Agent-to-agent (A2A) interoperability is the ability for one AI agent to discover, authenticate, and invoke another — possibly running on a different platform, owned by a different organization, or built by a different team. As agent deployments grow from isolated assistants into coordinated networks, A2A calling becomes the connective tissue. The protocol decisions you make now — how agents identify themselves, how capabilities are advertised, how calls are authorized — determine whether that network is governable or opaque. For a broader orientation on how A2A differs from other integration patterns, see A2A vs MCP: What's the Difference?.
What "Interoperability" Actually Means for Agents
Interoperability in distributed systems usually means agreeing on a wire format and transport. For agents, the problem is wider. Two agents can share an HTTP transport and still fail to interoperate safely because they have no common model for identity, no shared vocabulary for capabilities, and no agreed mechanism for authorization.
Genuine A2A interoperability requires at minimum:
- A structured representation of what an agent can do and how to reach it — usually called an agent card.
- A credential that the calling agent presents to prove its identity and authorization.
- A protocol for the target agent to validate that credential and enforce scopes.
- A shared understanding of how errors, rejections, and partial results are communicated back.
Without these, "integration" between agents means hard-coded assumptions on both sides, which breaks the moment either agent changes.
Agent Cards: The Discovery Primitive
The concept of an agent card has emerged as the standard way to make an agent's capabilities machine-readable. An agent card is a versioned document that describes what the agent can do, what inputs it accepts, what scopes it exposes to callers, and where it can be reached.
Cards serve two purposes. First, they enable discovery: a caller that has never seen a particular agent can fetch or reference its card and understand what is on offer without human mediation. Second, they enable validation: when an agent's capabilities change, its card version advances, and any caller holding a stale reference can detect the mismatch before attempting a call that is no longer valid.
The versioning dimension is easy to underestimate. In practice, agents are updated frequently — new capabilities added, old ones removed or renamed. A calling agent that assumes a capability exists and proceeds without checking the current card version will eventually fail in ways that are hard to diagnose, because the failure happens at runtime rather than at connection time. Card versioning makes the contract between caller and target explicit and checkable.
Secure Discovery: The Risks of Open Registries
Discovery is where interoperability and security come apart if you are not careful. An open registry of agent endpoints is convenient, but it introduces prompt injection and spoofing risks: a malicious actor could register an agent that impersonates a legitimate one, or an existing agent's endpoint could be hijacked and its card updated to redirect callers.
Sound A2A discovery design addresses this with a few principles. First, endpoint registration should go through validation — at minimum, confirming that the URL is reachable and that the registrant controls it. For public endpoints, requiring encrypted transport and a verifiable public hostname is a minimum baseline. Private address ranges and internal network addresses should be rejected to prevent server-side request forgery scenarios where a caller is tricked into fetching from internal infrastructure.
Second, card versions should be signed or otherwise tamper-evident. A caller that receives a card update should be able to confirm it originated from the legitimate owner of that agent, not from a third party who has intercepted or injected the update.
Third, discovery scope should match deployment scope. An agent that is intended only for internal use within an organization should not be reachable via a public discovery mechanism. The architecture should support both private agents, visible only within a trust boundary, and public agents, intentionally exposed to external callers — with different endpoint URLs and different access controls for each.
Authorization: Scopes, Not Secrets
The authorization model for A2A calls needs to be as rigorous as any other API authorization pattern — and arguably more so, because the caller is an autonomous agent that may be acting on instructions you cannot fully predict.
The right model is capability-scoped credentials. Rather than issuing a calling agent a broad credential that lets it call anything the target exposes, the connection between caller and target should specify exactly which capabilities are permitted. If the target agent offers five tools but the caller only needs one, the connection grants access to that one. The target validates that the presented credential carries the right scope for the requested operation and rejects anything outside it.
