A2A Protocol AI Citations: 2026 Definitive Guide

Written by: Mariana Fonseca, Editorial Team, AI Growth Agent

Key Takeaways for A2A Citations

• The A2A protocol, now under Linux Foundation stewardship, lets autonomous AI agents from different vendors discover, authenticate, and collaborate through structured messaging.

• This guide consolidates validated citation examples across APA, IEEE, BibTeX, and Chicago styles for the official A2A specification and related security research.

• Core A2A abstractions, including Agent Card, Task, Message, and Artifact, form the foundation for reliable multi-agent workflows across frameworks like ADK, LangGraph, and CrewAI.

• Security topics such as token granularity, Agent Card signing, and prompt-injection risks must appear in any production deployment or technical documentation.

• Schedule a consultation session with AI Growth Agent to produce and maintain authoritative citation content at scale.

Core A2A Concepts and Abstractions

A2A builds on existing web standards, including HTTP, JSON-RPC, and Server-Sent Events, rather than introducing new transport primitives. Four abstractions form the protocol’s core.

• Agent Card. A machine-readable JSON document advertising an agent’s capabilities, endpoint URL, authentication methods, and input/output expectations, published at /.well-known/agent-card.json.

• Task. A stateful unit of work with a unique identifier and a defined lifecycle that moves through states such as submitted, working, and completed.

• Message. The atomic carrier of instructions and context exchanged between agents within a task.

• Artifact. A structured output produced by task execution, such as a report or file.

A typical request lifecycle follows four steps: agent discovery via GET /.well-known/agent-card, authentication (including OpenID Connect flows), the sendMessage API, and the sendMessageStream API using Server-Sent Events. The official specification is maintained at github.com/a2aproject/A2A and mirrored at a2a-protocol.org/latest/. Understanding how these core abstractions evolved into production-ready standards benefits from a quick look at the protocol’s development and adoption.

See how AI Growth Agent’s living citation engine keeps A2A references current as the protocol evolves, and schedule a demo to explore fit.

Current A2A Market and Ecosystem

A2A version 1.0 focused on protocol maturity and standardization, including multi-protocol bindings for REST, gRPC, and JSON-RPC, enhanced type safety and clarity, stricter versioning, and a comprehensive error taxonomy. IBM’s Agent Communication Protocol (ACP) merged into A2A in August 2025 under Linux Foundation governance, which consolidated two previously competing standards into a single lineage.

Luca Muscariello, Distinguished Engineer at Cisco, describes A2A as “the syntactic layer that makes agent-to-agent communication reliable and interoperable,” and notes that several generations of agentic technology evolved at unprecedented speed within the protocol’s first year. Official tutorials and SDK references are available at a2a-protocol.org/latest/tutorials/ and a2a-protocol.org/latest/sdk/.

A2A Transport Patterns and Solution Paths

A2A has explicit bindings for JSON-RPC, gRPC, and JSON over REST, with custom bindings permitted if they fulfill the binding requirements defined in the specification. Three transport patterns cover most production use cases.

• Synchronous HTTP POST for short-lived, blocking-free request and response interactions.

• Server-Sent Events (SSE) streams for real-time asynchronous updates during long-running tasks.

• Webhook push notifications for event-driven callbacks when polling is impractical.

Conversation continuity uses a context_id. When using AgentSession, the A2A context_id is automatically derived from session.service_session_id. The samples repository at github.com/a2aproject/a2a-samples provides reference implementations for each transport pattern.

Key Factors When Evaluating A2A

Four factors determine whether A2A fits a given multi-agent system.

1. Asynchrony requirements. A2A is async-first, with SSE and push notifications designed for long-running operations. Systems that require synchronous, blocking tool calls fit better with MCP.

2. Agent boundary preservation. A2A strongly preserves agent boundaries so that delegated tasks run only within the recipient agent’s context without implicit access to the caller’s data or tools.

3. Authentication flexibility. A2A supports fine-grained authorization on a per-skill basis as advertised in the Agent Card, including specific OAuth scopes that grant access to certain skills but not others.

4. Framework interoperability. A2A is designed to work across agent frameworks including ADK, LangGraph, and CrewAI, which makes it suitable for heterogeneous enterprise environments.

Typical A2A Implementation Stages

A typical A2A workflow consists of three main phases: discovery via the Agent Card, authentication and authorization, and structured message exchange within a defined task lifecycle that supports both synchronous and asynchronous patterns.

In practice, implementation proceeds in three steps. First, the remote agent publishes an Agent Card at /.well-known/agent-card.json that describes its skills, supported authentication schemes, and endpoint. Second, the client agent performs an HTTP GET to retrieve the card and initiates the appropriate authentication flow. Third, the client sends tasks via sendMessage or sendMessageStream and receives artifacts when the task completes. When background processing is required, setting background=True returns a continuation token for later polling.

