| Internet-Draft | Agent-SD-JWT | February 2026 |
| Nandakumar & Jennings | Expires 1 September 2026 | [Page] |
This document defines how Selective Disclosure for JWTs (SD-JWT) integrates with Agent-to-Agent (A2A) systems to provide privacy-preserving agent discovery and cryptographically verifiable identity management. It specifies the SD-Card format - an SD-JWT encoding of Agent Cards that enables selective disclosure of agent capabilities, contact information, and operational metadata while maintaining cryptographic integrity and preventing correlation across different interaction contexts.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Agent-to-Agent (A2A) specification [A2A-SPEC] defines protocols for autonomous agent discovery and interaction through standardized Agent Cards. Current A2A implementations have following limitations:¶
Information Leakage: Agent Cards expose all capabilities during discovery¶
Weak Authentication: No cryptographic verification of agent identity¶
Static Disclosure: No context-based capability filtering¶
Linkability: Identical presentations enable cross-context tracking¶
This document specifies SD-Card, an SD-JWT [RFC9901] encoding of Agent Cards that addresses these limitations through:¶
Selective Disclosure: Context-specific capability revelation¶
Cryptographic Authentication: Key-bound agent identity verification¶
Unlinkable Presentations: Privacy-preserving multi-context interactions¶
Backward Compatibility: Interoperability with existing A2A implementations¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Agent Card: A JSON metadata document describing an agent's capabilities, identity, and interaction requirements as defined in [A2A-SPEC].¶
SD-Card: An Agent Card encoded as an SD-JWT that enables selective disclosure of agent metadata.¶
Agent Registry: A trusted service that issues and manages SD-Cards for agents within a domain or federation.¶
Discovery Context: A named security context (e.g., "public", "internal", "diagnostic") that determines which claims are disclosed in an SD-Card presentation.¶
Capability Disclosure: The selective revelation of specific agent capabilities based on the requesting entity's authorization and context.¶
Key Binding: Cryptographic proof that the presenter of an SD-Card
possesses the private key corresponding to the public key in the SD-Card's
cnf claim.¶
SD-JWT Media Type: The application/vnd.sd-jwt+json media type is used to
indicate content that contains Selective Disclosure JWT data within JSON
structures. This vendor-specific media type distinguishes SD-JWT presentations
from standard JSON content and signals that the receiver should process the
content using SD-JWT parsing and verification procedures.¶
This document follows SD-JWT [RFC9901] conventions:¶
Base64url encoding for binary data¶
JWS format for signed tokens¶
SHA-256 hashing for selective disclosure¶
Tilde (~) separator for SD-JWT serialization:¶
<Issuer-signed JWT>~<Disclosure 1>~<Disclosure 2>~...<Key Binding JWT>¶
SD-Card enhances Agent-to-Agent (A2A) interactions by providing privacy-preserving agent discovery and cryptographically verifiable agent authentication. SD-Card enables selective disclosure of agent capabilities, skills, and endpoints based on requester authorization and discovery context, unlinkable agent interactions across different contexts, cryptographic integrity of agent metadata, and key binding for authentication that complements transport-layer security.¶
The SD-Card architecture involves four primary components: Agent Registries that issue credentials, Agents that hold and present SD-Cards, Services that agents interact with, and Clients that discover and invoke agents. The following diagram illustrates these relationships and the flow of SD-Card issuance and presentation:¶
+------------------+ +------------------+
| | (1) Register | |
| Agent Registry |<---------------------| Agent |
| (Issuer) | | (Holder) |
| |--------------------->| |
+------------------+ (2) Issue SD-Card +------------------+
| |
| |
| (3) Publish | (4) Present
| Discovery | SD-Card
| Metadata | (Selective)
v v
+------------------+ +------------------+
