The latest articles on DEV Community by himi humu (@himi_humu_98f93c3598e5737). https://dev.to/himi_humu_98f93c3598e5737 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3692370%2Fa53759a2-3c64-41c9-bb34-04250de2ed6e.jpg https://dev.to/himi_humu_98f93c3598e5737 en himi humu Sun, 04 Jan 2026 09:30:47 +0000 https://dev.to/himi_humu_98f93c3598e5737/exploring-did-based-authentication-for-a2a-protocol-agents-50d7 https://dev.to/himi_humu_98f93c3598e5737/exploring-did-based-authentication-for-a2a-protocol-agents-50d7 <p>A2A Protocol is gaining attention as an agent-to-agent communication standard, but authentication remains a practical challenge when implementing real-world systems.</p> <p>This post explores one possible approach using <strong>DID (Decentralized Identifier) signatures</strong> to authenticate agents without requiring pre-registration in a central registry. I've built a small experimental library to test this idea, and I'd like to share the code and learnings with the community.</p> <blockquote> <p><strong>Note</strong>: This is an experimental implementation based on <code>@a2a-js/sdk</code> (compatible with A2A Protocol Specification v0.3.0).</p> </blockquote> <h2> Quick overview </h2> <p>This approach aims to:</p> <ul> <li>Enable agent authentication without central pre-registration</li> <li>Support two trust models: <code>did:web</code> (HTTPS-based) and <code>did:ethr</code> (blockchain-based)</li> <li>Allow cross-domain authentication between different DID methods</li> </ul> <p><strong>Experimental library:</strong></p> <ul> <li>GitHub: <a href="https://github.com/humuhimi/a2a-did" rel="noopener noreferrer">https://github.com/humuhimi/a2a-did</a> </li> <li>npm: <a href="https://www.npmjs.com/package/a2a-did" rel="noopener noreferrer">https://www.npmjs.com/package/a2a-did</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>a2a-did </code></pre> </div> <h2> The authentication challenge </h2> <p>When implementing A2A Protocol in practice, a few pain points emerge:</p> <h3> 1) OAuth pre-registration overhead </h3> <p>If each agent needs its own identity, you'll need OAuth client registration for every agent created. Sharing the same <code>client_id</code> across agents makes it difficult to distinguish who sent what.</p> <h3> 2) Central registry dependencies </h3> <p>Questions arise: Who operates the registry? What happens if it goes down? What if you prefer not to register every agent centrally?</p> <h3> 3) Cross-domain authentication complexity </h3> <p>When agents from different organizations need to communicate, verifying the other party's identity can be challenging.</p> <p>This post explores one possible solution using <strong>DIDs (Decentralized Identifiers)</strong>, with code you can experiment with.</p> <h2> Quick demo (takes ~3 minutes) </h2> <h3> Prerequisites </h3> <ul> <li>Node.js 18+</li> <li>npm / pnpm / yarn </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a new project</span> <span class="nb">mkdir </span>my-a2a-project <span class="nb">cd </span>my-a2a-project npm init <span class="nt">-y</span> <span class="c"># Install the library</span> npm <span class="nb">install </span>a2a-did tsx </code></pre> </div> <h3> Basic example: Creating a <code>did:web</code> identity </h3> <p>Create <code>demo1.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createAgentDIDService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">=== Creating DID:web Identity ===</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">service</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createAgentDIDService</span><span class="p">([</span><span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">]);</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">createIdentity</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">config</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">,</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">✓ Identity created successfully!</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">DID:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">did</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Key ID:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">keyId</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Private key length:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bytes</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nf">main</span><span class="p">().