Skip to content

Protocols and Frameworks

A2A and interoperability

Agents talking to agents

Your agent can already call tools and coordinate helpers inside your own stack. This lesson is about the harder frontier: how your agent hires an agent it does not own - built by another team, another vendor, on another framework - discovering it, delegating a task, and getting a result back, without either side cracking the other open.

The N times M problem: agents need a lingua franca

By 2025 every serious org had a pile of agents on different stacks - LangGraph here, CrewAI there, Google ADK, Semantic Kernel, a bespoke thing a team shipped last quarter. Each had its own memory, tools, and orchestration. The moment you wanted agent A (a hiring-manager assistant) to use agent B (a sourcing specialist built elsewhere), you hand-wrote an integration - re-inventing discovery, auth, task semantics, and streaming every single time. Wire M clients to N providers that way and you face up to N times M bespoke bridges.[1] Worse, direct integration usually meant leaking internal state, tool schemas, or prompts across a trust boundary.

's thesis is that agents should collaborate the way microservices or companies do - through a published contract and opaque service calls, not by sharing internals. Agent B advertises what it can do and how to reach it; agent A sends work and gets results; neither peeks inside the other. Each agent stays a black box (protecting IP, security, and independent evolution) while still composing into something larger. Google announced A2A on April 9, 2025 with 50+ partners and donated it to the Linux Foundation on June 23, 2025 (Apache-2.0, vendor-neutral governance; founding members include Google, AWS, Cisco, Salesforce, SAP, Microsoft, and ServiceNow).[5]

Tap a node to see what it does.

A shared protocol turns an N times M glue-code explosion into an N plus M ecosystem: implement A2A once and any authorized client can hire any provider. The same economic shift the web got from HTTP.

Google's five design principles

1. Embrace agentic capabilities - support natural collaboration between agents that do not share memory, tools, or context (this is the line separating A2A from "just call it as a tool"). 2. Build on existing standards - HTTP, SSE, JSON-RPC 2.0. 3. Secure by default - enterprise-grade auth on par with OpenAPI. 4. Support long-running tasks - from quick lookups to multi-day human-in-the-loop work. 5. Modality-agnostic - text, audio, video, structured data, files.[1]

MCP vs A2A: tools vs peers

This is the single most confused point in the whole space, so resolve it first. You met the back in the previous lesson. MCP and A2A are not competitors - they standardize different edges of the same agent. The mental model that makes it click: MCP is vertical, A2A is horizontal.[1]

Tap a node to see what it does.

MCP reaches down to the tools and data an agent invokes; A2A reaches sideways to autonomous peer agents it delegates to. MCP gives an agent hands; A2A lets it talk to colleagues. Production systems use both.
MCPA2A
OriginAnthropic, Nov 2024Google, Apr 2025, then Linux Foundation
AxisVertical: agent to toolsHorizontal: agent to agent
Other side is a...tool / resource serverautonomous peer agent
Counterparty statea capability you drivean opaque actor that plans
Unit of interactiontool call / resource readtask delegation to artifact
PrimitivesTools, Resources, PromptsAgent Card, Task, Message
MCP and A2A standardize different edges of the same agent: one vertical to capabilities, one horizontal to peers.

The clean decision rule

If the other side is a capability you invoke, that is MCP. If the other side is an actor that decides how to accomplish your goal, that is A2A. When tempted to "wrap another agent as an MCP tool," ask whether it plans and acts autonomously - if yes, A2A models it honestly (opaque task, lifecycle, streaming, negotiation) instead of flattening a colleague into a function. Google, AWS, and Microsoft all treat the two as a stack, not a choice.[1]

The three primitives

A2A runs over plain HTTP(S). Everything else is three load-bearing objects.[2]

  1. Agent Card. A JSON "business card" a server publishes: identity, endpoint, transports, auth schemes, and - the important bit - a list of skills the client matches against. The discovery and capability document.
  2. Task. A stateful unit of work with a unique id, an optional contextId, a status that walks a defined lifecycle, a growing message history, and output artifacts. The opaque job the peer performs.
  3. Message / Part. A Message is one turn (role = user or agent) carrying typed Parts - text, file, or structured data. An Artifact is a finished deliverable, itself made of Parts. The content exchanged.