| | (5) Discover | |
| Client |--------------------->| Service |
| (Verifier) | | (Verifier) |
| |<---------------------| |
+------------------+ (6) Agent Info +------------------+
| ^
| |
+-----------------------------------------+
(7) Invoke Agent via Service
(with Key Binding proof)
The architecture operates as follows:¶
Registration: An Agent registers with an Agent Registry, providing its capabilities, skills, and public key material for key binding.¶
SD-Card Issuance: The Registry issues an SD-Card (SD-JWT) containing
the agent's metadata with selectively disclosable claims. The SD-Card
includes the agent's confirmation key (cnf claim) for holder binding.¶
Discovery Publication: The Registry may publish non-sensitive discovery metadata to enable clients to locate agents matching their requirements.¶
Selective Presentation: When interacting with Services, the Agent presents its SD-Card with only the disclosures relevant to the interaction context. Different contexts receive different subsets of claims.¶
Client Discovery: Clients query the Registry or Services to discover agents with specific capabilities. The discovery response contains only claims appropriate for the discovery context.¶
Agent Information: The discovered agent information is returned to the client, enabling informed decisions about which agent to invoke.¶
Agent Invocation: The Client invokes the Agent through the Service, with the Agent providing a Key Binding JWT to prove possession of the private key corresponding to its SD-Card.¶
This architecture enables privacy-preserving agent discovery while maintaining cryptographic verifiability. Agents control what information they reveal in each context, and verifiers can trust that presented claims are authentic and unmodified.¶
Traditional agent discovery in Agent-to-Agent protocol faces several challenges:¶
Agent Cards expose all capabilities to any entity performing discovery, potentially revealing sensitive operational details.¶
Identical capabilities presented to different verifiers enable tracking across contexts.¶
Without cryptographic verification, Agent Cards can be forged or tampered with during transmission.¶
Attackers can enumerate all agent capabilities by performing discovery, potentially identifying attack vectors.¶
Agents cannot adapt capability disclosure based on the requesting entity's authorization level or intended use case.¶
Allowing agents to selectively disclose their capabilities addresses these challenges through:¶
Agents reveal only capabilities relevant to the specific discovery context or requester authorization level.¶
Different presentations of the same agent to different verifiers cannot be linked, enhancing privacy.¶
Key binding enables strong agent authentication without relying solely on transport security.¶
Multiple context-specific credentials can be issued to the same agent for different use cases.¶
This specification defienes "SD-Card". An SD-Card is an Agent Card encoded as an SD-JWT.¶
The base Agent Card structure follows the A2A specification [A2A-SPEC] but is extended to support selective disclosure. The card consists of three main components:¶
Base Claims: Always disclosed information that establishes the agent's identity, protocol version, and basic metadata¶
Selective Disclosure Claims: A2A-specific information that can be selectively revealed based on the discovery context including skills, interfaces, and provider details¶
Cryptographic Binding: Keys and signatures that ensure authenticity and enable secure agent interactions¶
The Agent Card is represented as a Selective Disclosure JSON Web Token (SD-JWT) that contains both standard A2A Agent Card fields and selective disclosure metadata :¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"iat": 1704063600,
"exp": 1735685999,
"vct": "urn:ietf:params:oauth:token-type:sd-agent-card",
"_sd_alg": "sha-256",
"_sd": [
"kV7i-VgPK9Qj8vYNJ4L8hFG3cR9ZqX2mE5wC6oA1nBs", // skills
"3sdf8mN2p9uX7L3vE8nGrR5kW6oF4tC9jL7vM2nX8qE", // additionalInterfaces
"8kF2nM3p4uY9L5cG6rT7qW9oR2vX1jE4mN8sC5fH0aZ", // capabilities
"9mH4pL5rZ8wQ2nX7cV6sT3kE1oY0jF9uR4vB6nM8fG2", // securitySchemes
