Vibe Coding A2A · ClawCamp Campfire · 2026-05-18 · Frontier Tower

a workshop on the A2A protocol / one hour / your terminal

Rayyan Zahid · w/ Ivan Linn (Wavv)
> system boot
> loading a2a v1.0.0
> binding mcp · agntcy
● 200 OK · room CAMP
first principles · what it is

A2A IS HOW ONE AGENT ASKS ANOTHER AGENT TO DO SOMETHING.

Two software agents. Each speaks the same lightweight protocol over HTTP. Agent A sends a request. Agent B returns a result. That is the whole point. No SDK lock-in, no shared database, no shared model.

Analogy. If REST is how two services talk, and MCP is how a model talks to its tools, then A2A is how two agents talk to each other. Different agents. Different vendors. Same wire.

why this matters · the stakes

UNTIL A2A, AGENTS COULD NOT FIND EACH OTHER. NOW THEY CAN.

01 · before

Every integration was a private deal.

One vendor wrote a custom adapter for every other vendor they wanted to call. N agents. N squared adapters. The math did not work.

02 · the shift

A2A is an open standard for that wire.

JSON-RPC 2.0 over HTTP. One spec. Every agent that ships an agent card becomes callable by every other agent. Same wire for all of them.

03 · the new shape

Agents become composable.

A scheduling agent calls a search agent calls a payment agent. Different teams. Different stacks. No SDK glue. The protocol is the glue.

the metaphor

Before A2A, agents were apps on a phone with no app store. They worked. Nobody could find them. A2A is the directory and the wire at the same time. The web becomes navigable by software, not just by people.

→ a2a-protocol.org · 150+ orgs signed on · April 2026 retro

the win

A2A v1.0.0 SHIPPED.
while you were debugging prompts.

v1.0.0
First stable spec · 2026-03-12
→ github.com/a2aproject/A2A · tag v1.0.0
23,844
GitHub stars (live, fetched today)
→ api.github.com/repos/a2aproject/A2A · 2026-05-18
150+
Organizations supporting the standard
→ Linux Foundation press · 2026-04-09
43
Live agents at a2aregistry.org
→ Independent fetch · 30-min health checks
5
Production SDK languages
→ Python · JS · Java · Go · .NET
ACP
IBM ACP merged INTO A2A · Aug 2025
→ Kate Blair joined A2A TSC
wait, what about MCP?

TWO PROTOCOLS. DIFFERENT JOBS. NOT COMPETITORS.

B says

MCP

"I bring tools to one model."

a model calls functions
vertical: model to its tools
one direction. one principal.
10,000+ servers in the wild
A says

A2A

"I let two agents talk to each other."

an agent calls another agent
horizontal: peer to peer
both directions. two principals.
v1.0.0 March 2026

Most production stacks run both. MCP for tool-use inside one agent. A2A between agents. The next slide shows the full picture.

The Stack: tools, peers, identity

primer · what is a handshake

A HANDSHAKE IS A SHORT SCRIPT TWO PARTIES RUN BEFORE THEY TRUST EACH OTHER.

TCP shakes hands in three packets. TLS shakes hands in four. A2A shakes hands in two HTTP round-trips. First, A reads B's agent card. Then A calls a skill listed on it.

[1] DISCOVER. A fetches a small JSON file from B's well-known URL.
[2] READ. A parses the file, picks the right endpoint and auth.
[3] CALL. A sends a JSON-RPC request to that endpoint.
[4] PAIRED. B replies. The agents now know how to talk.

Compare. TCP: SYN, SYN-ACK, ACK. A2A: GET card, POST skill. Both are short scripts. Both run once. Both build trust before real work happens.

The Handshake

Two well-known files. Two HTTP round-trips.

Source: a2a-protocol.org/latest/topics/agent-discovery

the agent card · anatomy

ONE FILE. CALLABLE BY ANY AGENT.

The agent card is a single JSON file an agent serves at a well-known URL. It declares the agent's name, version, skills, auth shape, and endpoints. Any peer can fetch it without an account. The card answers "who are you and how do I call you" in one round trip.

$schema · C declares · A2A v1 schema URL. Conformance check anchor.
name · B identifies · The agent's stable identifier. Match against a registry.
version · SemVer. Older clients fail-soft on minor bumps.
url · B announces · Service endpoint. Where calls land.
provider · Who runs it. Org name. Contact.
auth · B authenticates · Bearer, OAuth2, device-code (RFC 8628). Format is regex-checkable.
capabilities · Streaming, push, extended card. Negotiation hints.
skills · B offers · Named methods. Input/output modes per skill.
endpoints · A calls · a2a (peer) + mcp (tools). Same auth scheme.
policy · Discovery mode. License. Telemetry opt-in.

→ Live shape from immersivecommons.com/.well-known/agent-card.json · 17,578 bytes. 14 capabilities. 19 scopes.

the well-known path · discoverability

EVERY AGENT KNOWS WHERE TO LOOK. /.well-known/agent-card.json

Well-known URIs are an old web idea (RFC 8615). A site declares standardised facts about itself at a fixed path under /.well-known/. Apps and browsers can fetch them without coordination. A2A uses the same trick.

[1] Path is fixed. Always /.well-known/agent-card.json. No discovery service needed.
[2] Public. No auth on the card itself. The card declares auth for the skills behind it.
[3] HTTPS. Card integrity rides on TLS plus optional signing (RFC 9421).
[4] One per host. Subdomains can run their own agents independently.

Siblings on the same path. ai-agent.json (richer manifest), mcp.json (tool index), openapi.json (legacy REST). Browsers, search engines, and security scanners check these without asking.

→ Try it now: curl https://www.immersivecommons.com/.well-known/agent-card.json · 17,578 bytes back, no auth needed.

what changed · may 2026

FOUR WEEKS. FOUR FACTS.

→ Each row gets its own slide. Then a working attack. Then two RFCs in plain English.

fact one · 2026-05-07

AGENTS GOT A WALLET.

what shipped

Bedrock AgentCore Payments

  1. AWS added payment primitives to the AgentCore runtime. The runtime is the box that hosts agents inside a VPC.
  2. Two rails attached on day one. Stripe for fiat. Coinbase for stablecoin and the x402 HTTP-402 flow.
  3. An agent inside AgentCore can now pay another agent (or a paid API) without a human in the loop. The runtime carries the credentials.
why it matters

Money is the missing field

A2A's task model already carried inputs, outputs, and state. It did not carry settlement. AgentCore is the first managed runtime where settlement is a peer of those.

Read this as the vendor signal: "agents talk" has been replaced by "agents transact." Every threat in this act assumes there is real money on the wire.

→ aws.amazon.com/blogs/machine-learning · agents-that-transact · 2026-05-07. Echoed by Stripe Link wallet for agents · TechCrunch · 2026-04-30.

fact two · 2026-05-13

x402 IS REAL ENOUGH TO ATTACK.

what x402 is

HTTP 402, finally used

  1. HTTP 402 has sat in the spec since 1997. Nobody shipped it. x402 turns it on. Server returns 402 with a payment challenge. Client pays. Client retries with proof. Server returns 200.
  2. Settlement is on-chain stablecoin (USDC) by default. Facilitators (Coinbase, Cloudflare, Google) clear it. $24M and 100M+ transactions in seven months.
  3. Production-ready enough that arXiv 2605.11781 (Vaziry et al., 2026-05-13) catalogues FIVE distinct attack classes against it.
the five

What the paper found

Replay (re-spend a single signed payment). Race (front-run between pay and serve). Misrouting (facilitator MITM swaps the recipient). Identity-bind drift (agent card swap mid-session). Refund-loop drain (poisoned receipt triggers compensating tx).

None of these break the cryptography. They break the choreography. The fixes live in RFC 9421 signatures, freshness windows, and bound identities. See s2.6.

→ Vaziry et al. arXiv:2605.11781 · cs.CR · 2026-05-13. Paired with Vaziry et al. arXiv:2507.19550 (ledger-anchored agent identities).

fact three · 2026-05-15

THE ENTERPRISE FLIP. RAMP INDEX.

methodology

Ramp's enterprise card-spend index

  1. Ramp issues corporate cards to ~30,000 US businesses. They publish an index that buckets card transactions by AI vendor.
  2. The index is recurring spend, not press releases. It captures who is actually being paid month over month by finance teams.
  3. On 2026-05-15 Anthropic's share of that index crossed OpenAI's for the first time. Business Insider broke it. HN top-of-front-page for a day.
why this is in act II

Adoption is the threat surface

Spec maturity matters less than who deploys it. Anthropic crossing OpenAI on Ramp means the most-cited frontier model in production right now ships with Claude Code, Skills, MCP, and Managed Agents. Each is a native A2A vector.

Paired with: Anthropic + SpaceX Colossus compute deal (2026-05-06, $5 to $10B per year), Claude Platform on AWS GA (2026-05-11), Managed Agents launch (2026-05-07).

→ Business Insider · Ramp Index · 2026-05-15. CNBC · SpaceX deal · 2026-05-06. AWS What's New · Claude Platform · 2026-05-11.

not so fast · a concrete attack

BYZANTINE CARD SWAP. THREE STAGES.

01 · DISCOVER
attacker scrapes /.well-known/agent-card.json
copies skills + auth scheme

02 · IMPERSONATE
publishes counterfeit card on typosquat domain
stale link or poisoned directory

03 · EXFILTRATE
caller's tasks route to attacker
outputs look plausible
trust degrades silently

→ Habler et al. Building A Secure Agentic AI Application Leveraging Google's A2A Protocol · ACSAC Workshops 2025 · DOI 10.1109/ACSACW69556.2025.00043. Corroborated by Anbiaee et al. arXiv:2602.11327 (12 protocol-level risks, creation/operation/update phases). Fix is on the next slide.
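
A caller-side check against the counterfeit card described above, added here as an example (it is not from the deck or the cited papers). It pins each agent name to the host that first served its card and to a hash of the fields that steer calls; the cards, hosts and function names are constructed for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Fields that decide where calls land and how they authenticate.
PINNED_FIELDS = ("name", "endpoints", "auth")


def fingerprint(card):
    """SHA-256 over a canonical JSON encoding of the pinned fields."""
    subset = {field: card.get(field) for field in PINNED_FIELDS}
    blob = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def endpoint_findings(card, served_host):
    """Every declared endpoint must be https and on the host that served the card."""
    findings = []
    for label, url in sorted(card.get("endpoints", {}).items()):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("endpoint %s is not https" % label)
        if (parts.hostname or "").lower() != served_host.lower():
            findings.append("endpoint %s is off-host: %s" % (label, parts.hostname))
    return findings


def check_card(card, served_host, pins):
    """Return findings for a fetched card; pin it on first clean contact."""
    findings = endpoint_findings(card, served_host)
    name = card.get("name")
    pin = pins.get(name)
    if pin is None:
        if not findings:
            pins[name] = {"host": served_host, "fingerprint": fingerprint(card)}
        return findings
    if pin["host"] != served_host:
        findings.append("name %s is pinned to %s, not %s" % (name, pin["host"], served_host))
    elif pin["fingerprint"] != fingerprint(card):
        findings.append("card for %s changed since it was pinned" % name)
    return findings


# Constructed sample cards on reserved example domains.
GENUINE = {
    "name": "venue-agent",
    "version": "1.0.0",
    "endpoints": {"a2a": "https://venue.example/api/a2a"},
    "auth": {"type": "bearer"},
}
# Stage 02 of the swap: same name, served from a look-alike host.
COUNTERFEIT = dict(GENUINE, endpoints={"a2a": "https://venue-agent.example/api/a2a"})
# Same host, but the auth block was swapped after pinning.
DRIFTED = dict(GENUINE, auth={"type": "none"})
# A card that sends calls somewhere other than the host that served it.
OFF_HOST = dict(GENUINE, name="other-agent",
                endpoints={"a2a": "https://collector.example/api/a2a"})


def demo():
    pins = {}
    return {
        "first contact": check_card(GENUINE, "venue.example", pins),
        "refetch": check_card(GENUINE, "venue.example", pins),
        "counterfeit": check_card(COUNTERFEIT, "venue-agent.example", pins),
        "drifted": check_card(DRIFTED, "venue.example", pins),
        "off-host": check_card(OFF_HOST, "venue.example", pins),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "ok")
```

The version field is left out of the fingerprint on purpose, so a routine version bump does not trip the pin while an endpoint or auth change does.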

defense layer 01 · the signature

RFC 9421. SIGN THE REQUEST, NOT JUST THE TOKEN.

analogy

A wax seal on a sealed envelope

A Bearer token is the envelope. Anyone who steals the envelope can resend it. RFC 9421 melts a wax seal across the envelope flap and the writing inside. If anyone forwards or replays, the seal breaks.

Concretely, the caller signs a covering set of fields (method, authority, target-uri, content-digest, created timestamp) with Ed25519. The peer verifies the signature against a published public key. Sixty-second freshness window kills replay.

Used by Cloudflare Web Bot Auth and now by IC's agent card. The same standard the browser-bot world adopted to authenticate AI crawlers.

what's on the wire

REQUEST HEADERS
POST /api/a2a HTTP/1.1
Host: peer.example.com
Authorization: Bearer agt_••••
Content-Digest: sha-256=:••••:
Signature-Input: sig1=("@method" "@authority" "@target-uri" "content-digest");created=•••; keyid="agent-ed25519";alg="ed25519"

→ RFC 9421 · HTTP Message Signatures. Layer 01 of IC's defense stack. Same signature scheme Habler et al. recommend in their s2.5 mitigation.
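
The peer-side checks behind that header set, added here as an example (not code from the deck or from IC): rebuild the signature base, require the four covered components, enforce the sixty-second window and compare the body digest. To stay standard-library only it signs with RFC 9421's hmac-sha256 algorithm instead of the Ed25519 key the slide uses; the key, keyid and sample request are constructed.

```python
import base64
import hashlib
import hmac
import re

FRESHNESS_SECONDS = 60  # the sixty-second window from the slide
REQUIRED = ("@method", "@authority", "@target-uri", "content-digest")
KEY = b"constructed-demo-key"  # constructed shared secret for the HMAC stand-in


def content_digest(body):
    """Content-Digest header value: sha-256=:<base64 SHA-256 of the body>:"""
    return "sha-256=:%s:" % base64.b64encode(hashlib.sha256(body).digest()).decode()


def signature_base(req, params):
    """RFC 9421 signature base; params is the Signature-Input value after 'sig1='."""
    covered = re.findall(r'"([^"]+)"', params[: params.index(")")])
    derived = {
        "@method": req["method"].upper(),
        "@authority": req["authority"].lower(),
        "@target-uri": req["target_uri"],
    }
    lines = []
    for name in covered:
        value = derived[name] if name.startswith("@") else req["headers"][name].strip()
        lines.append('"%s": %s' % (name, value))
    lines.append('"@signature-params": ' + params)  # received parameter string, reused as-is
    return covered, "\n".join(lines)


def sign(req, key, created):
    """Caller side: attach Content-Digest, Signature-Input and Signature."""
    headers = dict(req["headers"])
    headers["content-digest"] = content_digest(req["body"])
    signed = dict(req, headers=headers)
    components = " ".join('"%s"' % name for name in REQUIRED)
    params = '(%s);created=%d;keyid="demo-key";alg="hmac-sha256"' % (components, created)
    _, base = signature_base(signed, params)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    headers["signature-input"] = "sig1=" + params
    headers["signature"] = "sig1=:%s:" % base64.b64encode(mac).decode()
    return signed


def verify(req, key, now):
    """Peer side: return (accepted, reason)."""
    headers = req["headers"]
    label, _, params = headers.get("signature-input", "").partition("=")
    sig = re.fullmatch(re.escape(label) + r"=:([A-Za-z0-9+/]+={0,2}):",
                       headers.get("signature", ""))
    created = re.search(r";\s*created=(\d+)", params)
    if not (label and sig and created and ")" in params):
        return False, "missing or malformed signature headers"
    try:
        covered, base = signature_base(req, params)
        received = base64.b64decode(sig.group(1))
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if not set(REQUIRED) <= set(covered):
        return False, "required component not covered"
    if abs(now - int(created.group(1))) > FRESHNESS_SECONDS:
        return False, "outside freshness window"
    if not hmac.compare_digest(headers["content-digest"].strip(), content_digest(req["body"])):
        return False, "content-digest does not match body"
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, received):
        return False, "signature mismatch"
    return True, "ok"


def sample_request():
    """Constructed tasks/send call to a placeholder peer."""
    return {
        "method": "POST",
        "authority": "peer.example.com",
        "target_uri": "https://peer.example.com/api/a2a",
        "headers": {"authorization": "Bearer agt_constructed"},
        "body": b'{"jsonrpc":"2.0","id":1,"method":"tasks/send","params":{}}',
    }


def demo():
    req = sign(sample_request(), KEY, created=1000)
    swapped = dict(req, body=b'{"jsonrpc":"2.0","id":1,"method":"tasks/send","params":{"x":1}}')
    forwarded = dict(req, target_uri="https://other.example/api/a2a")
    return {
        "fresh": verify(req, KEY, now=1010),
        "replayed later": verify(req, KEY, now=1061),
        "body swapped": verify(swapped, KEY, now=1010),
        "forwarded elsewhere": verify(forwarded, KEY, now=1010),
    }
```

A replay that arrives inside the window still verifies here; a peer that needs single use also has to remember the signatures it has recently accepted.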

defense layer 02 · the device code

RFC 8628. A LOGIN FLOW FOR AGENTS WITHOUT BROWSERS.

analogy

The smart-TV Netflix login

You can't type on a smart TV. So Netflix shows a short code, you open netflix.com/tv on your phone, type the code, and the TV is logged in. RFC 8628 is exactly that, written down.

Agents are the smart TV. They have no browser, no keyboard, no password manager. They ask the auth server for a device code, hand the human a URL plus a code, then poll until the human approves. No password ever touches the agent.

This is why A2A v1.0.0 retired implicit-flow and password-grant OAuth and shipped device-code + PKCE as the standard. The agent never gets a long-lived secret. It gets a scoped token, revocable, auditable.

the choreography

AGENT · AUTH SERVER · HUMAN
01 · /device_authorization
02 · device_code + user_code
03 · "open this URL, type this code"
04 · approve
05 · poll · poll · poll
06 · scoped token

→ RFC 8628 · OAuth 2.0 Device Authorization Grant. A2A v1.0.0 ships device-code + PKCE by default. Layer 02 of IC's defense stack.
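
Step 05 of that choreography as an added example (not code from the deck or from A2A): the agent's polling loop with the RFC 8628 error handling, where authorization_pending keeps polling, slow_down adds five seconds to the interval, and anything else ends the flow. The auth server is a constructed scripted stand-in and the clock is fake, so it runs offline; client id, codes and scope are made up.

```python
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """The flow ended without a token (denied, expired, or an unknown error)."""


def poll_for_token(post, device, client_id, sleep, now):
    """Poll the token endpoint until the human approves, denies, or the code expires.

    post(form) -> dict is the transport; sleep and now are injected so the loop is testable.
    """
    interval = device.get("interval", 5)      # RFC 8628 default when the server omits it
    deadline = now() + device["expires_in"]
    form = {"grant_type": GRANT_TYPE,
            "device_code": device["device_code"],
            "client_id": client_id}
    while now() < deadline:
        sleep(interval)
        reply = post(form)
        error = reply.get("error")
        if error is None:
            return reply                      # scoped token response
        if error == "slow_down":
            interval += 5                     # back off for every later poll
        elif error != "authorization_pending":
            raise DeviceFlowError(error)      # access_denied, expired_token, ...
    raise DeviceFlowError("expired_token")    # stop polling once the device code has lapsed


class ScriptedServer:
    """Constructed stand-in for the auth server: replays a fixed list of replies."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.polls = 0

    def __call__(self, form):
        self.polls += 1
        if self.replies:
            return self.replies.pop(0)
        return {"error": "authorization_pending"}


PENDING = {"error": "authorization_pending"}
SLOW_DOWN = {"error": "slow_down"}
DENIED = {"error": "access_denied"}
TOKEN = {"access_token": "constructed-token", "token_type": "Bearer",
         "expires_in": 3600, "scope": "events:read"}


def run(replies, expires_in=600):
    """Drive the loop with a fake clock; return (outcome, sleeps)."""
    clock = {"t": 0}
    sleeps = []

    def sleep(seconds):
        sleeps.append(seconds)
        clock["t"] += seconds

    device = {"device_code": "constructed-device-code", "user_code": "ABCD-EFGH",
              "verification_uri": "https://auth.example/device",
              "expires_in": expires_in, "interval": 5}
    server = ScriptedServer(replies)
    try:
        token = poll_for_token(server, device, "demo-agent", sleep, lambda: clock["t"])
        return token["scope"], sleeps
    except DeviceFlowError as exc:
        return "error:" + str(exc), sleeps


if __name__ == "__main__":
    print(run([PENDING, SLOW_DOWN, PENDING, TOKEN]))
    print(run([PENDING, DENIED]))
    print(run([], expires_in=12))
```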

the invisible win

The protocol won by becoming invisible plumbing. Payments and identity now own the conversation.

→ synthesis · recon-news, May 2026. zero new posts about agent-card schema. all the news is about money.

act III · build · what a lab is

THREE LABS LIVE. TWO TO GO HOME WITH.

A lab is a copy-paste action with a visible result. You run a command, you see a real API answer. Labs 01, 02, 03 happen here in the room (about 15 minutes total). Labs 04 and 05 are scaffolds you clone at home (a FastAPI MCP server and an x402 paywall worker).

→ every lab links to a runnable page under /lab. open one in a second tab. follow along.

lab 01 · setup · probe an agent-native venue
A · you B · immersivecommons

PROBE IC.
three curls. zero auth. three layers of the discovery contract.

3 min · terminal · follow the 307

$ curl -sL https://immersivecommons.com/.well-known/agent-card.json | jq '.name, .version, (.capabilities | length)'
$ curl -sL https://immersivecommons.com/.well-known/ai-agent.json | jq '.recovery | keys'
$ curl -sL https://immersivecommons.com/.well-known/mcp.json | jq '.url, .transport, (.tools | length)'

→ apex redirects to www (307). pass -L or you will see 15 bytes of nothing. this is PITFALL P29.

lab 01 · result · here is the agent-card

THREE URLS. ONE PRODUCT. ONE FETCH EACH.

immersivecommons.com · /.well-known · live 200 · application/json
$ curl -sL https://immersivecommons.com/.well-known/agent-card.json | jq
{
  "$schema": "https://a2a-protocol.org/schemas/agent-card/v1.json",
  "name": "immersive-commons-floor10",
  "version": "1.15.0",
  "endpoints": {
    "a2a": "https://www.immersivecommons.com/api/a2a",
    "mcp": "https://www.immersivecommons.com/api/mcp",
    "feedback": "https://www.immersivecommons.com/api/agent/feedback"
  },
  "auth": {
    "type": "bearer",
    "format": "agt_<base64url-32bytes>",
    "signup": {
      "kind": "rfc8628-device-code",
      "start_url": ".../api/agent/signup/start",
      "poll_url":  ".../api/agent/signup/poll"
    }
  },
  "capabilities": [ 14 entries ... ]
}
name · immersive-commons-floor10

Stable agent identity. The string an agent registry indexes on.

endpoints.a2a · /api/a2a

Where peer agents POST JSON-RPC envelopes (agent/info, tasks/send).

endpoints.mcp · /api/mcp

Where MCP clients (Claude Desktop, Cursor) hit tools/call.

auth.signup · rfc8628-device-code

No copy-paste. Agent prints a code, human signs in elsewhere, token mints.

capabilities (14) · highlights, membership, leaderboard, events, headsets, signal...

The tool surface. Each one is a verb an agent can call.

resilience.feedback_url · /api/agent/feedback

Self-healing loop. Agent reports schema drift, operator fixes.

→ 17,578 bytes. 14 capabilities. 19 scopes. one fetch. this is what production discovery looks like in 2026.

lab 02 · setup · call a public MCP tool
A · you B · ic_signal_get_latest

HIT THE MCP.
streamable-http. JSON-RPC body. zero auth. Claude Desktop or curl.

5 min · POST · application/json + text/event-stream

$ curl -sN -X POST https://www.immersivecommons.com/api/mcp \
    -H 'Content-Type: application/json' \
    -H 'Accept: application/json, text/event-stream' \
    -d '{"jsonrpc":"2.0","id":3,"method":"tools/call",
         "params":{"name":"ic_signal_get_latest","arguments":{}}}'

→ set Accept to BOTH types. the server picks one. parse both. PITFALL P36.

lab 02 · result · here is the SIGNAL latest issue

ONE POST. REAL DATA. NO TOKEN.

POST /api/mcp · tools/call · ic_signal_get_latest 200 · jsonrpc 2.0
{
  "jsonrpc": "2.0",
  "id": 3,
  "result": {
    "content": [
      {
        "type": "text",
        "text": {
          "slug": "issue-008-2026-05-12",
          "title": "Signal #008 · the protocol that won",
          "published_at": "2026-05-12T16:00:00Z",
          "stories": [
            { "headline": "A2A v1.0 ships", "score": 94 },
            { "headline": "MCP 37.tool surface live", "score": 88 },
            { "headline": "x402 crosses $24M", "score": 81 }
          ],
          "story_count": 7
        }
      }
    ],
    "isError": false
  }
}
jsonrpc + id "2.0" · id 3

JSON-RPC envelope. id echoes your request so concurrent calls reconcile.

result.content[] type: "text"

MCP wraps everything in a content array. type can be text, image, resource.

isError false

JSON-RPC errors live in the body, NOT the HTTP status. 200 can still be an error.

payload shape slug, title, stories[], story_count

The tool's own schema. Five public ic_signal_* tools, no auth, all the same shape.

→ status 200 + body.error means failure. naive clients miss this and treat all errors as success. (proposed P38.)
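
A client-side parser for the two pitfalls in this lab, added here as an example (not code from the deck or from the IC server): it accepts either content type the server may pick and treats a 200 that carries a JSON-RPC error or isError as a failure. The response bodies below are constructed samples and the function names are illustrative.

```python
import json


class ToolCallError(Exception):
    """The call failed, whatever the HTTP status said."""


def sse_messages(text):
    """Yield the JSON payload of each server-sent event in a text/event-stream body."""
    data = []
    for line in text.splitlines() + [""]:       # trailing "" flushes the last event
        if line.startswith("data:"):
            value = line[5:]
            data.append(value[1:] if value.startswith(" ") else value)
        elif line == "" and data:                # blank line ends an event
            yield json.loads("\n".join(data))
            data = []


def tool_content(status, content_type, body, request_id):
    """Return result.content for our request id, or raise ToolCallError."""
    if status != 200:
        raise ToolCallError("http status %d" % status)
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":
        messages = [json.loads(body)]
    elif media == "text/event-stream":
        messages = list(sse_messages(body))
    else:
        raise ToolCallError("unexpected content type %s" % media)
    for msg in messages:
        if not isinstance(msg, dict) or msg.get("id") != request_id:
            continue                             # notification or a reply to another call
        if "error" in msg:                       # failure delivered with HTTP 200
            err = msg["error"]
            raise ToolCallError("json-rpc error %s: %s" % (err.get("code"), err.get("message")))
        result = msg.get("result") or {}
        if result.get("isError"):                # tool-level failure, also HTTP 200
            raise ToolCallError("tool reported isError")
        return result.get("content", [])
    raise ToolCallError("no reply for request id %r" % request_id)


def outcome(status, content_type, body, request_id):
    """Summarise a response as 'ok' or 'failed: <reason>'."""
    try:
        tool_content(status, content_type, body, request_id)
        return "ok"
    except ToolCallError as exc:
        return "failed: %s" % exc


# Constructed sample responses, all delivered with HTTP 200.
OK_JSON = ('{"jsonrpc":"2.0","id":3,"result":'
           '{"content":[{"type":"text","text":"issue-008"}],"isError":false}}')
OK_SSE = (': keep-alive\n'
          'event: message\n'
          'data: {"jsonrpc":"2.0","method":"notifications/progress","params":{}}\n'
          '\n'
          'event: message\n'
          'data: {"jsonrpc":"2.0","id":3,\n'
          'data: "result":{"content":[{"type":"text","text":"issue-008"}],"isError":false}}\n'
          '\n')
RPC_ERROR = '{"jsonrpc":"2.0","id":3,"error":{"code":-32602,"message":"Invalid params"}}'
TOOL_ERROR = ('{"jsonrpc":"2.0","id":3,"result":'
              '{"content":[{"type":"text","text":"upstream timeout"}],"isError":true}}')

if __name__ == "__main__":
    print(outcome(200, "application/json", OK_JSON, 3))
    print(outcome(200, "text/event-stream", OK_SSE, 3))
    print(outcome(200, "application/json", RPC_ERROR, 3))
    print(outcome(200, "application/json", TOOL_ERROR, 3))
```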

lab 03 · setup · render your own card
A · you becomes B · your agent

MAKE A CARD.
copy the template. fill in five fields. serve at /.well-known/agent-card.json.

7 min · template · live JSON · agentify audit

$ cp ~/.claude/skills/agentify/templates/agent-card.json.template public/.well-known/agent-card.json
# edit five fields:
name: my-first-agent
version: 0.1.0
endpoints.a2a: https://my-domain.com/api/a2a
skills: [ "hello", "list_things" ]
auth.type: "none"   # public discovery is intentional. P21.

→ omit auth and you publish a public-by-default agent. set it on purpose, even to "none". PITFALL P21.

lab 03 · result · the audit jumps

ZERO TO EIGHT IN ONE COMMIT. YOU ARE NOW TOP 50%.

public/.well-known/agent-card.json · CC-BY-SA-4.0
{
  "$schema": "https://a2a-protocol.org/spec/agent-card/v1",
  "name": "my-first-agent",
  "version": "0.1.0",
  "description": "First agent. Friday demo.",
  "url": "https://my-domain.com",
  "provider": {
    "name": "Your Name",
    "url": "https://linkedin.com/in/you"
  },
  "auth": { "type": "none" },
  "capabilities": [
    {
      "name": "hello",
      "description": "Returns a greeting.",
      "method": "GET",
      "url": "https://my-domain.com/api/hello"
    },
    {
      "name": "list_things",
      "description": "Returns a list of things.",
      "method": "GET",
      "url": "https://my-domain.com/api/things"
    }
  ],
  "endpoints": {
    "a2a": "https://my-domain.com/api/a2a"
  },
  "policy": { "discoveryMode": "public", "license": "CC-BY-SA-4.0" }
}

agentify audit · 30 point preview

  01. agent-card.json
  04. llms.txt + robots.txt
  05. markdown content-negotiation
  06. JSON-LD / schema.org
  09. content-signal headers
  12. accessibility tree
  13. WebMCP exposure
  14. A2A endpoint declared
  02. mcp.json
  03. ai-agent.json
  10. MCP server
  11. SKILL.md
  16. observability
  17. memory layer
  22. signed-request enforcement
  25. recovery block
  26-30. AET scenarios

score: 0 / 30  →  8 / 30. average public site: 38 / 100. nothing above 70.

→ 8 free points in 5 minutes. labs 04 + 05 take you past 17. (CF April 2026 study.)

lab 04 + 05 · run these at home

TWO TEMPLATES. YOU LEAVE WITH BOTH.

B serves
FastAPI MCP server
/templates/fastapi-mcp/

Streamable-http transport. Bearer auth. Five seed tools. Deploy to Render or Fly in one command. Wires into the agentify scaffold. Local probe at /.well-known/mcp.json the moment uvicorn boots.

A pays B verifies
x402 paywall worker
/templates/x402-worker/

Cloudflare Worker. Returns 402 with a payment quote. Verifies USDC on Base via Coinbase facilitator. Settles. Returns 200 + the asset. Economic gating IS auth for agents-paying-agents.

→ x402 itself processed $24M in 100M+ transactions, May 2025 to Dec 2025. live, not vapor.

native frameworks · if you already ship one of these

A2A IS ALREADY THERE.

Google ADK · LangGraph · CrewAI · LlamaIndex · Semantic Kernel · AutoGen · AWS Bedrock AgentCore · Azure AI Foundry · Google Agent Engine · Copilot Studio · LangSmith Server

→ ADK: from google.adk.a2a.utils.agent_to_a2a import to_a2a · LangGraph: langgraph-api ≥ 0.4.21 · agent card at /a2a/{assistant_id}.

setup · retrieval-augmented generation in plain english

WHAT IS RAG?

Two steps. First the model retrieves relevant passages from your data (docs, tickets, code, papers). Then it generates an answer grounded in those passages. The model still writes the prose, but the facts come from your index, not its training set.

stage 1 · RETRIEVE · find the passages.
[diagram: QUERY · INDEX · your docs · vectors · BM25 · ranks]

retrieve: a question goes in. similarity + keyword search ranks the top-k passages out of your private corpus.

stage 2 · GENERATE · write the answer.
[diagram: PASSAGES · top 5 passages + cites · passages + prompt · MODEL · writes]

generate: passages + question + system prompt → model. answer cites the passages, not its training memory.

→ why bother? the model gets your private data without retraining. and you get citations, so you can verify.

why agentic RAG · the gap classic retrieval misses

WHY AGENTIC?

Classic RAG is one shot. Ask, retrieve, answer. But real questions are messy. The first retrieval often misses. Sometimes you need to refine the query, retrieve from a different index, or reason across multiple passages. That work belongs to agents, not to a single ranker.

when

retrieval needs a second pass.

the first pass returned 5 passages, none of them about 2026. the reasoner detects the gap and asks the retriever to widen the date filter.

when

one model can't hold all the context.

retriever ranks. reasoner synthesizes. composer cites. each is a smaller agent with its own card, called via A2A, parallelizable.

when

you want auditable hops.

every inter-agent message is a JSON-RPC envelope with an id. you can replay the conversation. you can verify the citation chain.

when

the indexes are owned by different teams.

retriever-A owns the legal corpus. retriever-B owns the engineering wiki. one orchestrator fans the query out. A2A makes the seams legible.

→ next slide: the swarm in motion. retriever → reasoner → composer, each one its own agent card.

AGENTIC RAG × A2A · slide 15

RAG isn't a tool.
It's a swarm.

[diagram: Query → AGENT-A Retriever-Agent → AGENT-B Reasoner-Agent → AGENT-C Composer-Agent → Response. each agent serves /.well-known/agent-card.json and is called with POST /a2a { "query": ... }.]
[messages shown: result · passages[5] { "rank": "bm25+colbert" } / jsonrpc · "refine_query" { "gap": "no 2026 sources" } id=2 · loopback / result · synthesis { "claims": 7, "cites": 12 } / clarify? id=3 / 200 OK { "answer": ... }]

SRC · arXiv:2501.09136 · 2505.02279 · 2505.03864 · 2508.01332 · 2507.19550 · 2602.11327 · 2605.06285 · agentic-RAG × A2A intersection · each arrow is a JSON-RPC envelope · each box has its own agent-card.

production receipts · this is already revenue

FIVE VERTICALS. ONE STANDARD.

hospitality
11
Hotels on agents.inhotel.io

A2A-card-discoverable. Live concierge agents. Booking + upsell. Each property publishes its own agent-card.

a2aregistry.org

supply chain
SAP × NVIDIA

Specialized agents on SAP S/4HANA. Logistics handoff via A2A. Co-announced GTC 2026.

blogs.nvidia.com

financial
PayPal · Adyen · Mastercard

AP2 + A2A. 60+ orgs at the April 2026 launch. Mandate proofs of consent before any agent settles.

linuxfoundation.org

insurance
Salesforce · ServiceNow

Cross-vendor claim handoff. Each carrier publishes its own card. Adjusters never see the other vendor's UI.

salesforce.com

IT ops
Cisco AGNTCY

75+ orgs. Kubernetes ops agents. Production deploys at SoftServe × Webex, Swisscom.

agntcy.org

→ LF April 2026 retro. Azure AI Foundry, Amazon Bedrock AgentCore, Google Cloud all carry A2A in their runtimes.

explainer · the payment rail

WHAT IS x402?

HTTP 402 · since 1997 · revived 2025

A status code finally got a job. HTTP 402 sat dormant for 28 years. In 2025 Coinbase turned it into the wire for agent-to-agent payments.

Think of a vending machine that returns a price tag instead of a drink when you swipe an empty card. Tap again with funds, drink falls out. Same request. No login. No invoice.

An agent calls a tool. Server answers 402 with a quote. Agent pays USDC on Base via a Coinbase facilitator. Same request retries. Server returns 200 plus the asset. The whole exchange takes one round trip. No accounts. No checkout flow. No human in the loop.

GET /tool → 402 + quote → USDC on Base → 200 + asset

→ $24M processed in 100M+ transactions, May to Dec 2025. Facilitators: Coinbase, Cloudflare, Google. Stripe shipped Base x402 USDC in Feb 2026.

explainer · the identity rail

WHAT IS ERC-8004?

Ethereum mainnet · live Jan 2026

A trust contract for agents that aren't people. ERC-8004 puts agent identity, reputation, and validation onchain. Three registries. One standard.

Think of a passport stamped by every customs officer it has met. The passport lives on a public wall. Anyone can read the stamps before letting the agent through their door.

Trustless agents need three things from each other. Who are you. What have you done. Did your last claim verify. ERC-8004 gives each of those a contract on Ethereum mainnet. The signed A2A agent-card now points at an onchain anchor. The same identity travels across organizations without a federation deal.

Identity + Reputation + Validation · signed agent-card

→ Vaziry, Garzon, Küpper. arXiv:2507.19550. Ledger-anchored AgentCards on Ethereum mainnet, live since January 2026. Zero academic papers cite ERC-8004 directly yet. We cite the spec.

what's next · economics

AGENTS GET WALLETS.

settlement
A2A × x402

HTTP 402 returns a price quote. The agent pays USDC on Base via the Coinbase facilitator. Server returns 200 with the asset. No accounts. No invoices. No checkout.

→ Vaziry et al. arXiv:2507.19550

identity
ERC-8004

Trustless agents on Ethereum mainnet. Identity plus Reputation plus Validation. Live since Jan 2026. Pairs with A2A's signed agent cards.

→ Vaziry x402 paper. Ledger-anchored cards

directory
AGNTCY OASF

Cisco-led. Content-addressed agent records. OCI/ORAS artifact distribution. Sigstore provenance. Discovery you can actually pin.

→ Muscariello et al. arXiv:2509.18787

→ AP2 authorizes via consent mandates. x402 settles the rails. ERC-8004 identifies the chain. AGNTCY pins the directory. Four layers, one substrate.

explainer · the directory layer

WHAT IS AGNTCY?

Kademlia DHT · OCI/ORAS · Sigstore

Cisco's answer to the "where do agents live" question. AGNTCY is the directory + group-comms layer that sits over A2A and MCP, not against them.

Think of npm for agents, signed by Sigstore. Each record is content-addressed, so the address IS the hash, so tampering breaks the link. Pin it, and discovery becomes reproducible.

A2A handles peer talk. MCP handles tool access. Neither tells you where the next agent lives. AGNTCY's Open Agent Schema Framework wraps both, ships records over a Kademlia DHT with OCI/ORAS distribution, signs everything with Sigstore. 75+ orgs joined by July 2025. Five LF formative members. Already in production at SoftServe × Cisco Webex and Swisscom.

A2A + MCP · AGNTCY OASF · signed, pinned, discoverable

→ Muscariello, Pandey, Polic. arXiv:2509.18787. LF members: Cisco, Dell Technologies, Google Cloud, Oracle, Red Hat. Donated to Linux Foundation 2025-07-29.

our work · exhibit a · the venue

IMMERSIVE COMMONS.

An agent-native venue at Floor 10. Humans walk in. Agents call in. Same building.

40 · MCP tools
7 · A2A skills
24 · scopes
RFC 8628 · device-code
RFC 9421 · signed responses

immersivecommons.com. Live. The QR on the GO FORTH slide gets you a guest pass.

our work · exhibit b · the defender

LOBSTERHONEY. A HONEYPOT FOR AGENTS.

Malicious agents are coming. We build sweet, sticky places for them to land. Then we audit who showed up.

what it is
Verified-defender tier

Honeypots positioned as legitimate agent-discoverable surfaces. When a hostile agent crawls them, we record the agent-card it presents, the calls it makes, and the patterns it leaves. Audit reports go to operators who need the receipts.

why it matters
Same tier as CrowdStrike

The Habler ACSAC paper, BlockA2A, the Anbiaee threat model. Every major 2025+ security paper says A2A's discovery layer is the attack surface. We answer with infrastructure, not a whitepaper. Applying to Anthropic CVP and OpenAI TAC as a defender.

lobsterhoney.com. Co-founded with Kevin and Michalis. Brand v1.0 shipped 2026-04-21.

our work · exhibit c+d · the maker plus the auditor

SKEW + AGENTIFY.

Two halves of the same fix. Skew makes pages that read to agents. Agentify tells you how close yours already is.

exhibit c · the maker
Skew

Supply-side flip. The CC-PRO design engine, weaponized for landing pages that agents can actually parse. Schema.org. JSON-LD. /llms.txt. /.well-known/agent-card.json. Designers stop sloppfooding the agent.

skew.site
exhibit d · the auditor
agentify

25-point readiness audit. Claude skill. Point it at a repo. It scores you, plans the missing layers, scaffolds the templates, verifies the deploys, registers you on the agentic web. Discovery + execution + trust in one pass.

isitagentready.com

→ both publish their own /.well-known/agent-card.json. you can call them right now.

recursive proof · this deck is callable

THIS DECK PUBLISHES ITS OWN CARD.

→ live, right now. an A2A client could call this deck and ask which slide is on screen. agents have already been here.

the cut · what A2A doesn't solve yet

THE PROTOCOL WORKS.
THE INCENTIVES DON'T.

There is no shared lexicon for what an agent is allowed to want.

A protocol is a contract. An agent without a budget is a bug.

go forth

SIX QRs. SIX MOVES.

LinkedIn
linkedin.com/in/rayyanzahid · connect

IC Join
become a guest at floor10 · agent-native venue

Signal
weekly AI dispatch · 5-agent SAOT

This Deck
vibe-coding-a2a.vercel.app · recursive grab

VCN #36
Build Your Own A2A Endpoint · June 10

agentify
isitagentready.com · 25-point audit

thanks

BUILT TONIGHT.
WITH YOU.

music · Ivan Linn · Wavv. Open-source music AI. Musica large music model.

venue · Frontier Tower. Floor 10. The room you are sitting in.

cohort · ClawCamp. The campfire.

stack · A2A protocol. MCP. AGNTCY. RFC 8628. RFC 9421.

deck · This deck. One file. Callable by agents. Open the dev tools.

YOUR MOVE.

→ Rayyan Zahid · vibe-coding-a2a.vercel.app · 2026-05-18 · room CAMP