Pillar Mini Site · refreshed 2026-05-08 · ~5,200 words

Agent Cards Explained

The load-bearing artefact of the Agent2Agent protocol. A JSON document, published at a well-known URL, signed for trust, consumed by every A2A client. This is the 2026 field guide — what an Agent Card is, what fields it carries, how Signed Agent Cards work, where to publish one, how it compares to OpenAPI / robots.txt / llms.txt / model cards / MCP server descriptors, and which marketplaces have started consuming it.

TL;DR

An Agent Card is a JSON document at a well-known URL. It is the wire format A2A uses for agent discovery: identity, skills, endpoint, supported modalities, authentication schemes, and — in v1.0 — a JWS signature attesting that the card was issued by the domain owner. The default location is https://<host>/.well-known/agent-card.json, the same design pattern as robots.txt for crawlers and llms.txt for LLM-readable site indexes. The closest precedent is the OpenAPI Specification for HTTP APIs and Mitchell et al.'s 2019 Model Cards for model documentation.

What this page does: lays out, in one place, the schema, the signing model, the publishing patterns, the marketplace dimension, and the security considerations. Every claim is backed by a direct quote from the canonical primary source — vendor docs, foundation press releases, regulator publications, peer-reviewed papers — so the argument can be checked. Audience: agent developers, marketplace operators, security architects.

1 What an Agent Card is — and why the protocol needs one

The A2A v1.0 specification describes a world in which agents built on different frameworks, by different vendors, in different organisations, exchange tasks across boundaries. The first problem any cross-vendor protocol has to solve is how does the calling side know what the receiving side can do? A2A's answer is the Agent Card.

"Agents can advertise their capabilities using an 'Agent Card' in JSON format, allowing the client agent to identify the best agent that can perform a task and leverage A2A to communicate with the remote agent."

Concretely, an Agent Card is a JSON document. It has a defined schema. It is published at a stable URL — the well-known URL https://<host>/.well-known/agent-card.json by default. Every A2A-compliant client looks there first when asked to call an agent at a given host. The card declares who the agent is, what it can do, where to reach it, which input and output modes it accepts, how to authenticate, and who issued it.

That much was true in earlier drafts of A2A. What v1.0 adds — and what most of the 2026 conversation about Agent Cards is actually about — is that the card can be cryptographically signed. The receiver does not have to take "I am the marketing agent for example.com" on faith; it can verify a JWS signature against a key bound to the domain owner. Section 3 of this page walks through that mechanism in full.

The mailing-address analogy

The clean mental model is postal mail. The Agent Card is the agent's published mailing address and résumé in one document. The task — A2A's unit of work — is a letter sent to that address. The protocol does not dictate what the receiving agent does with the letter; it dictates what an envelope looks like, where to put the address, and how the post office tracks delivery. The Agent Card is the address book entry the sender consults before posting.

The analogy holds further: a postal address is public, but the contents of the envelope can be encrypted; the post office cannot tell whether you are dispatching a contract or a love letter. The same is true of A2A. The Agent Card publicly advertises that the agent accepts text and structured input on five named skills; the actual task contents flow over JSON-RPC 2.0 with whatever auth the card declared. Discovery is open; conversation is private.

What an Agent Card is not

It is not the agent. The card is metadata. The agent itself is whatever code runs behind the endpoint — a LangGraph plan, a CrewAI crew, a Microsoft Agent Framework workflow, an OpenAI Agents SDK process, an in-house Python service. The card describes; the agent acts. Anthropic's framing of "what an agent is" — a system using LLMs in a loop, with tools, until done — is orthogonal to the card. The card is the public face; the loop is the private implementation.

It is also not a session. Cards are static (or near-static) documents intended to be fetched, cached, and re-validated periodically — closer to a DNS record than to an HTTP response. A card might change every few weeks (new skill added, signing key rotated); it does not change per request.

2 The status of the spec and who is shipping it

A2A was announced by Google in April 2025 and donated to the Linux Foundation in June 2025. The Linux Foundation press release formalised the project transfer with a founding board including Amazon, Cisco, Google, Microsoft, Salesforce, SAP, ServiceNow, and Workday. By April 2026 the project's partners page tracks more than 150 supporting organisations.

"A2A provides the definitive common language for agent interoperability in a world where agents are built using diverse frameworks and by different vendors."

The reference implementation, JSON Schemas, and TypeScript types live at github.com/a2aproject/A2A; the spec at a2a-protocol.org/latest/specification/. Both Microsoft Agent Framework v1.0 and Google's Agent Development Kit ship A2A clients and servers; AWS Bedrock AgentCore Runtime hosts A2A endpoints; Salesforce Agentforce integrates A2A out of the box; Google Vertex AI Agent Builder exposes Model Garden through A2A. Adoption breadth is no longer the question; the question is depth of cross-vendor production deployments — and that is still early per Gartner's Hype Cycle for Agentic AI 2026 (17% deployed, 60%+ planning) and McKinsey's State of AI 2025 (23% scaling agentic AI in at least one function; only 39% reporting any EBIT impact).