"7kRt2qW5mX9jN4cF7zPsE8nG1vH0oY3lM6xC9fK2bA8", // provider
"5nK3wL8tB4eR9mY2cF6qG7oT1vX0jH3pN4rS8zE5fC6", // defaultInputModes
"2pM8fT4nR6oX3cG7zE9qL5wY1vS0jF6kH2nB8mC4rT9" // defaultOutputModes
],
"protocolVersion": "0.2.9",
"name": "GeoSpatial Route Planner Agent",
"description": "Provides advanced route planning and traffic analysis services",
"version": "1.2.0",
"url": "https://georoute-agent.example.com/a2a/v1",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
}
}
}
¶
The following claims are permanently disclosed in the SD-Card:¶
The issuer of the Agent Card (typically an Agent Registry). This establishes the trust anchor for the credential and enables signature verification. The issuer MUST be a resolvable URI that provides access to the issuer's public key material.¶
The unique identifier of the agent within the issuer's namespace. This identifier MUST be stable across different Agent Card issuances for the same logical agent, enabling correlation when authorized while supporting unlinkable presentations through different salt values.¶
The time at which the Agent Card was issued (Unix timestamp).¶
The expiration time of the Agent Card (Unix timestamp).¶
The verifiable credential type, identifying this as an SD-Card Agent Card. This value MUST be "urn:ietf:params:oauth:token-type:sd-agent-card" for compliance with this specification.¶
The human-readable name of the agent.¶
A brief description of the agent's purpose and primary function. This helps users understand the agent's role without revealing sensitive capability details.¶
The version of the agent software.¶
The confirmation key for agent authentication. This public key enables key binding and ensures that only the legitimate agent can present the Agent Card. The key MUST be in JSON Web Key (JWK) format.¶
The following claims are selectively disclosed based on the discovery context:¶
The skills claim contains an array of A2A AgentSkill objects that the agent can perform. Each skill definition follows the A2A specification and includes input/output modes, examples, and metadata for proper integration.¶
"skills": [
{
"id": "route-optimizer-traffic",
"name": "Traffic-Aware Route Optimizer",
"description": "Calculates optimal driving route between locations with real-time traffic",
"tags": ["maps", "routing", "navigation", "directions", "traffic"],
"examples": [
"Plan a route from '1600 Amphitheatre Parkway, Mountain View, CA' to 'San Francisco International Airport' avoiding tolls.",
"{\"origin\": {\"lat\": 37.422, \"lng\": -122.084}, \"destination\": {\"lat\": 37.7749, \"lng\": -122.4194}, \"preferences\": [\"avoid_ferries\"]}"
],
"inputModes": ["application/json", "text/plain"],
"outputModes": [
"application/json",
"application/vnd.geo+json",
"text/html"
]
},
{
"id": "custom-map-generator",
"name": "Personalized Map Generator",
"description": "Creates custom map images based on user-defined points of interest",
"tags": ["maps", "customization", "visualization", "cartography"],
"examples": [
"Generate a map of my upcoming road trip with all planned stops highlighted.",
"Show me a map visualizing all coffee shops within a 1-mile radius of my current location."
],
"inputModes": ["application/json"],
"outputModes": [
"image/png",
"image/jpeg",
"application/json",
"text/html"
]
}
]
¶
When converting the skills claim to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value¶
A cryptographically secure random salt is generated for the skills claim:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Array¶
The skills claim is packaged into a disclosure array format:¶
[
"_26bc4LT-ac6q2KI6cBW5es",
"skills",
[
{
"id": "route-optimizer-traffic",
"name": "Traffic-Aware Route Optimizer",
"description": "Calculates optimal driving route between locations with real-time traffic",
"tags": ["maps", "routing", "navigation", "directions", "traffic"],
"examples": [
"Plan a route from '1600 Amphitheatre Parkway, Mountain View, CA' to 'San Francisco International Airport' avoiding tolls.",
"{\"origin\": {\"lat\": 37.422, \"lng\": -122.084}, \"destination\": {\"lat\": 37.7749, \"lng\": -122.4194}, \"preferences\": [\"avoid_ferries\"]}"
],
"inputModes": ["application/json", "text/plain"],