This is least privilege applied to the agent layer. It means that even if a calling agent is compromised or manipulated into attempting an unauthorized operation, the enforcement happens at the target — not by convention or code review, but by an access check that cannot be bypassed through prompt manipulation. For a detailed look at this threat, see Threat Model: Agent-to-Agent Delegation Abuse.
Credential rotation matters here too. A long-lived static credential issued to a calling agent accumulates risk over time. Designs that support credential expiry and rotation reduce the blast radius of a compromised agent identity.
What Happens Across Organizational Boundaries
Intra-organization A2A calling is relatively tractable: the same identity provider, the same policy store, the same audit log. Cross-organization A2A is harder, because the two sides do not share infrastructure.
The pattern that scales here is the trust manifest: a signed document that one organization issues to express what it permits another organization's agents to do when calling its own. The manifest captures the permitted scopes, any spend limits, expiry, and the cryptographic identity of the trusted counterparty. When an external agent presents a credential, the receiving organization validates it against the manifest rather than against a shared secret. This model is explored in depth in Cross-Org Agent Federation with Trust Manifests.
This approach keeps the two organizations decoupled. Neither needs to be configured inside the other's identity provider. The trust relationship is explicit, bounded, and revocable: if the relationship sours or the counterparty's agents misbehave, the manifest is revoked and the access stops.
The emerging pattern in the industry mirrors this: agent cards for capability advertisement, verifiable credentials or signed tokens for identity, and explicit policy documents for cross-boundary authorization. The details vary across implementations, but the structural requirements are consistent.
Content and Spend Controls on the Call Path
Protocol-level interoperability is necessary but not sufficient for governed A2A calling. Every hop in a multi-agent chain is also a data flow, and that data flow can carry sensitive content — PII retrieved from a database, credentials encountered in a document, or outputs crafted to manipulate the next agent in the chain.
Sound A2A architecture puts inspection points on the call path. Outbound requests from a calling agent should be inspectable for content policy violations before they reach the target. Responses from the target should similarly pass through inspection before the calling agent acts on them. This bidirectional approach catches both over-broad data fetching on the outbound path and prompt injection or data exfiltration on the inbound path.
Spend controls belong at the same layer. An agent chain that loops — whether by design or by misconfiguration — can accumulate cost very quickly. Per-connection spend limits enforce a ceiling independently of what any individual agent's total budget is. If a call would push the caller over the configured threshold, it is blocked before it reaches the target. The caller gets a clear error rather than a silent rejection after the fact.
Common questions
Are agent cards a standard format, or does every platform define its own?
The industry is converging toward common conventions, but a fully standardized format is still emerging. Most implementations share the same structural intent: a versioned document describing capabilities, endpoint URLs, and accepted credential formats. When evaluating A2A interoperability between platforms, check whether the card formats are compatible enough for automated consumption, or whether a translation layer is needed.
How should a calling agent handle a card version mismatch?
The conservative approach is to treat a card version mismatch as a blocking condition: the caller should not proceed until it has fetched the current card and confirmed that the capability it needs is still available under the same contract. Attempting to call with a stale assumption risks either a failed call or, worse, invoking a capability that now does something different from what the caller expected.
Can A2A calls be audited across organizations?
Each organization typically audits calls on its own side: the calling organization records the outbound call, and the receiving organization records the inbound call. There is no single cross-organizational audit log unless the two parties have explicitly agreed to share one. This means that reconstructing a cross-org call chain requires correlating logs from both sides, using a common correlation identifier that both ends record. Praesidia is designed to emit and propagate such identifiers across A2A hops, making cross-boundary tracing practical without requiring a shared infrastructure. See the platform documentation for details on audit log structure, or read Agent-to-Agent (A2A) Communication, Governed for a full walkthrough of governed cross-org calls.
A2A interoperability is still maturing as a discipline, but the foundational requirements are clear: structured capability advertisement through versioned agent cards, scoped credentials that enforce least privilege at every hop, policy-bound authorization for cross-boundary calls, and content and spend controls on the call path itself. Getting these right early means your agent network can grow without becoming a governance liability.