The relevance for this page is that the Agent Card schema itself is now stable enough to design against. v1.0 fixed the field set; subsequent revisions will add — not break — fields. If you are building an A2A client or server in 2026 you can safely treat the v1.0 card schema as your contract.

3 The Agent Card schema — what is in the JSON

The v1.0 Agent Card is structured into four logical groups: identity, capabilities, auth, and provenance. The detailed walk-through lives on the companion page Agent Card Anatomy; this section is the index-level summary.

3.1 Identity fields

3.2 Capability fields

3.3 Auth fields

The deliberate alignment with OpenAPI 3.x security schemes is one of the cleanest design decisions in the spec: existing infrastructure for issuing, validating, and rotating Bearer / OAuth / mTLS credentials Just Works for A2A. There is no new auth scheme to learn.

3.4 Provenance fields

A minimum viable Agent Card has name, description, url, protocolVersion, and one skill. A production-grade card adds capabilities flags, security schemes, signatures, and an icon. The Agent Card Anatomy companion page walks through a complete sample card field-by-field.

4 Signed Agent Cards — provenance for the agents economy

The single largest change in v1.0 is that Agent Cards can carry cryptographic signatures. The signature is a JWS — JSON Web Signature, RFC 7515 — applied over the canonicalised card body. Multiple signatures are allowed (a card might be signed both by the agent's host and by a third-party attestor).

The verification flow is direct. The receiver fetches the card from the well-known URL, extracts the signatures array, locates the signing key via either an embedded x5c certificate chain or a jwks_uri declared elsewhere on the host (typically /.well-known/jwks.json), validates the JWS, and checks that the key is bound to the domain serving the card. No central registry is involved; the trust root is DNS plus TLS plus a key the operator publishes.

Why signing matters — three concrete attacks the spec defends against

Impersonation. Without a signature, any host can publish a card claiming to be the marketing agent for example.com. With a signature bound to example.com's published key, only the actual operator of example.com can produce a valid card for that domain.

In-flight tampering. A man-in-the-middle that compromises a CDN or a corporate proxy could rewrite an Agent Card in transit. JWS over the canonicalised body makes any modification detectable.

Stale claims. Signing keys must rotate. The spec recommends short signing-key lifetimes and explicit JWKS expiry headers, so a card cached in the wild does not remain valid indefinitely after a key compromise. Operators run multiple active keys in parallel for a rotation window.

What signing does not solve

Signing solves identity attestation — who issued this card. It does not solve delegated authorisation — what the agent is authorised to do on whose behalf. That second problem is the explicit subject of NIST CAISI's 2026 work and the IETF AAuth draft.

"CAISI is establishing the first US government program dedicated explicitly to interoperability and security standards for agentic AI systems."

The IETF AAuth draft proposes an ID-JAG (ID JWT-Authorization Grant) flow that adds the missing primitive: an attestable, scope-bound token the calling agent carries in addition to a Signed Agent Card, encoding "I am acting on behalf of user U from organisation O with scopes S, time-boxed to T, and you can verify this against organisation O's issuer."

The Microsoft Entra Agent ID service launched in May 2025 is the first enterprise identity service to treat agents as first-class principals (not borrowed user identities). Entra Agent ID integrates with Conditional Access and Privileged Identity Management and validates Signed Agent Cards as part of agent enrolment. Where Entra Agent ID is the runtime principal, the Signed Agent Card is the public document; together they cover identity attestation. Cross-domain delegation is still pending AAuth.

5 Agent Card vs OpenAPI vs robots.txt vs llms.txt vs model cards vs MCP descriptors

The Agent Card pattern is not new. It inherits from a lineage of well-known machine-readable advertisement files that has been accumulating since the mid-1990s. Understanding where the Agent Card differs from each precedent is the fastest way to grasp what it is for.