"outputModes": [
"application/json",
"application/vnd.geo+json",
"text/html"
]
},
{
"id": "custom-map-generator",
"name": "Personalized Map Generator",
"description": "Creates custom map images based to user-defined points of interest",
"tags": ["maps", "customization", "visualization", "cartography"],
"examples": [
"Generate a map of my upcoming road trip with all planned stops highlighted.",
"Show me a map visualizing all coffee shops within a 1-mile radius of my current location."
],
"inputModes": ["application/json"],
"outputModes": [
"image/png",
"image/jpeg",
"application/json",
"text/html"
]
}
]
]
¶
Step 3: Base64url Encode Disclosure¶
The disclosure array is JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsInNraWxscyIsW3siaWQiOiJyb3V0ZS1vcHRp bWl6ZXItdHJhZmZpYyIsIm5hbWUiOiJUcmFmZmljLUF3YXJlIFJvdXRlIE9wdGltaXplciIs ImRlc2NyaXB0aW9uIjoiQ2FsY3VsYXRlcyBvcHRpbWFsIGRyaXZpbmcgcm91dGUgYmV0d2Vl biBsb2NhdGlvbnMgd2l0aCByZWFsLXRpbWUgdHJhZmZpYyIsInRhZ3MiOlsibWFwcyIsInJv dXRpbmciLCJuYXZpZ2F0aW9uIiwiZGlyZWN0aW9ucyIsInRyYWZmaWMiXSwiZXhhbXBsZXMi OlsiUGxhbiBhIHJvdXRlIGZyb20gJzE2MDAgQW1waGl0aGVhdHJlIFBhcmt3YXksIE1vdW50 YWluIFZpZXcsIENBJyB0byAnU2FuIEZyYW5jaXNjbyBJbnRlcm5hdGlvbmFsIEFpcnBvcnQn IGF2b2lkaW5nIHRvbGxzLiIsIntcIm9yaWdpblwiOiB7XCJsYXRcIjogMzcuNDIyLCBcImxu Z1wiOiAtMTIyLjA4NH0sIFwiZGVzdGluYXRpb25cIjoge1wibGF0XCI6IDM3Ljc3NDksIFwi bG5nXCI6IC0xMjIuNDE5NH0sIFwicHJlZmVyZW5jZXNcIjogW1wiYXZvaWRfZmVycmllc1wi XX0iXSwiaW5wdXRNb2RlcyI6WyJhcHBsaWNhdGlvbi9qc29uIiwidGV4dC9wbGFpbiJdLCJv dXRwdXRNb2RlcyI6WyJhcHBsaWNhdGlvbi9qc29uIiwiYXBwbGljYXRpb24vdm5kLmdlbytq c29uIiwidGV4dC9odG1sIl19LHsiaWQiOiJjdXN0b20tbWFwLWdlbmVyYXRvciIsIm5hbWUi OiJQZXJzb25hbGl6ZWQgTWFwIEdlbmVyYXRvciIsImRlc2NyaXB0aW9uIjoiQ3JlYXRlcyBj dXN0b20gbWFwIGltYWdlcyBiYXNlZCBvbiB1c2VyLWRlZmluZWQgcG9pbnRzIG9mIGludGVy ZXN0IiwidGFncyI6WyJtYXBzIiwiY3VzdG9taXphdGlvbiIsInZpc3VhbGl6YXRpb24iLCJj YXJ0b2dyYXBoeSJdLCJleGFtcGxlcyI6WyJHZW5lcmF0ZSBhIG1hcCBvZiBteSB1cGNvbWlu ZyByb2FkIHRyaXAgd2l0aCBhbGwgcGxhbm5lZCBzdG9wcyBoaWdobGlnaHRlZC4iLCJTaG93 IG1lIGEgbWFwIHZpc3VhbGl6aW5nIGFsbCBjb2ZmZWUgc2hvcHMgd2l0aGluIGEgMS1taWxl IHJhZGl1cyBvZiBteSBjdXJyZW50IGxvY2F0aW9uLiJdLCJpbnB1dE1vZGVzIjpbImFwcGxp Y2F0aW9uL2pzb24iXSwib3V0cHV0TW9kZXMiOlsiaW1hZ2UvcG5nIiwiaW1hZ2UvanBlZyIs ImFwcGxpY2F0aW9uL2pzb24iLCJ0ZXh0L2h0bWwiXX1dXQ¶
Step 4: Calculate SHA-256 Digest¶
A SHA-256 hash is computed over the base64url-encoded disclosure:¶
digest = SHA256(base64url_encode(disclosure_array))
= "kV7i-VgPK9Qj8vYNJ4L8hFG3cR9ZqX2mE5wC6oA1nBs"
¶
Step 5: Include Digest in SD-JWT¶
The digest is included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"kV7i-VgPK9Qj8vYNJ4L8hFG3cR9ZqX2mE5wC6oA1nBs",
"7iF2sM8kT5nL9pX3cV6zR4qW1eY8oU0jH3vB7nM2kF9"
],
"name": "GeoSpatial Route Planner Agent",
"cnf": { }
}
¶
Step 6: Selective Disclosure¶
When presenting the agent card, the skills disclosure is included only if authorized:¶
<Issuer-signed JWT>~<Skills Disclosure>~<Other Disclosures>~<Key Binding JWT>¶
During verification, the verifier:¶
The additionalInterfaces claim defines alternative transport mechanisms and endpoints for A2A communication as specified in the AgentInterface object structure.¶
The original additionalInterfaces claim in the agent metadata contains:¶
{
"additionalInterfaces": [
{
"url": "https://georoute-agent.example.com/a2a/v1",
"transport": "JSONRPC"
},
{
"url": "https://georoute-agent.example.com/a2a/grpc",
"transport": "GRPC"
},
{
"url": "https://georoute-agent.example.com/a2a/json",
"transport": "HTTP+JSON"
}
]
}
¶
When converting the additionalInterfaces claim to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value A cryptographically secure random salt is generated for the additionalInterfaces claim:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Array The additionalInterfaces claim is packaged into a disclosure array format:¶
[
"_26bc4LT-ac6q2KI6cBW5es",
"additionalInterfaces",
[
{
"url": "https://georoute-agent.example.com/a2a/v1",
"transport": "JSONRPC"
},
{
"url": "https://georoute-agent.example.com/a2a/grpc",
"transport": "GRPC"
},
{
"url": "https://georoute-agent.example.com/a2a/json",
"transport": "HTTP+JSON"
}
]
]
¶
Step 3: Base64url Encode Disclosure¶
