{"id":49755911,"url":"https://github.com/agenticpoa/apoa-a2a","last_synced_at":"2026-05-10T21:27:00.099Z","repository":{"id":352778687,"uuid":"1214896301","full_name":"agenticpoa/apoa-a2a","owner":"agenticpoa","description":"APOA authorization for A2A agent-to-agent communication — scoped delegation tokens, capability attenuation, audit trails","archived":false,"fork":false,"pushed_at":"2026-05-10T19:13:42.000Z","size":675,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-10T20:24:37.514Z","etag":null,"topics":["a2a","agent-to-agent","ai-agents","apoa","authorization","delegation","jwt","security"],"latest_commit_sha":null,"homepage":"https://github.com/agenticpoa/apoa","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/agenticpoa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-19T07:37:15.000Z","updated_at":"2026-05-10T19:13:44.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/agenticpoa/apoa-a2a","commit_stats":null,"previous_names":["agenticpoa/apoa-a2a"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/agenticpoa/apoa-a2a","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agenticpoa%2Fapoa-a2a","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agenticpoa%2Fapoa-a2a/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agenticpoa%2Fapoa-a2a/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agenticpoa%2Fapoa-a2a/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/agenticpoa","download_url":"https://codeload.github.com/agenticpoa/apoa-a2a/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agenticpoa%2Fapoa-a2a/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32872306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-10T13:40:02.631Z","status":"ssl_error","status_checked_at":"2026-05-10T13:40:02.145Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","agent-to-agent","ai-agents","apoa","authorization","delegation","jwt","security"],"created_at":"2026-05-10T21:26:59.372Z","updated_at":"2026-05-10T21:27:00.081Z","avatar_url":"https://github.com/agenticpoa.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![APOA on A2A](assets/banner.png)](https://github.com/agenticpoa/apoa)\n\n# @apoa/a2a\n\nAPOA authorization for [A2A](https://github.com/a2aproject/A2A) agent-to-agent communication. Scoped delegation tokens, capability attenuation, audit trails.\n\nA2A handles authentication (who are you?). This package adds authorization (what can you do, on whose behalf, for how long?).\n\n## Install\n\n```bash\nnpm install @apoa/a2a\n```\n\n## Quick Start\n\n### Client: attach an APOA token to an A2A message\n\n```typescript\nimport { attachToken, apoaHeaders } from '@apoa/a2a';\n\nconst message = {\n  messageId: 'msg-001',\n  role: 'user',\n  parts: [{ kind: 'text', text: 'Book me a flight to Helsinki' }],\n};\n\n// Attach token to message metadata (keyed by APOA extension URI)\nattachToken(message, apoaToken.raw);\n\n// Send with APOA extension header\nawait fetch('https://agent.example.com/message:send', {\n  method: 'POST',\n  headers: { 'Content-Type': 'application/json', ...apoaHeaders() },\n  body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'SendMessage', params: { message } }),\n});\n```\n\n### Server: verify APOA tokens on incoming messages\n\n```typescript\nimport { createA2AGuard } from '@apoa/a2a';\n\nconst guard = createA2AGuard({\n  key: publicKey,\n  mappings: {\n    'book-flight':    'flights:book',\n    'search-flights': 'flights:search',\n    'cancel-flight':  'flights:cancel',\n  },\n});\n\n// In your A2A agent's message handler:\nconst result = await guard.authorize(incomingMessage, 'book-flight');\nif (!result.authorized) {\n  // Transition task to AUTH_REQUIRED or reject\n}\n```\n\n### Agent Card: declare APOA support\n\n```typescript\nimport { apoaExtension, apoaSkillRequirement } from '@apoa/a2a';\n\nconst agentCard = {\n  name: 'Travel Agent',\n  version: '1.0.0',\n  capabilities: {\n    extensions: [apoaExtension()],\n  },\n  skills: [\n    {\n      id: 'book-flight',\n      name: 'Flight Booking',\n      description: 'Books flights on behalf of the user',\n      securityRequirements: [apoaSkillRequirement(['flights:book'])],\n    },\n  ],\n  // ...\n};\n```\n\n## How It Works\n\n1. Client attaches an APOA token to the A2A message's `metadata`, keyed by the APOA extension URI\n2. Client sends the `A2A-Extensions` header to activate the APOA extension\n3. Server extracts the token from message metadata\n4. Server maps the target skill to an APOA `service:scope` pair\n5. Server verifies: signature, expiration, revocation, scope, constraints, rules\n6. If authorized, the skill executes. If not, the task transitions to `AUTH_REQUIRED` or is rejected\n\n## Skill Mappings\n\n**Simple format:**\n```typescript\ncreateA2AGuard({\n  key: publicKey,\n  mappings: {\n    'book-flight':    'flights:book',\n    'search-flights': 'flights:search',\n  },\n});\n```\n\n**Auto-mapping (no config):**\n```typescript\ncreateA2AGuard({ key: publicKey });\n// book-flight -\u003e book-flight:invoke\n```\n\n## Delegation Across A2A Hops\n\nWhen Agent A delegates a task to Agent B, it can include an attenuated APOA token:\n\n```typescript\nimport { delegate } from '@apoa/core';\nimport { attachToken } from '@apoa/a2a';\n\n// Agent A delegates narrower permissions to Agent B\nconst childToken = await delegate(parentToken, {\n  agent: { id: 'agent-b' },\n  services: [{ service: 'flights', scopes: ['search'] }], // narrower than parent\n}, signingOptions);\n\n// Attach to the A2A message with the delegation chain\nconst message = { messageId: 'msg-002', role: 'user', parts: [{ kind: 'text', text: 'Search for flights' }] };\nattachToken(message, childToken.raw, [parentToken.jti]);\n```\n\nAgent B's server verifies the token and checks the delegation chain for revocation.\n\n## What This Adds to A2A\n\n| Capability | A2A Native | @apoa/a2a |\n|---|---|---|\n| Transport auth (OAuth, API keys) | Yes | N/A (complementary) |\n| Per-task scoped authorization | No (\"implementation-specific\") | Yes |\n| Delegation chains with attenuation | No | Yes |\n| Constraint checking | No | Yes |\n| Hard/soft rules | No | Yes |\n| Cascade revocation | No | Yes |\n| Audit trail | No (recommended, not specified) | Yes |\n\n## Part of the APOA Standard\n\n- [APOA Spec](https://github.com/agenticpoa/apoa/blob/main/SPEC.md)\n- [@apoa/core](https://www.npmjs.com/package/@apoa/core) (TypeScript SDK)\n- [@apoa/mcp](https://www.npmjs.com/package/@apoa/mcp) (MCP integration)\n- [apoa](https://pypi.org/project/apoa/) (Python SDK)\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagenticpoa%2Fapoa-a2a","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fagenticpoa%2Fapoa-a2a","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagenticpoa%2Fapoa-a2a/lists"}