Artefact What it advertises Where it lives Standardisation Closest to Agent Card
Agent Card An A2A agent's identity, skills, modalities, auth, signatures /.well-known/agent-card.json + marketplace registries A2A v1.0 (Linux Foundation, 2026)
OpenAPI 3.x An HTTP API's endpoints, operations, schemas, security Conventional path (often /openapi.json); no IETF well-known OpenAPI Initiative (Linux Foundation) Closest precedent — endpoint-oriented where Agent Card is capability-oriented
robots.txt (RFC 9309) A site's crawl policy for automated clients /robots.txt (de-facto since 1994; RFC since 2022) IETF RFC 9309 (Sept 2022) Same well-known control file design pattern
llms.txt An LLM-readable index of a site's content /llms.txt (proposed) Howard / Answer.AI proposal (Sept 2024); not yet standardised Same well-known LLM-facing design pattern
Model Cards (Mitchell 2019) An ML model's training data, metrics, intended use, ethical considerations Vendor-specific (often a model registry README) Academic convention; widely adopted by Hugging Face, Google, Anthropic Same capability-advertisement document framing for ML artefacts
MCP server descriptor An MCP server's resources, prompts, tools, tasks Returned in the initialize handshake — not a published file MCP 2025-11-25 spec (Linux Foundation, 2025) Same JSON Schema lineage; handshake-time not well-known-time

What Agent Card borrows from each precedent

From OpenAPI: the JSON Schema vocabulary for security schemes, the field naming conventions, the principle that a single document at a stable URL fully describes the contract.

"Model cards are short documents accompanying trained machine learning models that provide benchmarked evaluation in a variety of conditions… and disclose the context in which models are intended to be used."

From Model Cards: the capability-and-context framing — name, intended use, evaluation, limitations. An Agent Card's skills array is the moral equivalent of a Model Card's "intended use cases" plus benchmarks; its tags field is the moral equivalent of "intended domains."

From robots.txt: the well-known path convention. Agents that need to find other agents at a host benefit from the same predictable location pattern that crawlers benefit from when checking a site's policy. RFC 9309 standardised robots.txt 28 years after de-facto adoption; A2A wisely did not wait.

From llms.txt: the recognition that machine-readable site content benefits from a canonical, human-curated index file. llms.txt is the LLM-facing equivalent for site content; Agent Card is the agent-facing equivalent for capability.

What Agent Card differs from each precedent in

Versus OpenAPI: Agent Card is task-oriented (skills, modalities, delegation) where OpenAPI is endpoint-oriented (paths, methods, schemas). An A2A agent typically exposes one HTTP endpoint behind a card that advertises ten skills; OpenAPI would describe one endpoint, the Agent Card describes the ten capabilities a planner agent can choose between.

Versus MCP server descriptors: MCP servers advertise capabilities through the initialize handshake at connection time — there is no published well-known artefact. The MCP 2026 Roadmap notes the design choice explicitly:

"The Tasks primitive shipped as an experimental feature and early production use has surfaced gaps including retry semantics when a task fails transiently, and expiry policies for how long results are retained after completion."

MCP capability discovery is dynamic and per-session; A2A capability discovery is static and per-document. The two protocols sit at different layers and made the right call for their respective layers — MCP for tool integration where the host is configured out-of-band, A2A for agent integration where the caller fetches the card cold.

Versus robots.txt + llms.txt: Agent Card is signed; robots.txt and llms.txt are not. The threat models differ — a malicious robots.txt can be ignored by a misbehaving crawler, but a malicious Agent Card actively misrepresents an agent's identity to a paying client. Cryptographic provenance is not a luxury in A2A's setting.

Versus model cards: Model Cards are documentation; Agent Cards are runtime contracts. Reading a Model Card tells you whether to trust a model for a task; reading an Agent Card tells you how to call an agent for a task. The lineage is intellectual; the operational role is different.

6 The Agent Card discovery flow — end to end

The canonical discovery flow in A2A v1.0 has six steps. The flow is pure HTTPS — no GRPC, no custom transport, no centralised registry — which is why every framework can implement it in a few hundred lines of code.

  1. Resolve. The calling agent has a host (marketing.example.com) and wants to discover an agent there. It fetches https://marketing.example.com/.well-known/agent-card.json.
  2. Fetch. Plain HTTPS GET. The response is the JSON Agent Card. Standard caching headers apply.
  3. Validate signatures. The caller extracts the signatures array, locates the JWKS endpoint (typically /.well-known/jwks.json), validates each JWS, and verifies that the signing key is bound to marketing.example.com. Unsigned cards may be accepted in development; production callers should reject them.
  4. Match capabilities. The caller iterates over skills, matching tags, descriptions, and input/output modes against the task it needs delegated. A reasoner-grade caller can use the LLM itself to choose; a deterministic caller can match against a pre-built mapping.
  5. Authenticate. The caller selects one of the declared securitySchemes and obtains the appropriate credential — Bearer token, OAuth client-credentials grant, mTLS certificate, or API key — through whatever issuer the operator has configured.
  6. Submit task. A JSON-RPC 2.0 tasks/send call to the url declared in the card. From here the A2A task lifecycle takes over (submitted → working → input-required → completed/failed/canceled).