The disclosure array is JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsImFkZGl0aW9uYWxJbnRlcmZhY2VzIixbeyJ1cmwiOiJodHRwczovL2dlb3JvdXRlLWFnZW50LmV4YW1wbGUuY29tL2EyYS92MSIsInRyYW5zcG9ydCI6IkpTT05SUEMifSx7InVybCI6Imh0dHBzOi8vZ2Vvcm91dGUtYWdlbnQuZXhhbXBsZS5jb20vYTJhL2dycGMiLCJ0cmFuc3BvcnQiOiJHUlBDIn0seyJ1cmwiOiJodHRwczovL2dlb3JvdXRlLWFnZW50LmV4YW1wbGUuY29tL2EyYS9qc29uIiwidHJhbnNwb3J0IjoiSFRUUCtKU09OIn1dXQ¶
Step 4: Calculate SHA-256 Digest¶
A SHA-256 hash is computed over the base64url-encoded disclosure:¶
digest = SHA256(base64url_encode(disclosure_array))
= "3sdf8mN2p9uX7L3vE8nGrR5kW6oF4tC9jL7vM2nX8qE"
¶
Step 5: Include Digest in SD-JWT¶
The digest is included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"3sdf8mN2p9uX7L3vE8nGrR5kW6oF4tC9jL7vM2nX8qE"
]
}
¶
The capabilities claim provides information about the agent's A2A protocol feature support as defined in the AgentCapabilities object.¶
The original capabilities claim in the agent metadata contains:¶
{
"capabilities": {
"streaming": true,
"pushNotifications": true,
"stateTransitionHistory": false,
"extensions": [
{
"name": "advanced-routing",
"version": "1.0",
"description": "Enhanced route optimization with machine learning"
}
]
}
}
¶
When converting the capabilities claim to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value¶
A cryptographically secure random salt is generated for the capabilities claim:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Array¶
The capabilities claim is packaged into a disclosure array format:¶
[
"_26bc4LT-ac6q2KI6cBW5es",
"capabilities",
{
"streaming": true,
"pushNotifications": true,
"stateTransitionHistory": false,
"extensions": [
{
"name": "advanced-routing",
"version": "1.0",
"description": "Enhanced route optimization with machine learning"
}
]
}
]
¶
Step 3: Base64url Encode Disclosure¶
The disclosure array is JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsImNhcGFiaWxpdGllcyIseyJzdHJlYW1pbmciOnRydWUsInB1c2hOb3RpZmljYXRpb25zIjp0cnVlLCJzdGF0ZVRyYW5zaXRpb25IaXN0b3J5IjpmYWxzZSwiZXh0ZW5zaW9ucyI6W3sibmFtZSI6ImFkdmFuY2VkLXJvdXRpbmciLCJ2ZXJzaW9uIjoiMS4wIiwiZGVzY3JpcHRpb24iOiJFbmhhbmNlZCByb3V0ZSBvcHRpbWl6YXRpb24gd2l0aCBtYWNoaW5lIGxlYXJuaW5nIn1dfV0¶
Step 4: Calculate SHA-256 Digest¶
A SHA-256 hash is computed over the base64url-encoded disclosure:¶
digest = SHA256(base64url_encode(disclosure_array))
= "8kF2nM3p4uY9L5cG6rT7qW9oR2vX1jE4mN8sC5fH0aZ"
¶
Step 5: Include Digest in SD-JWT¶
The digest is included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"8kF2nM3p4uY9L5cG6rT7qW9oR2vX1jE4mN8sC5fH0aZ"
]
}
¶
The securitySchemes claim defines authentication requirements following A2A SecurityScheme format.¶
The original securitySchemes claim in the agent metadata contains:¶
{
"securitySchemes": {
"google": {
"type": "openIdConnect",
"openIdConnectUrl": "https://accounts.google.com/.well-known/openid-configuration"
},
"apiKey": {
"type": "apiKey",
"name": "X-API-Key",
"in": "header"
}
}
}
¶
When converting the securitySchemes claim to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value¶
A cryptographically secure random salt is generated for the securitySchemes claim:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Array¶
The securitySchemes claim is packaged into a disclosure array format:¶
[
"_26bc4LT-ac6q2KI6cBW5es",
"securitySchemes",
{
"google": {
"type": "openIdConnect",
"openIdConnectUrl": "https://accounts.google.com/.well-known/openid-configuration"
},
"apiKey": {
"type": "apiKey",
"name": "X-API-Key",
"in": "header"
}
}
]
¶
Step 3: Base64url Encode Disclosure¶
The disclosure array is JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsInNlY3VyaXR5U2NoZW1lcyIseyJnb29nbGUiOnsidHlwZSI6Im9wZW5JZENvbm5lY3QiLCJvcGVuSWRDb25uZWN0VXJsIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tLy53ZWxsLWtub3duL29wZW5pZC1jb25maWd1cmF0aW9uIn0sImFwaUtleSI6eyJ0eXBlIjoiYXBpS2V5IiwibmFtZSI6IlgtQVBJLUtleSIsImluIjoiaGVhZGVyIn19XQ¶
Step 4: Calculate SHA-256 Digest¶
A SHA-256 hash is computed over the base64url-encoded disclosure:¶
digest = SHA256(base64url_encode(disclosure_array))
= "9mH4pL5rZ8wQ2nX7cV6sT3kE1oY0jF9uR4vB6nM8fG2"
¶
Step 5: Include Digest in SD-JWT¶
