DEV Community

Evan Lin
Evan Lin

Posted on • Originally published at evanlin.com on

Security Declaration for AI Agents: Deep Dive into A2AS (Agent-to-Agent Security) Certification Mechanism

#agents #ai #security #opensource

A2AS-CERTIFIED

Reference links:

This article documents an interesting Pull Request I received while maintaining linebot-adk (LINE Bot Agent Development Kit): adding the A2AS security certificate to the project. This is not just a YAML file, but a significant milestone for AI Agents to move towards "industrial-grade security" in 2026.

Google Chrome 2026-03-26 22.45.44

Background

When we develop Agents like linebot-adk that have Tool Use (Function Calling) capabilities, the biggest concern for users is often: "Will this Agent issue commands without my permission?" or "What data can it access?".

Traditionally, we could only write explanations in README.md, but that's for humans to read, not for system verification. This is why A2AS (Agent-to-Agent Security) emerged – it's hailed as the "HTTPS of the AI world".

🛠️ Step 1: Understanding the BASIC Model of A2AS

A2AS is not just a name; it has a complete BASIC security model behind it, designed to solve the trust issue between AI Agents:

  • (B)ehavior Certificates: Declarative certificates that clearly define the behavior boundaries of the Agent.
  • (A)uthenticated Prompts: Ensures that the source of prompts is trustworthy and traceable.
  • (S)ecurity Boundaries: Uses structured tags (such as <a2as:user>) to isolate untrusted input.
  • (I)n-Context Defenses: Embeds defense logic in prompts to reject malicious injections.
  • (C)odified Policies: Writes business rules into code and enforces them during inference.

🎨 Step 2: Deconstructing a2as.yaml – The Agent's ID Card

In PR #1 received by linebot-adk, the most core change was the addition of a2as.yaml. This file is like the Agent's "digital signature", making the code logic explicit:

manifest:
  subject:
    name: kkdai/linebot-adk
    scope: [main.py, multi_tool_agent/agent.py]
  issued:
    by: A2AS.org
    url: https://a2as.org/certified/agents/kkdai/linebot-adk

agents:
  root_agent:
    type: instance
    models: [gemini-2.5-flash]
    tools: [get_weather, get_current_time]
Enter fullscreen mode Exit fullscreen mode

Why is this important?

This certificate is directly linked to the content of our main.py. When the certificate declares tools: [get_weather, get_current_time], it means this is a limited-authorization Agent. If it tries to execute delete_database, the security monitoring system can immediately detect that it is outside the certificate scope.

🌐 Step 3: Combining Code Logic

In linebot-adk, we used Google's ADK (Agent Development Kit) to build the Agent. The A2AS certificate can accurately map our program architecture:

1. Tool Declaration and Implementation

In multi_tool_agent/agent.py, we defined two tools:

def get_weather(city: str) -> dict:
    # Implement the logic to get the weather
    ...

def get_current_time(city: str) -> dict:
    # Implement the logic to get the time
    ...
Enter fullscreen mode Exit fullscreen mode

The A2AS certificate will register these functions in the tools block, ensuring that the Agent's capability boundaries are transparent and auditable.

2. Runner and Execution Loop

In main.py, we start the Agent through Runner:

runner = Runner(
    agent=root_agent,
    app_name=APP_NAME,
    session_service=session_service,
)
Enter fullscreen mode Exit fullscreen mode

The manifest.subject.scope in the certificate marks main.py, which means the entire startup process (including FastAPI's Webhook processing) is within the A2AS compliant scope.

🚀 Step 4: Why is this the "HTTPS of the AI world"?

Imagine if you want a "travel agent Agent" to talk to a "hotel reservation Agent".

  • Without A2AS: The travel Agent can only "blindly trust" the hotel Agent.
  • With A2AS: The travel Agent can first check the other party's a2as.yaml certificate. If the other party claims to have the right to "modify orders" but the certificate doesn't say so, the travel Agent can refuse the transaction.

This "verify first, then execute" model is the trust network that A2AS wants to build.

🛠️ Common Pitfalls and Troubleshooting

❓ What if the certificate expires or the Commit Hash doesn't match?

Reason: A2AS certificates are bound to a specific Git Commit. When you modify the logic of agent.py but don't update the certificate, the verification will fail. Correction: Every time you modify the core functions of the Agent (such as adding a Tool or changing the Model), you must regenerate and sign a2as.yaml.

❓ Does using A2AS increase latency?

No. A2AS is mainly a "declarative" and "structured" specification. During the inference phase, it uses structured tags (S in the BASIC model) to help LLMs distinguish between instructions and data, which can reduce the hallucinations caused by the model's confusion and improve execution efficiency.

🏁 Conclusion

Through the introduction of this A2AS certificate, linebot-adk is no longer just a simple LINE Bot example; it has become a transparent Agent that meets the 2026 security standards. In an era where AI agents are gradually penetrating our lives, "transparency" is the best defense.

If you are also developing AI Agents, you might as well go to A2AS.org and add that badge of trust to your project. Happy Coding! 🦞

Top comments (1)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.