Ongoing A2A Operations and Measurement

A2A implementations should maintain audit trails that log tasks, inputs, outputs, and status transitions, including caller ID and timestamps, to support traceability and incident response. Authorization state may persist in peer caches because updates to AgentCards are not guaranteed to propagate synchronously, which can cause version drift and stale-policy decisions. These audit trails become especially critical when cached authorization decisions diverge from current policy, because historical logs often provide the only reliable record for incident reconstruction.

Periodic card refresh cycles and centralized policy propagation therefore count as operational requirements rather than optional hardening. If managing citation freshness across evolving protocol versions sounds familiar, talk to AI Growth Agent about automating that refresh cycle.

Security and Authentication in A2A

The A2A specification requires HTTPS for all production deployments, with TLS 1.3 or later and strong cipher suites recommended for both the JSON-RPC/HTTP binding and the optional gRPC binding.

Authentication schemes are declared in the Agent Card using OpenAPI 3.0 Security Scheme format. Supported schemes include Bearer tokens, Basic Auth, API keys, OAuth, and mutual TLS. The protocol does not mandate a single framework. Instead, authorization remains an implementation-specific decision per the A2A specification.

Several documented vulnerabilities appear in current implementations.

• Long-lived tokens. A2A does not impose strict expiration durations on tokens for sensitive operations, which allows leaked or intercepted tokens to be reused for unauthorized access.

• Coarse-grained scopes. Broad tokens such as payment tokens can be abused across unrelated resources or actions.

• Optional Agent Card signing. A2A v0.3+ supports but does not enforce Agent Card signing, which enables spoofing because no central registry exists. Version 1.0 introduced Signed Agent Cards for cryptographic identity verification, but adoption depends on implementers.

• Prompt injection. A2A attacks are adaptive and stateful across multi-turn sessions, as documented in Palo Alto Unit 42’s Agent Session Smuggling research.

• Permission propagation. Access rights granted to one agent can expand beyond original authorization as tasks are delegated across multiple agents without governance controls.

The 2026 ACM paper Security Analysis of Agentic AI Communication Protocols: A Comparative Evaluation by Louck, Dvir, and Stulman presents the first empirical comparative security analysis of A2A using a 14-point vulnerability taxonomy and proposes the Secure Transport Envelope (STE) as a blueprint for next-generation secure agent communication. The arXiv preprint arXiv:2505.12490 identifies structural OAuth weaknesses in early A2A implementations, including long token lifetimes, coarse scopes, and absent consent flows.

Recommended production mitigations include token granularity with minimal permissions per task, revocation propagation across distributed systems, scope attenuation in delegation chains, authenticated push notification channels, and audit logging of all task metadata.

A2A vs MCP Protocol Comparison

A2A defines how agents communicate and coordinate across organizational boundaries, while MCP defines how agents connect to internal tools and data sources, so the two protocols are complementary and together form a foundational layer for interoperable multi-agent systems. Kevin Gao, Head of Developer Relations at Descope, describes MCP as the vertical integration layer for agent-to-tool communication and A2A as the horizontal integration layer for agent-to-agent communication. The following table breaks down the key architectural and operational differences across six dimensions.

Dimension	A2A Protocol	MCP (Model Context Protocol)	Source
Primary role	Agent-to-agent coordination and task delegation	Agent-to-tool and agent-to-data-source access	StackOne
Architecture	Peer-to-peer between autonomous agents	Client-server between agent and tool server	Obot
Core primitives	Agent Cards, Tasks, Artifacts, Messages	Tools, Resources, Prompts	InfoQ
Authentication standard	Flexible: Bearer, Basic, API key, OAuth, mTLS declared via OpenAPI 3.0 Security Scheme in AgentCard	OAuth 2.1 with PKCE mandated for all clients, ASM, PRM, and DCR required	Descope
Best fit	Multi-agent delegation, long-running async workflows, capability-based collaboration	Structured, deterministic access to external systems such as CRMs and databases	StackOne
Governance	Linux Foundation (A2A Project)	Anthropic (specification author), Linux Foundation aligned	Cisco

Production systems often use a hybrid MCP plus A2A architecture in which MCP handles deterministic tool integration with enterprise systems and A2A handles modular delegation between specialized agents. Rob Barton, Distinguished AI Engineer at Cisco, compares MCP to Layer-2 networking for detailed visibility within a domain and A2A to Layer-3 routing for higher-level summarized capabilities and boundaries, and argues that both layers are required for production-grade agentic architectures.

Risks, Limitations, and Common A2A Mistakes

Three categories of error appear consistently in A2A documentation and implementations.

Conflating A2A with MCP in citations. Authors should cite the protocol that matches the architectural role being described, because A2A connects agents to other agents while MCP connects agents to tools and data. Citing the wrong specification misrepresents the system’s design.

Citing pre-merger ACP sources as independent. Following the August 2025 ACP merger, papers and documentation that reference ACP as a separate standard require updated citations that point to the unified A2A specification.

Understating security limitations. The A2A specification does not mandate a specific authentication or authorization scheme, and security remains an implementation-specific decision. Technical writing that presents A2A as inherently secure without qualifying this implementation dependency is inaccurate. Standardization via protocols such as A2A improves interoperability but means a single misconfigured protocol can expose multiple systems at once.