The digest is included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"9mH4pL5rZ8wQ2nX7cV6sT3kE1oY0jF9uR4vB6nM8fG2"
],
"security": [
{"google": ["openid", "profile", "email"]},
{"apiKey": []}
]
}
¶
The provider claim contains A2A AgentProvider information about the organization that operates the agent.¶
The original provider claim in the agent metadata contains:¶
{
"provider": {
"organization": "Example Geo Services Inc.",
"url": "https://www.examplegeoservices.com"
}
}
¶
When converting the provider claim to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value¶
A cryptographically secure random salt is generated for the provider claim:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Array¶
The provider claim is packaged into a disclosure array format:¶
[
"_26bc4LT-ac6q2KI6cBW5es",
"provider",
{
"organization": "Example Geo Services Inc.",
"url": "https://www.examplegeoservices.com"
}
]
¶
Step 3: Base64url Encode Disclosure¶
The disclosure array is JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsInByb3ZpZGVyIix7Im9yZ2FuaXphdGlvbiI6IkV4YW1wbGUgR2VvIFNlcnZpY2VzIEluYy4iLCJ1cmwiOiJodHRwczovL3d3dy5leGFtcGxlZ2Vvc2VydmljZXMuY29tIn1d¶
Step 4: Calculate SHA-256 Digest¶
A SHA-256 hash is computed over the base64url-encoded disclosure:¶
digest = SHA256(base64url_encode(disclosure_array))
= "7kRt2qW5mX9jN4cF7zPsE8nG1vH0oY3lM6xC9fK2bA8"
¶
Step 5: Include Digest in SD-JWT¶
The digest is included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"7kRt2qW5mX9jN4cF7zPsE8nG1vH0oY3lM6xC9fK2bA8"
]
}
¶
The defaultInputModes and defaultOutputModes claims specify supported content types for A2A message interactions.¶
The original defaultInputModes and defaultOutputModes claims in the agent metadata contain:¶
{
"defaultInputModes": ["application/json", "text/plain"],
"defaultOutputModes": ["application/json", "image/png"]
}
¶
When converting the defaultInputModes and defaultOutputModes claims to selective disclosure, the Agent Registry performs the following transformation:¶
Step 1: Generate Salt Value¶
A cryptographically secure random salt is generated for the input/output modes claims:¶
Salt: "_26bc4LT-ac6q2KI6cBW5es"¶
Step 2: Create Disclosure Arrays¶
Each claim is packaged into separate disclosure array formats:¶
[ "_26bc4LT-ac6q2KI6cBW5es", "defaultInputModes", ["application/json", "text/plain"] ]¶
[ "_26bc4LT-ac6q2KI6cBW5es", "defaultOutputModes", ["application/json", "image/png"] ]¶
Step 3: Base64url Encode Disclosures¶
The disclosure arrays are JSON-serialized and base64url-encoded:¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsImRlZmF1bHRJbnB1dE1vZGVzIixbImFwcGxpY2F0aW9uL2pzb24iLCJ0ZXh0L3BsYWluIl1d¶
WyJfMjZiYzRMVC1hYzZxMktJNmNCVzVlcyIsImRlZmF1bHRPdXRwdXRNb2RlcyIsWyJhcHBsaWNhdGlvbi9qc29uIiwiaW1hZ2UvcG5nIl1d¶
Step 4: Calculate SHA-256 Digests¶
SHA-256 hashes are computed over the base64url-encoded disclosures:¶
digest_input = SHA256(base64url_encode(defaultInputModes_disclosure))
= "5nK3wL8tB4eR9mY2cF6qG7oT1vX0jH3pN4rS8zE5fC6"
digest_output = SHA256(base64url_encode(defaultOutputModes_disclosure))
= "2pM8fT4nR6oX3cG7zE9qL5wY1vS0jF6kH2nB8mC4rT9"
¶
Step 5: Include Digests in SD-JWT¶
The digests are included in the _sd array of the Issuer-signed JWT payload:¶
{
"iss": "https://registry.example.com",
"sub": "agent:georoute-planner-v1",
"_sd_alg": "sha-256",
"_sd": [
"5nK3wL8tB4eR9mY2cF6qG7oT1vX0jH3pN4rS8zE5fC6",
"2pM8fT4nR6oX3cG7zE9qL5wY1vS0jF6kH2nB8mC4rT9"
]
}
¶
Additional A2A Agent Card metadata for documentation and extended capabilities.¶
"iconUrl": "https://georoute-agent.example.com/icon.png", "documentationUrl": "https://docs.examplegeoservices.com/georoute-agent/api", "supportsAuthenticatedExtendedCard": true¶
Agent Cards are issued by trusted Agent Registries, the details of the which are out of scope of this specification¶
Agent Registration: The agent registers with the Agent Registry, providing its capabilities, endpoints, and authentication information. This includes submitting detailed metadata about the agent's functions, operational requirements, and security capabilities.¶
Identity Verification: The Agent Registry verifies the agent's identity and authorization to claim the specified capabilities.¶