</span><span class="k">catch</span><span class="p">(</span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx tsx demo1.ts </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>=== Creating DID:web Identity === ✓ Identity created successfully! DID: did:web:example.com:agents:my-agent Key ID: did:web:example.com:agents:my-agent#key-1 Private key length: 32 bytes </code></pre> </div> <h2> What this approach covers (and what it doesn't) </h2> <h3> ✅ What it provides </h3> <ul> <li> <strong>Agent authentication without pre-registration</strong> (DID-based self-sovereign approach)</li> <li> <strong>Cryptographic verification</strong> (using JWS signatures)</li> <li> <strong>Cross-domain authentication</strong> (agents from different organizations)</li> <li> <strong>Two DID methods</strong> (<code>did:web</code> and <code>did:ethr</code>)</li> </ul> <h3> ❌ What it doesn't handle (intentionally out of scope) </h3> <h4> 1) Delegation/Authorization </h4> <p>This focuses on authentication ("who are you?") rather than authorization ("what can you do?"). Delegation scenarios ("agent A acting on behalf of user B") would likely require Verifiable Credentials or similar mechanisms.</p> <h4> 2) Fine-grained access control </h4> <p>DIDs prove identity, but access control policies belong in a separate layer (like a policy engine).</p> <h4> 3) Production-ready security </h4> <p>This library provides the signature verification primitives. Production deployments would need additional considerations:</p> <ul> <li>Replay attack protection (<code>iat</code>/<code>exp</code>/<code>jti</code> validation)</li> <li>DID Document caching</li> <li>Rate limiting and monitoring</li> </ul> <p>For details, see: <a href="https://github.com/humuhimi/a2a-did/blob/main/SECURITY.md" rel="noopener noreferrer">https://github.com/humuhimi/a2a-did/blob/main/SECURITY.md</a></p> <h2> Why consider DID signatures? </h2> <h3> Challenges with traditional approaches </h3> <p><strong>OAuth 2.0 for dynamic agents:</strong></p> <ul> <li>Each agent typically needs its own client registration</li> <li>Doesn't scale well: 100 agents = 100 registrations</li> <li>Less suited for runtime agent creation</li> </ul> <p><strong>Central registries:</strong></p> <ul> <li>Operational overhead (who runs it, who pays for it?)</li> <li>Single point of failure risk</li> <li>Privacy concerns about central registration</li> </ul> <p>These concerns have also been discussed in the A2A community, where centralized Agent Registries raise SPOF and potential censorship concerns.</p> <h3> DID-signature approach </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Sign A2A messages with agent's private key ↓ Distribute public keys via DID Documents ↓ Verify signatures → authenticate the agent </code></pre> </div> <p>This approach aims to reduce pre-registration needs and central registry dependencies, enabling mutual verification between agents as a basic authentication layer.</p> <blockquote> <p><strong>Note</strong>: While the A2A spec describes signing Agent Cards, standardized fields for message-level signatures aren't fully specified yet. This implementation treats message signing as a <strong>protocol extension</strong>.</p> </blockquote> <h2> Example: <code>did:web</code> signing + verification </h2> <h3> About <code>did:web</code> </h3> <ul> <li> <strong>Trust model</strong>: HTTPS + DNS (leverages existing web infrastructure)</li> <li> <strong>Setup</strong>: Relatively simple (just needs a web server)</li> <li> <strong>Suited for</strong>: Company agents, stable endpoints</li> </ul> <blockquote> <p>⚠️ <strong>Important:</strong> Production use requires HTTPS. For local testing, consider using tools like mkcert for HTTPS setup, or a resolver configured to allow localhost.</p> </blockquote> <h3> Step 1: Create a DID identity </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createAgentDIDService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Initialize did:web service</span> <span class="kd">const</span> <span class="nx">service</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createAgentDIDService</span><span class="p">([</span><span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">]);</span> <span class="c1">// Create DID for agent</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">createIdentity</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">config</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">web</span><span class="dl">'</span><span class="p">,</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span> <span class="c1">// port defaults to 443</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">DID:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">did</span><span class="p">);</span> <span class="c1">// → did:web:example.com:agents:my-agent</span> </code></pre> </div> <p>Key points:</p> <ul> <li> <code>did:web</code> uses HTTPS + DNS as its trust model</li> <li>DID Document locations: <ul> <li> <code>did:web:example.com</code> → <code>https://example.com/.well-known/did.json</code> </li> <li> <code>did:web:example.com:agents:my-agent</code> → <code>https://example.com/agents/my-agent/did.json</code> </li> </ul> </li> <li>Store <code>privateKey</code> securely (type: Uint8Array)</li> </ul> <h3> Step 2: Sign an A2A message </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">signA2AMessage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Standard A2A Protocol JSON-RPC message</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="p">{</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">message/send</span><span class="dl">'</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="na">messageId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">msg-001</span><span class="dl">'</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">parts</span><span class="p">:</span> <span class="p">[{</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello from Agent</span><span class="dl">'</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">},</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span> <span class="p">};</span> <span class="c1">// Sign with DID identity</span> <span class="kd">const</span> <span class="nx">jws</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">signA2AMessage</span><span class="p">(</span><span class="nx">message</span><span class="p">,</span> <span class="nx">identity</span><span class="p">);</span> <span class="c1">// Attach signature</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">message</span><span class="p">,</span> <span class="na">signature</span><span class="p">:</span> <span class="nx">jws</span> <span class="p">};</span> </code></pre> </div> <blockquote> <p><strong>Note</strong>: The <code>signature</code> field isn't part of the official A2A spec — it's a protocol extension in this implementation. Alternatively, you could transport the JWS via HTTP headers (e.g., <code>Authorization: DIDAuth &lt;jws&gt;</code>).</p> </blockquote> <h3> Step 3: Verify the signature (receiver side) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">verifySignedA2ARequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// In your server endpoint (Express/Fastify/etc.)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/a2a</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">signature</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifySignedA2ARequest</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="o">-</span><span class="mi">32600</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span> <span class="p">},</span> <span class="na">id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">id</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`✅ Verified message from: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">senderDid</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Continue with normal A2A processing...</span> <span class="p">});</span> </code></pre> </div> <p>What happens during verification:</p> <ol> <li>Extract the sender's DID from the signature</li> <li>Resolve the DID Document to get the public key</li> <li>Verify the JWS signature cryptographically</li> <li>If valid, <code>result.senderDid</code> contains the verified identity</li> </ol> <h2> Alternative: <code>did:ethr</code> for blockchain-based trust </h2> <p>If you prefer not to depend on DNS, <code>did:ethr</code> uses Ethereum as the trust model.</p> <h3> About <code>did:ethr</code> </h3> <ul> <li> <strong>Trust model</strong>: Ethereum blockchain</li> <li> <strong>Flexibility</strong>: Endpoints can be updated later</li> <li> <strong>Suited for</strong>: Dynamic agents, cross-domain scenarios</li> </ul> <h3> Setup example </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createAgentDIDService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">service</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createAgentDIDService</span><span class="p">([</span><span class="dl">'</span><span class="s1">ethr</span><span class="dl">'</span><span class="p">]);</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">service</span><span class="p">.</span><span class="nf">createIdentity</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ethr</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">blockchain-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">config</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ethr</span><span class="dl">'</span><span class="p">,</span> <span class="na">network</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sepolia</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Testnet</span> <span class="na">rpcUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://sepolia.infura.io/v3/YOUR_INFURA_KEY</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">DID:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">identity</span><span class="p">.