
Signature status

Verify which agent sent a task and keep identity stable across the whole conversation.

Current A2A signing status: use OAuth/API keys for A2A, and UCP signed intents for signed checkout calls.

A2A and UCP share bearer-token authentication, but they do not share the same signing behavior today. The live A2A route authenticates callers with OAuth access tokens or API keys; it does not currently validate Request-Signature headers or sign A2A responses.

Current state
Do not require A2A Response-Signature, JWKS-Url, per-task signing identity, or signing.request_signature_required from Aly's A2A responses. Those fields are not emitted by the current A2A route or agent-card builders, so a client that blocks on them will fail against every live store.

What to use for A2A auth

Use a workspace-scoped bearer token. Public read-style SendMessage skills can run without auth, but cart, checkout, task lookup, listing, cancellation, subscriptions, and push config management require OAuth or API-key auth.

```http
POST /api/a2a HTTP/1.1
Host: aly.store
Content-Type: application/json
A2A-Version: 1.0
Authorization: Bearer aly_oauth_...

{
  "jsonrpc": "2.0",
  "id": "req_1",
  "method": "SendMessage",
  "params": {
    "message": {
      "messageId": "msg_1",
      "role": "ROLE_USER",
      "parts": [
        {
          "mediaType": "application/json",
          "data": {
            "skill": "cart-management",
            "action": "create",
            "site_slug": "acme"
          }
        }
      ]
    }
  }
}
```

Where signing exists today

UCP checkout routes do support optional, non-blocking request-signature validation and signed responses. If an A2A task returns a UCP checkout complete_url, sign that UCP request when you need cryptographic agent identity on the checkout step; the A2A bearer token alone proves workspace authorization, not which agent built the request. See Signed intents.

Agent card signatures

Aly's A2A type model has room for agent-card signatures, but the current platform and store cards do not emit a signed card or JWKS pointer. Discover capabilities from supportedInterfaces, capabilities, securitySchemes, and skills, and treat the card as unsigned data fetched over HTTPS rather than as an attested identity.

Recommended client behavior

  1. Use HTTPS and fetch /.well-known/agent-card.json from the store host.
  2. Use the card's supportedInterfaces URL for A2A calls.
  3. Send Authorization: Bearer aly_oauth_... or Authorization: Bearer aly_... for authenticated skills and task routes.
  4. Do not block on missing A2A response signatures.
  5. Apply UCP request signing only when calling UCP routes that document signed-intent support.
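The five steps above as one runnable client, written as an added example for this page (it is not Aly's client code). The agent card, the auth policy (which skills and methods need a token), the transport stand-in, and the placement of complete_url inside a task artifact are constructed assumptions chosen to mirror the text; real cards and task payloads may differ. The client takes the A2A URL from supportedInterfaces, attaches the bearer token only where the page says auth is required, records that the response was not signature-verified instead of failing, and surfaces a UCP complete_url so the caller knows where signed intents apply.

```python
"""Added example (not Aly's code): an A2A client following this page's recommended behavior."""
import json
from typing import Any, Callable, Optional

# Constructed agent card: only the fields this page says to discover from are shown.
SAMPLE_CARD = {
    "name": "acme",
    "supportedInterfaces": [{"url": "https://aly.store/api/a2a", "protocolBinding": "JSONRPC"}],
    "capabilities": {"streaming": False},
    "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
    "skills": [{"id": "cart-management"}, {"id": "product-search"}],
}

# Assumed policy mirroring the page: cart/checkout skills and task/listing/cancel/push-config
# methods need a bearer token; read-style SendMessage skills (product-search here) do not.
AUTH_REQUIRED_SKILLS = {"cart-management", "checkout"}
AUTH_REQUIRED_METHODS = {"GetTask", "ListTasks", "CancelTask",
                         "CreateTaskPushNotificationConfig", "GetTaskPushNotificationConfig"}

class AuthRequired(Exception):
    pass

def a2a_endpoint(card: dict) -> str:
    """Steps 1-2: take the A2A URL from supportedInterfaces and refuse non-HTTPS interfaces."""
    for iface in card.get("supportedInterfaces", []):
        url = iface.get("url", "")
        if iface.get("protocolBinding", "JSONRPC") == "JSONRPC" and url.startswith("https://"):
            return url
    raise ValueError("agent card exposes no HTTPS JSON-RPC interface")

def needs_auth(method: str, skill: Optional[str]) -> bool:
    return method in AUTH_REQUIRED_METHODS or skill in AUTH_REQUIRED_SKILLS

def build_headers(method: str, skill: Optional[str], token: Optional[str]) -> dict:
    """Step 3: attach the workspace bearer token when the skill or method requires it."""
    headers = {"Content-Type": "application/json", "A2A-Version": "1.0"}
    if needs_auth(method, skill) and not token:
        raise AuthRequired(f"{method}/{skill} requires OAuth or API-key auth")
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers

def build_send_message(skill: str, action: str, site_slug: str, req_id: str, msg_id: str) -> dict:
    """JSON-RPC envelope in the shape shown on this page."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "SendMessage",
            "params": {"message": {"messageId": msg_id, "role": "ROLE_USER",
                       "parts": [{"mediaType": "application/json",
                                  "data": {"skill": skill, "action": action, "site_slug": site_slug}}]}}}

def parse_response(status: int, headers: dict, body: bytes) -> dict:
    """Step 4: a missing Response-Signature is expected today and is not an error, but the
    result is tagged so nothing downstream mistakes it for a cryptographically verified reply."""
    if status != 200:
        raise RuntimeError(f"A2A HTTP {status}")
    reply = json.loads(body)
    if "error" in reply:
        raise RuntimeError(f"A2A error: {reply['error']}")
    result: dict[str, Any] = reply["result"]
    result["_response_signature_present"] = "Response-Signature" in headers
    result["_signature_verified"] = False  # the live A2A route does not sign responses
    return result

def ucp_complete_url(task: dict) -> Optional[str]:
    """Step 5: find a UCP checkout complete_url (assumed to arrive in an artifact data part)
    so the caller can switch to UCP request signing for that one call."""
    for artifact in task.get("artifacts", []):
        for part in artifact.get("parts", []):
            url = (part.get("data") or {}).get("complete_url")
            if url:
                return url
    return None

Transport = Callable[[str, dict, bytes], tuple]

def send_skill(transport: Transport, card: dict, token: Optional[str],
               skill: str, action: str, site_slug: str) -> dict:
    url = a2a_endpoint(card)
    headers = build_headers("SendMessage", skill, token)
    body = json.dumps(build_send_message(skill, action, site_slug, "req_1", "msg_1")).encode()
    return parse_response(*transport(url, headers, body))

def fake_transport(url: str, headers: dict, body: bytes) -> tuple:
    """Constructed stand-in for the store (no network): enforces bearer auth on cart-management
    and returns an unsigned completed task carrying a constructed UCP complete_url."""
    req = json.loads(body)
    skill = req["params"]["message"]["parts"][0]["data"]["skill"]
    if skill in AUTH_REQUIRED_SKILLS and not headers.get("Authorization", "").startswith("Bearer "):
        err = {"jsonrpc": "2.0", "id": req["id"], "error": {"code": -32001, "message": "unauthorized"}}
        return 401, {}, json.dumps(err).encode()
    task = {"id": "task_1", "status": {"state": "TASK_STATE_COMPLETED"},
            "artifacts": [{"parts": [{"mediaType": "application/json",
                                      "data": {"complete_url": "https://aly.store/ucp/checkout/sess_example"}}]}]}
    return 200, {"Content-Type": "application/json"}, json.dumps({"jsonrpc": "2.0", "id": req["id"], "result": task}).encode()

if __name__ == "__main__":
    t = send_skill(fake_transport, SAMPLE_CARD, "aly_oauth_example", "cart-management", "create", "acme")
    print("signature verified:", t["_signature_verified"], "| UCP checkout:", ucp_complete_url(t))
```

Swap fake_transport for a real HTTPS POST to use it against a store; the card fetched from /.well-known/agent-card.json replaces SAMPLE_CARD. The `_signature_verified` flag is the point of step 4: the client tolerates the absent signature without ever upgrading the response to "verified", and only the UCP call to the returned complete_url gets the signed-intent treatment.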