Agent Card Creation: The Agent Registry creates an SD-JWT Agent Card containing the agent's metadata with appropriate claims marked for selective disclosure. The registry determines which claims should be selectively disclosable based on authorization, privacy policies and security requirements.¶
Batch Issuance: Multiple Agent Cards with different disclosure configurations may be issued for different discovery contexts. This enables the same agent to interact in various contexts while maintaining privacy and unlinkability.¶
Example issuance request based on HTTP POST method with bearing token is shown below:¶
POST /agents/register HTTP/1.1
Host: registry.example.com
Content-Type: application/json
Authorization: Bearer <registry_auth_token>
{
"agent_id": "ai-assistant-v2",
"name": "AI Assistant Agent",
"description": "General purpose AI assistant",
"version": "2.1.0",
"public_key": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
},
"disclosure_contexts": [
{
"context": "public",
"disclose": ["skills", "endpoints", "operational_info"]
},
{
"context": "internal",
"disclose": ["skills", "endpoints", "operational_info",
"provider", "security_context"]
},
{
"context": "diagnostic",
"disclose": ["operational_info", "provider"]
}
]
}
¶
This section describes the protocols and mechanisms for discovering agents:¶
The well-known URI discovery mechanism is extended to support SD-JWT Agent Cards:¶
GET /.well-known/agent.json HTTP/1.1 Host: agent.example.com Accept: application/vnd.sd-jwt+json¶
The application/vnd.sd-jwt+json media type indicates that the client accepts
responses containing Selective Disclosure JWT data formatted as JSON. In the
examples below, the "agent_card" field contains an SD-JWT formatted according
to the Agent Card Structure defined in Section 3.1.¶
The response contains an SD-JWT Agent Card with context-appropriate disclosures.¶
HTTP/1.1 200 OK
Content-Type: application/vnd.sd-jwt+json
{
"agent_card": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJod...~WyJzYWx0I
iwibmFtZSIsIkFJIEFzc2lzdGFudCJd~WyJzYWx0MiIsImVuZHBvaW50cyIsW3sibmFtZSI6InByaW1h
cnkiLCJ1cmwiOiJodHRwczovL2FnZW50LmV4YW1wbGUuY29tL2FwaS92MSJ9XV0~"
}
¶
For privacy-sensitive discovery, the agent MAY require authentication before revealing the Agent Card:¶
GET /.well-known/agent.json HTTP/1.1 Host: agent.example.com Authorization: Bearer <discovery_token> Accept: application/vnd.sd-jwt+json¶
Agent Registries support discovery with context-based selective disclosure. In the example below, an agent is discovered based on the skill "route-optimizer-traffic".¶
POST /agents/discover HTTP/1.1
Host: registry.example.com
Content-Type: application/json
Authorization: Bearer <registry_access_token>
{
"query": {
"skills": ["route-optimizer-traffic"],
"availability": "24/7"
},
"context": "public",
"max_results": 10
}
¶
Discovery can be performed with different contexts to control the level of information disclosure:¶
Minimal information suitable for public discovery, including basic skills and public endpoints.¶
Additional operational details for internal organizational use.¶
Detailed technical information for troubleshooting and monitoring.¶
Inter-organizational discovery with appropriate trust relationships.¶
The same agent may present different Agent Cards for different contexts while maintaining unlinkability between presentations.¶
The A2A protocol and SD-Card operate at the agent-to-agent communication layer, while Model Context Protocol (MCP) [MCP-SPEC] addresses agent-to-tool interactions. These protocols are complementary:¶
A2A/SD-Card: Agent discovery, identity, and capability negotiation¶
MCP: Tool discovery, invocation, and context management¶
When an agent discovered via SD-Card utilizes MCP for tool access, the following security considerations apply:¶
The SD-Card's security context does not automatically propagate to MCP tool invocations¶
Separate authorization may be required for tool access¶
Audit logs SHOULD correlate A2A interaction IDs with MCP sessions¶
