Universal Authentication for A2A and MCP using DIDs, JWT, and HTTPS
Abstract
A2A and MCP are two emergent standards for AI-based systems to communicate. Early work on A2A and MCP focused on using services that were under the control of the developer, or that the developer could easily acquire access keys for. An Agentic Web is forming that will flourish when any two agents, anywhere in the world, can establish trust and communicate with each other.
Currently, the most popular way of establishing trust is by using well known OAuth servers from Google, Facebook, and Microsoft. This is a practical solution for some use cases, but it is far from a universal solution. In most cases, OAuth necessitates a third-party for authentication which greatly increases the attack surface and presents an unnecessary complication.
The cryptographic community has been working on decentralized solutions that don't require agents to both agree and rely on a third-party authentication service. Cryptographic solutions allow each party to self-authenticate using HTTPS, challenges, and public key cryptography.
W3C Decentralized Identifiers (DIDs)
The DID specification started development in 2019, was funded by the Department of Homeland Security, and eventually became a W3C standard. Although the DID specification predates A2A, the protocol provides a foundation for global identity scoped to individuals, businesses, and governments, and fine-grained authentication for services (e.g. agents) representing those entities.
This document proposes a lightweight solution that uses DIDs, JWT, and HTTP to authenticate A2A agents, MCP servers, and any other networked service.
Flexible Network Architecture
The main components of the network architecture are:
- DID document repositories - Repositories store DID documents and make them available through a variety of DID methods such as web or sov. For example the DID did:web:example.com:mike resolves to the HTTP URL https://example.com/mike/did.json DID documents can be hosted on any companies website, making them trivial to publish.
- A2A services - An A2A service may host one or more agent programs available at different HTTP endpoints that support the A2A protocol.
- MCP services - An MCP service may host one or more tools at different HTTP endpoints that support the MCP protocol.
- Any networked program - Any program that can use HTTP to communicate with a service can authenticate and communicate with an A2A or MCP service.
The above diagram shows the many different ways agentic services can interact:
- An A2A service connecting to another A2A service
- An MCP service connecting to another MCP service
- An A2A service using MCP to connect to an MCP service
- An MCP service using A2A to connect to an A2A service
- Any program using an A2A or MCP client
Terminology
- DID - Decentralized Identifier. A DID is a globally unique identifier that resolves to a DID document.
- DID Document - A JSON document that represents a DID and contains a list of services. For Universal Authentication, each service represents an agent, and each agent has an id which is that agent's fragment identifier.
- DID fragment identifier - Similar to webpage URLs like https://example.com#about a DID can contain a fragment identifier, such as did:web:example.com#wallet. Each service (agent) in the DID document has an id which is that agents fragment identifier.
- Agent - An agent is a network service that is accessible over HTTP. The address of the agent service is represented by the serviceEndpoint property of the service (agent) record in the DID document.
DID and Agent Discovery
Before any two agents can communicate, they must discover each other. There are many different efforts underway to index agents and agentic services such as MCP. For universal authentication, the only requirement is that an agent represented by one DID discovers the DID of another agent.
For example, the Matchwise iPhone app can share a person's geolocation (DID+geo) to a presence service, which returns a list of DIDs that represent other people who are nearby. Another example is an MCP matching service, where people submit their DID and brief description, and the matching service returns a list of DIDs that should be considered for matching.
Resolving an Agent DID from a DID Document
- A (user) agent discovers the DID of a peer agent and wants to communicate with the peer.
- The user agent fetches the DID document of the peer from a DID document repository.
- The DID document provides a list of agents in the "service" array. The DID from step #1 includes the
"id" of the service to communicate with as a fragment. For example,
did:web:example.com:mike#friendswhich indicates to communicate with the "friends" agent in the DID document athttps://example.com/mike/did.json. - The user agent evaluates the service record to discover the HTTP endpoint of the peer agent and the protocol to use, such as MCP or A2A.
- The user agent establishes a connection using the discovered endpoint and protocol to begin HTTP communication.
Authentication Flow
- The user agent sends an HTTP request to the peer agent that does not include an Authorization header, or includes an invalid Authorization header.
- The peer agent requires authentication, and responds with an HTTP 401 and a WWW-Authenticate header that includes an Agentic challenge
- The user agent uses a private key of the verification method that is associated with the user agent in the DID document to sign the challenge. The signed challenge is encapsulated in a JWT and sent as the Authorization header in the HTTP request to the peer agent.
- The peer agent validates the signed challenge and responds with an HTTP 200 and a JWT in the response body.
- The user agent validates the JWT and uses the public key in the JWT to decrypt the message.
For details on the schema of the agentic challenge, agent key resolution, and generation of the JWT, please review the Agentic Profile Auth Github repository.
DID Document Example
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/jws-2020/v1",
"https://agenticprofile.org/ns/agentic-profile/v1"
],
"id": "did:web:iamagentic.ai:15",
"name": "Mike Prince",
"media": {
"images": [
"512x512",
"96x96"
]
},
"verificationMethod": [],
"service": [
{
"id": "#connect",
"name": "Connect",
"type": "A2A/connect",
"serviceEndpoint": "https://api.matchwise.ai/agents/connect",
"capabilityInvocation": [
"did:web:api.matchwise.ai#system-key"
]
},
{
"id": "#presence",
"name": "Presence",
"type": "A2A/presence",
"serviceEndpoint": "https://api.matchwise.ai/agents/presence",
"capabilityInvocation": [
"did:web:api.matchwise.ai#system-key"
]
}
]
}
The above is a DID document for the individual/entity "Mike Prince" and has the following properties:
- The following agents (under the "service" property) are described: connect, and presence
- The connect agent's DID derives to did:web:iamagentic.ai:15#connect and is available at
https://api.matchwise.ai/agents/connect - The connect agent uses the A2A protocol, and is of the type "connect" which is well known to facilitate business connections. Other available agent types are "friends", "dating", "venture", "vc", "voter", "politician", "buy", and "sell".
- Both the connect and presence agents authenticate using the
did:web:api.matchwise.ai#system-keyThis is a server optimization to minumize the number of keys to manage. Some agents may prefer to manage their own keys and not allow the DID document host to authenticate on their behalf. - Media for this entity is available at
https://iamagentic.ai/15/mediaand of size 512x512 and 96x96
An important take-away from using DID documents that describe multiple agents is that the DID for this document establishes a globally unique identifier that can be used to build reputation and trust.
References
- A2A Protocol
- MCP Protocol
- W3C Decentralized Identifiers (DIDs)
- JWT
- Agentic Profile Auth Github repository
- Demo of Cloud A2A and MCP Quickstart project
- Agentic Profile blog