The is where discovery begins. Here is a trimmed one for a sourcing agent - note the skills array, which is the unit a client (or a registry) selects on:

{
  "name": "TalentScout Sourcing Agent",
  "description": "Finds and screens engineering candidates.",
  "version": "1.2.0",
  "url": "https://sourcing.example.com/a2a",
  "capabilities": { "streaming": true, "pushNotifications": true },
  "defaultInputModes":  ["text/plain", "application/json"],
  "defaultOutputModes": ["application/json"],
  "securitySchemes": {
    "oauth": { "type": "oauth2", "flows": { "clientCredentials": {
      "tokenUrl": "https://sourcing.example.com/oauth/token" } } }
  },
  "skills": [{
    "id": "source-candidates",
    "name": "Source Candidates",
    "description": "Given role criteria, returns ranked candidate profiles.",
    "tags": ["recruiting", "sourcing"],
    "examples": ["Find senior Go engineers in Dublin"]
  }]
}
GET https://sourcing.example.com/.well-known/agent-card.json - the skills array is what a client matches against.

Version nuance - pin your examples

The spec moved from v0.2.x (JSON-RPC only, card at /.well-known/agent.json) to the v0.3 / v1.0 line (multi-binding, card at /.well-known/agent-card.json).[3] Copy-pasting a v0.2 path against a v1.0 agent silently fails discovery. Teach the concepts; pin any wire string to a stated version and negotiate the advertised Major.Minor.

Discovery to delegation, on the wire

Now the whole handshake, cross-vendor. A hiring manager tells their client agent (Vendor A) "find backend engineers in Dublin with Go." The client does not source candidates itself - it delegates to Vendor B's Sourcing Agent it discovered a moment ago.

  1. GET the Agent Card. The client fetches /.well-known/agent-card.json from Vendor B.
  2. Card returned. It carries skills and auth: oauth2; the client matches the skill source-candidates and gets a token.
  3. message/send. The client sends the request as parts [text, data].
  4. Task working. Vendor B returns a Task { id, state: "working" }.
  5. SSE input-required. The task pauses mid-flight and asks "Include contractors?" over an SSE stream, entering state input-required.
  6. Client answers. A second message/send against the same taskId resumes the task.
  7. Completed plus Artifact. The task reaches completed and returns an Artifact: { candidates: [ ...ranked profiles ] }. Neither agent saw the other's tools, memory, or prompts - only the published Card and the returned Artifact crossed the trust boundary.

The method names you actually put on the wire: message/send (block for the result), message/stream (SSE events as work progresses), tasks/get, tasks/cancel, and tasks/pushNotificationConfig/set for webhooks.[4] The v0.3/v1.0 line also defines gRPC and HTTP+JSON/REST bindings for the same abstract operations - an agent advertises which it speaks in its Card.[2]

The task lifecycle

A Task walks a small state machine. The two interrupt states - input-required and auth-required - are the ones that make long-running, human-in-the-loop work first-class: the task pauses, asks, and resumes without failing.

Tap a node to see what it does.

The happy path. Terminal states are completed, failed, canceled, and rejected (the peer declined the work). Match delivery to duration: message/send for fast jobs, message/stream (SSE) to show progress, push notifications (webhooks) for jobs that outlive a connection.

Opacity and trust cut both ways

An Agent Card is self-asserted metadata. Before v1.0 signing, nothing proved an agent is who it claims - unsigned cards, permissive discovery, and free-text skill descriptions are an attack surface (impersonation, prompt injection via crafted skill text, over-broad delegation). And the black-box model that protects IP also means the client cannot see why a peer failed. Academic threat-modeling of the protocol space (MCP / A2A / ACP / ANP / Agora) flags identity spoofing and cross-agent injection as open risks.[9] Prefer signed cards, scoped auth, allow-listed agents, and depth or budget limits to stop delegation loops.

AGNTCY and the wider interop landscape

A2A is a wire protocol. AGNTCY ("Internet of Agents") is a broader infrastructure stack - open-sourced by Cisco/Outshift with LangChain, LlamaIndex, Galileo, and Glean, and welcomed into the Linux Foundation on July 29, 2025.[7] Crucially, it does not replace A2A or MCP - it wraps them with directory, identity, and telemetry.

AGNTCY's four layers

Discovery - the Open Agent Schema Framework (OASF) for describing agent capabilities. Identity - cryptographically verifiable identity plus access control. Messaging - SLIM (Secure Low-latency Interactive Messaging). Observability - end-to-end tracing of multi-agent workflows.