+--------------------------------------------------+ | Application Layer | | (Agent Business Logic, Task Orchestration) | +--------------------------------------------------+ | A2A Protocol | MCP Protocol | | (Agent Discovery, | (Tool Discovery, | | Identity, Delegation) | Invocation, Context) | +--------------------------------------------------+ | Transport Layer (TLS 1.3+) | +--------------------------------------------------+¶
SD-Card enables secure agent discovery and authentication, after which
agents may use MCP for accessing tools and external resources. The
interaction_id from the Key Binding JWT SHOULD be included in MCP
requests for audit correlation.¶
This specification registers the following media type with IANA:¶
application¶
vnd.sd-jwt+json¶
N/A¶
N/A¶
binary (JSON)¶
See Security Considerations section of this document¶
N/A¶
This document¶
A2A agent discovery systems, agent registries, and agent clients that support selective disclosure of agent capabilities¶
N/A¶
This specification registers the following verifiable credential type in the "OAuth URI" registry:¶
This specification does not define new JWT claims but uses existing claims as defined in [RFC9901] and standard JWT claims from [RFC7519]¶
SD-Card implementations MUST implement token binding mechanisms to prevent stolen credential misuse. Implementations SHOULD support DPoP [RFC9449] for application-level proof-of-possession when presenting SD-Cards outside the key binding JWT mechanism.¶
The Key Binding JWT already provides replay protection through:¶
iat (issued-at) timestamps with short validity windows¶
aud (audience) binding to specific verifiers¶
sd_hash binding to specific SD-JWT presentations¶
Optional nonce values for additional freshness¶
Verifiers MUST reject Key Binding JWTs with:¶
In multi-agent workflows, identity verification becomes critical. The architecture aligns with WIMSE [WIMSE-ARCH] principles for workload identity:¶
Agent Attestation: The cnf claim provides cryptographic proof
that the presenter possesses the corresponding private key¶
Issuer Trust: The Agent Registry's signature establishes a trust anchor. Verifiers MUST validate the issuer's signature using pre-established trust relationships¶
Claim Integrity: Selective disclosure digests ensure that disclosed claims have not been modified since issuance¶
When agents delegate tasks to sub-agents, the following security properties MUST be maintained:¶
Delegation Chains: Use OAuth 2.0 Token Exchange [RFC8693] to create constrained tokens for sub-agents with reduced scope¶
Audit Trail: Each delegation SHOULD include an interaction_id
that enables tracing across agent invocations¶
Scope Limitation: Sub-agents MUST NOT receive broader permissions than the delegating agent possesses¶
Human Oversight: For sensitive operations, delegation chains SHOULD support human-in-the-loop approval mechanisms¶
SD-Card's selective disclosure mechanism prevents unwanted correlation:¶
Following NIST AI RMF [NIST-AI-RMF] principles for trustworthy AI:¶
Agent operators SHOULD:¶
SD-Card provides application-layer security that complements, but does not replace, transport-layer security:¶
TLS Required: All SD-Card exchanges MUST occur over TLS 1.3 or later as recommended in [RFC9700]¶
Defense in Depth: Key binding provides protection even if transport security is compromised¶
Channel Binding: Implementations MAY bind presentations to the TLS session for additional protection against token export attacks¶
Agent Registries (issuers) have significant security responsibilities:¶
Key Protection: Issuer signing keys MUST be protected using hardware security modules (HSMs) or equivalent protection¶
Revocation: Issuers SHOULD implement revocation mechanisms for compromised SD-Cards. This MAY include:¶
Audit Logging: Issuers MUST maintain audit logs of all SD-Card issuances including agent identity, disclosed claims, and issuance timestamps¶
This specification mandates support for:¶
ES256 (ECDSA with P-256 and SHA-256) as the minimum required algorithm¶
SHA-256 for selective disclosure hashing¶
Implementations SHOULD be prepared to support additional algorithms as they become standardized. Post-quantum cryptographic algorithms for JOSE/COSE are under active development and implementations SHOULD plan for migration paths.¶
{backmatter}¶