Summary and Decision Support for A2A Citations

The A2A protocol serves as the open standard for agent-to-agent communication in multi-vendor AI systems, governed by the Linux Foundation and built on HTTP, JSON-RPC, and SSE. Accurate citation requires four elements: the specification and repository URLs noted earlier, the relevant academic security papers (arXiv:2505.12490 and the 2026 ACM comparative analysis), and a clear distinction from MCP in any architectural description.

Most documentation programs struggle to maintain that citation accuracy over time as the protocol evolves and new security research appears. AI Growth Agent produces and maintains living, machine-readable citation resources across AI surfaces, so the content that researchers, developers, and technical writers rely on stays current without manual intervention.

Ready to eliminate manual citation maintenance? Book a demo to see AI Growth Agent’s self-healing content architecture in action.

Frequently Asked Questions

Where are the official A2A protocol specification and GitHub repository?

The canonical specification is published at a2a-protocol.org/latest/specification/ and versioned in the GitHub repository at github.com/a2aproject/A2A. The repository includes the full specification document, agent discovery documentation, tutorials, and SDK references. The a2a-samples repository at github.com/a2aproject/a2a-samples provides reference implementations for discovery and communication patterns. When citing the specification in academic or technical writing, use the A2A Project as the corporate author, the Linux Foundation as the publisher, and the versioned specification URL as the source. For BibTeX, the @techreport entry type fits the specification itself, and @misc suits the samples repository or blog-format developer guides.

What is the difference between A2A and MCP, and which should I cite for a given system?

A2A and MCP operate at different layers of the agent stack and are not interchangeable in citations. MCP, published by Anthropic in November 2024, standardizes how an individual agent accesses external tools, APIs, and data sources through a client-server model. A2A, introduced by Google in April 2025 and now governed by the Linux Foundation, standardizes how autonomous agents discover each other, delegate tasks, and coordinate across organizational boundaries using a peer-to-peer model.

In a layered architecture, a planner agent might use A2A to delegate work to specialist agents that internally use MCP to access CRM systems or policy repositories. Cite the protocol that matches the specific interaction being described. Citing A2A for a tool-access pattern, or MCP for an inter-agent delegation pattern, misrepresents the system’s design and will be flagged in peer review.

What are the primary security vulnerabilities documented for A2A in 2025 and 2026?

Four vulnerability classes appear consistently across the academic and practitioner literature. First, long-lived OAuth tokens: the A2A specification does not impose strict expiration durations, so intercepted tokens remain usable for extended periods. Second, coarse-grained scopes: broad tokens can be abused across unrelated resources, which violates the principle of least privilege. Third, optional Agent Card signing: A2A v0.3+ supports but does not enforce cryptographic signing of Agent Cards, which enables agent impersonation in the absence of a central registry. Version 1.0 introduced Signed Agent Cards, but enforcement depends on implementers.

Fourth, prompt injection: A2A’s multi-turn, stateful task model creates an adaptive attack surface that differs from the static injection risks in MCP. The 2026 ACM paper by Louck, Dvir, and Stulman (DOI: 10.1145/3803431) provides the first empirical comparative analysis using a 14-point vulnerability taxonomy. The arXiv preprint arXiv:2505.12490 documents structural OAuth weaknesses in early implementations. Both papers should be cited alongside the official specification when documenting protocol security in academic or technical writing.

How should I cite A2A in APA, IEEE, and BibTeX formats?

For APA 7th edition, treat the A2A Project as the corporate author, use the year the version you are citing was published, italicize the title, name the Linux Foundation as publisher, and include the specification URL. Example: A2A Project. (2025). Agent-to-Agent (A2A) protocol specification. Linux Foundation. https://a2a-protocol.org/latest/specification/.

For IEEE, use the bracketed online source format: A2A Project, “Agent-to-Agent (A2A) Protocol Specification,” Linux Foundation, 2025. [Online]. Available: https://a2a-protocol.org/latest/specification/. For BibTeX, use @techreport with the fields author, title, institution, year, and url. For the GitHub repository, use @misc with a note field that indicates the repository URL and the access date if the content is not versioned. For academic security papers such as the 2026 ACM comparative analysis, use the standard @article entry with the DOI field populated.

What does it mean that A2A content should be “living” for citation purposes?

The A2A protocol remains under active development. Version 1.0 introduced Signed Agent Cards, multi-tenancy, and modernized security flows that earlier releases did not include. IBM’s ACP merged into A2A in August 2025, which makes pre-merger ACP citations outdated. Security research published in 2025 and 2026 has identified vulnerabilities that the original specification did not address.

A citation that was accurate in mid-2025 may misrepresent the current state of the protocol by late 2026. Living citation resources address this by refreshing specification references, updating security paper citations as new research appears, and flagging when a cited version has been superseded. For organizations that produce technical documentation at scale, maintaining that currency manually across hundreds of articles does not scale. AI Growth Agent’s self-healing content architecture handles that refresh cycle automatically, so citation resources remain accurate without manual intervention each time the protocol evolves.