Others you will meet (mostly emerging)

ACP - Agent Communication Protocol (AGNTCY/IBM lineage). ANP - Agent Network Protocol. Agora - appears in research surveys of the design space. AP2 - Agent Payments Protocol; v1.0 A2A is built to be compatible for agent-initiated commerce.

Think of A2A/MCP as the protocols and AGNTCY as the directory plus identity plus telemetry around them. It positions itself explicitly as interoperable with both, making A2A agents and MCP servers discoverable and observable rather than competing on the wire.[8]

Why it matters for 2026: an internet of agents

What separates 2026 from 2025's demos is that the standard landed in the platforms. In its first year A2A crossed 150+ organizations, 22k+ GitHub stars, 5 official SDKs (Python, JS, Java, Go, .NET), and shipped v1.0 - with multi-protocol bindings, enterprise multi-tenancy, and signed Agent Cards. Microsoft wired it into Azure AI Foundry and Copilot Studio; AWS added it via Bedrock AgentCore; enterprises report production use in supply chain, financial services, insurance, and IT ops.[6]

Standardized / shipped

A2A v1.0 under neutral Linux Foundation governance; Agent Card, Task lifecycle, Message/Part/Artifact; JSON-RPC plus gRPC plus HTTP/JSON bindings, SSE plus webhooks; signed cards, standard auth schemes, well-known discovery; MCP as the parallel tool-side standard.

Still emerging / uneven

"Supports A2A" ranges from a v0.2 shim to full v1.0; rival and adjacent efforts (ACP, ANP, Agora, AP2); directories and verifiable identity at fleet scale (AGNTCY, MCP Registry); card-signing adoption still partial in the wild; cross-agent security is actively being threat-modeled.

How to combine the protocols in practice

Use MCP inside each agent for its tools and data, A2A between agents for delegation across teams and vendors, and - at fleet scale - an AGNTCY-style directory / identity / observability layer on top for discovery and tracing. Design real, matchable skills (with tags and examples) into your Card so registries can find you, pick delivery mode by task duration, and do not trust a logo wall - test the actual handshake, because "interoperable" only holds when versions, auth, and modalities all line up.

Check yourself

Match each A2A concept to what it is.

drop here

self-describing document advertising skills, endpoint, auth

drop here

stateful, opaque unit of work with a lifecycle

drop here

finished deliverable a task produces

drop here

the task pauses to ask for clarification

drop here

SSE events as the work progresses

State the vertical/horizontal model, name A2A's three primitives, and give the path where a public Agent Card lives.

Which older path should you not copy-paste? Try to state it, then check.

Two vendors' agents must collaborate without exposing internal tools, memory, or prompts to each other. Which approach fits the requirement?

Why does A2A model work as a stateful task rather than a synchronous request and response?

Lock it in

  • MCP is vertical, A2A is horizontal. Invoke a capability, MCP. Delegate to an actor that decides how, A2A. Production uses both.
  • A2A's three primitives: Agent Card (discovery via /.well-known/agent-card.json), Task (stateful, opaque, with a lifecycle), and Message/Part/Artifact (the content).
  • Agents compose across a trust boundary through a published contract plus opaque calls - neither side exposes tools, memory, or prompts. That opacity is the point.
  • input-required and auth-required make long-running, human-in-the-loop tasks first-class; pick sync / SSE / webhook by duration.
  • A standard turns N times M glue into an N plus M ecosystem - the precondition for a real internet of agents. Guard it with signed cards, scoped auth, and allow-lists.

Primary source

Google - Announcing the Agent2Agent Protocol (A2A)

The cleanest single read for the why: the five design principles, the explicit complementarity with MCP, capability discovery / task management / collaboration, and the candidate-sourcing example. Pair it with the A2A specification when you need exact wire details.

Sources

  1. 1.Google, Announcing the Agent2Agent Protocol (A2A)
  2. 2.A2A protocol specification
  3. 3.A2A specification (protocol repository)
  4. 4.LangChain LangSmith, A2A JSON-RPC binding
  5. 5.Linux Foundation, A2A Protocol Project launch
  6. 6.Linux Foundation, A2A surpasses 150 organizations in its first year
  7. 7.Linux Foundation, welcomes the AGNTCY project
  8. 8.Cisco Outshift, Building the Internet of Agents (AGNTCY)
  9. 9.Threat modeling of agent interoperability protocols (arXiv)