API request includes two headers:
```text
Authorization: DPoP eyJhbGciOi...
DPoP: eyJ0eXAiOiJkcG9wK2p3dCIs...
```

The DPoP proof binds the token to the client's keypair. If the token leaks, it is useless without the private key. The SDK generates and manages the keypair automatically.
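The claim checks that make a leaked token unusable, as an added example (not Cendriix code): it assumes the access token carries the RFC 9449 `cnf.jkt` thumbprint and that both JWT signatures were already verified with a JOSE library. The key material, URL and `make_sample` helper are constructed for illustration.

```python
import base64, hashlib, json

REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}  # RFC 7638 members
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, keys sorted, no whitespace, SHA-256, base64url.
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canonical.encode()).digest())

def check_dpop_binding(access_token, proof, method, url, now, seen_jti, max_age=60):
    """Return the names of failed checks; an empty list means token and proof bind."""
    header, claims = (decode_segment(s) for s in proof.split(".")[:2])
    token_claims = decode_segment(access_token.split(".")[1])
    jwk, failed = header.get("jwk") or {}, []
    required = REQUIRED.get(jwk.get("kty"))
    if header.get("typ") != "dpop+jwt":
        failed.append("typ")
    if not required or "d" in jwk or any(k not in jwk for k in required):
        failed.append("jwk")          # must be a complete public key, never a private one
    elif token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        failed.append("cnf.jkt")      # token was issued to a different keypair
    if claims.get("htm") != method:
        failed.append("htm")
    if claims.get("htu") != url.split("#")[0].split("?")[0]:
        failed.append("htu")          # htu excludes query and fragment
    if claims.get("ath") != b64u(hashlib.sha256(access_token.encode()).digest()):
        failed.append("ath")          # proof was made for a different token
    if abs(now - claims.get("iat", 0)) > max_age:
        failed.append("iat")
    if not claims.get("jti") or claims["jti"] in seen_jti:
        failed.append("jti")          # missing or replayed proof id
    elif not failed:
        seen_jti.add(claims["jti"])
    return failed

def make_sample(jwk, url="https://api.example.test/v1/tasks", iat=1_700_000_000, jti="j-1"):
    """Constructed token/proof pair; 'sig' stands in for the real signatures."""
    seg = lambda obj: b64u(json.dumps(obj).encode())
    token = ".".join([seg({"alg": "RS256"}), seg({"cnf": {"jkt": jwk_thumbprint(jwk)}}), "sig"])
    body = {"htm": "POST", "htu": url, "iat": iat, "jti": jti,
            "ath": b64u(hashlib.sha256(token.encode()).digest())}
    proof = ".".join([seg({"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}), seg(body), "sig"])
    return token, proof
```

Presenting a stolen token with a proof from any other key fails `cnf.jkt`, and replaying a captured proof fails `jti` or `iat`.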
Scopes
| Scope | Grants |
|---|---|
| `agents:invoke` | Invoke agents via SendMessage |
| `tasks:read` | Read task status and artifacts |
| `tasks:stream` | Subscribe to SSE task streams |
| `tasks:cancel` | Cancel running tasks |
| `agents:list` | List available agents and read agent cards |
| `webhooks:manage` | Register and manage webhook endpoints |
Workload identity federation (OIDC)
For CI/CD pipelines (GitHub Actions, GitLab CI, etc.), use OIDC token exchange instead of static API keys:
```bash
# GitHub Actions example (the job needs `permissions: id-token: write`)
# The runner returns JSON; the OIDC JWT is in its "value" field.
TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
  "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=cendriix.ai" | jq -r '.value')

# Exchange the GitHub OIDC token for a Cendriix access token
curl -sS https://api.cendriix.ai/v1/oauth/token \
  -d grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
  -d subject_token_type=urn:ietf:params:oauth:token-type:jwt \
  -d "subject_token=$TOKEN" \
  --data-urlencode "scope=agents:invoke tasks:read"
```