</span><span class="nx">did</span><span class="p">);</span> <span class="c1">// → did:ethr:sepolia:0x1234567890abcdef...</span> </code></pre> </div> <h3> Agent Card resolution flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ │ did:ethr:... │ └────────┬────────┘ │ 1. DID Resolution ↓ ┌─────────────────────────┐ │ DID Document │ │ { │ │ "service": [{ │ │ "type": "A2AAgentCard", │ "serviceEndpoint": │ │ "ipfs://Qm..." │ │ }] │ │ } │ └────────┬────────────────┘ │ 2. IPFS Fetch ↓ ┌─────────────────────────┐ │ Agent Card │ │ { │ │ "a2a_endpoint": │ │ "https://agent.../a2a"│ │ } │ └─────────────────────────┘ </code></pre> </div> <h3> Resolving DID → A2A endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">resolveA2AEndpoint</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">a2a-did</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// One-step resolution</span> <span class="kd">const</span> <span class="nx">endpoint</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">resolveA2AEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">did:ethr:sepolia:0x123...</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">A2A Endpoint:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">endpoint</span><span class="p">);</span> <span class="c1">// → https://agent.example.com/a2a</span> <span class="c1">// Now you can communicate</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">endpoint</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">signedMessage</span><span class="p">)</span> <span class="p">});</span> </code></pre> </div> <p>Design rationale:</p> <ul> <li> <code>did:ethr + IPFS + HTTPS</code> keeps identity/metadata on tamper-resistant paths while using HTTPS for actual communication</li> <li>This is a pragmatic hybrid: blockchain for identity, HTTPS for compatibility with existing infrastructure</li> <li>Future iterations could support P2P addresses (e.g., <code>/ip4/.../tcp/.../p2p/...</code>)</li> </ul> <h2> Comparing <code>did:web</code> vs <code>did:ethr</code> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>did:web</th> <th>did:ethr</th> </tr> </thead> <tbody> <tr> <td><strong>Trust model</strong></td> <td>HTTPS/TLS (Web PKI)</td> <td>Ethereum blockchain</td> </tr> <tr> <td><strong>Setup complexity</strong></td> <td>Lower (HTTPS server)</td> <td>Moderate (RPC access needed)</td> </tr> <tr> <td><strong>Resolution speed</strong></td> <td>Faster (HTTPS)</td> <td>Slower (blockchain + IPFS)</td> </tr> <tr> <td><strong>Tamper resistance</strong></td> <td>Moderate (DNS/HTTPS dependent)</td> <td>Higher (blockchain guarantees)</td> </tr> <tr> <td><strong>Operational cost</strong></td> <td>Low (existing infrastructure)</td> <td>Low for reads, gas for writes</td> </tr> <tr> <td><strong>Recommended use</strong></td> <td>Company agents, stable domains</td> <td>Dynamic agents, cross-domain</td> </tr> </tbody> </table></div> <p>The choice depends on your threat model and infrastructure preferences.</p> <h2> Summary </h2> <p>This post explored a DID-based approach for A2A Protocol authentication:</p> <ul> <li>✅ Agent authentication without central pre-registration</li> <li>✅ Cryptographic verification using JWS</li> <li>✅ Working examples for <code>did:web</code> and <code>did:ethr</code> </li> <li>✅ Compatible with existing A2A implementations (works alongside <code>@a2a-js/sdk</code>)</li> </ul> <h3> Limitations and next steps </h3> <p>This is an experimental library (v0.1.x) focused on exploring the core authentication concept. Production use would require:</p> <ul> <li>More robust key management guidance</li> <li>Performance optimizations (caching, etc.)</li> <li>Additional security considerations</li> </ul> <p>I'm working on a full-stack demo to show how this might work in a complete application. Feedback and suggestions are very welcome!</p> <h2> Feedback appreciated 🙏 </h2> <p>This is an experimental approach, and I'd love to hear your thoughts:</p> <ul> <li>💬 <a href="https://github.com/humuhimi/a2a-did/discussions" rel="noopener noreferrer">GitHub Discussions</a> - Questions, ideas, feedback</li> <li>🐛 <a href="https://github.com/humuhimi/a2a-did/issues" rel="noopener noreferrer">GitHub Issues</a> - Bug reports</li> <li>🌟 <a href="https://github.com/humuhimi/a2a-did" rel="noopener noreferrer">GitHub Repository</a> - Code and documentation</li> </ul> <h2> References </h2> <ul> <li><a href="https://www.npmjs.com/package/a2a-did" rel="noopener noreferrer">a2a-did on npm</a></li> <li><a href="https://github.com/a2aproject/A2A" rel="noopener noreferrer">A2A Protocol Specification</a></li> <li><a href="https://www.w3.org/TR/did-core/" rel="noopener noreferrer">W3C DID Core Specification</a></li> </ul> agents javascript security web3