Three publishing patterns observed in 2026

Pattern A — Well-known URI (the spec default). The agent host serves the card at /.well-known/agent-card.json. This is the design A2A inherits from RFC 9309 and is mandatory for spec-compliant deployments. Every A2A-aware client looks here first.

"This document specifies and extends the 'Robots Exclusion Protocol'… by which service owners can control how content served by their services may be accessed, if at all, by automatic clients known as crawlers."

Pattern B — Marketplace registry. The same JSON is also indexed in vendor catalogs. Salesforce AgentExchange launched March 2025 as a public marketplace for Agentforce-compatible agents; Google Agentspace indexes A2A endpoints across an enterprise; AWS Bedrock AgentCore exposes a marketplace of deployable agents; Microsoft Copilot Studio surfaces an agent gallery. In each case the marketplace consumes the same Agent Card JSON the host serves at the well-known URL — the marketplace is a registry over the canonical artefact, not a replacement for it.

Pattern C — Ad-hoc inline reference. A planner agent that already knows a peer's well-known URL can pass it inline when bootstrapping — useful for private fleets that do not publish to the open web. The card is fetched from a private intranet; the rest of the flow is unchanged. Many enterprise deployments in 2026 are pattern C even when patterns A and B are technically supported.

Caching and freshness

Cards are intended to be cached. Standard HTTP caching headers (Cache-Control, ETag) apply; the spec recommends a default cache lifetime in the order of hours. Cards that change frequently — a card whose skills array is dynamically generated from a per-tenant configuration — should declare short TTLs and signal updates via If-Modified-Since. Marketplace registries typically poll the well-known URL hourly to daily.

The full sample of card discovery and validation lives on the Agent Card Anatomy companion page, including a complete worked example with code.

7 The marketplace dimension — Agent Cards as catalog entries

The well-known URL is a sufficient discovery mechanism for two agents that already know about each other. It is not sufficient for the broader question every operator eventually asks: which agents exist, what do they cost, and which one should I delegate this task to? The 2026 answer to that question is the agent marketplace, and the unit of inventory is the Agent Card.

The first wave of marketplaces

Each of these marketplaces consumes the same canonical artefact: an Agent Card. The marketplace adds discovery (search, tag matching, partner attestation), commercial metadata (pricing, terms), and reviews; the underlying contract — the JSON document at the well-known URL — is unchanged. This is the design pattern the W3C calls "one document, many surfaces."

Why a marketplace needs Signed Cards

A marketplace operating without Signed Cards is a marketplace that cannot tell its users "this listing was issued by the vendor whose name appears on it." The single most important security property a public marketplace can advertise is that its listings are not impersonations. Salesforce AgentExchange, Google Agentspace, AWS AgentCore Marketplace, and Microsoft Copilot Studio agent gallery all rely on Signed Agent Cards as the trust root for listings. Unsigned listings are restricted to private or sandbox tiers.

The economic settlement gap

What the Agent Card schema does not include is pricing or settlement. v1.0 says nothing about how much a skill costs to invoke or how the calling and receiving organisations settle revenue. AgentsBooks treats this as the Shares primitive — substrate-level, out of scope for the wire protocol. Gartner's 2026 Hype Cycle places "agentic billing" at the Innovation Trigger; McKinsey's 2025 State of AI finds that workflow redesign is the biggest EBIT lever of agentic AI — both reinforcing that the protocol is the enabler, not the performer. The marketplace metadata layered on top of the Agent Card is where pricing and settlement live in 2026; the protocol stays clean.

The arXiv survey framing

"Two complementary communication protocols — the Model Context Protocol, which standardizes how agents access external tools and contextual data, and the Agent-to-Agent protocol, which governs peer coordination, negotiation, and delegation — establish an interoperable communication substrate that enables scalable, auditable, and policy-compliant reasoning across distributed agent collectives."

The marketplace is not the protocol's job — it is the substrate's. The Agent Card is what the substrate exposes to the marketplace. The protocol stays small and stable; the marketplace layer competes on discovery quality, commercial terms, and trust attestation.

8 Security considerations and the gaps v1.0 does not close

Identity attestation is solved for the host; many adjacent problems are not. Operators deploying A2A in 2026 should plan for four named threat vectors and the explicit gaps the spec acknowledges.

8.1 Threat vectors documented in 2026

Impersonation. Mitigated by Signed Agent Cards and JWKS validation. OWASP's LLM Top 10 and the OWASP Agentic AI Security project explicitly enumerate agent impersonation as an emerging threat category for 2025–2026 deployments.

Capability spoofing. A signed card can still declare skills the underlying agent does not actually implement — signing attests who issued the card, not that the agent performs the skill. Calling agents must treat skill descriptions as advertised, not guaranteed; production deployments validate via test invocations, vendor attestation, or marketplace-level functional verification.

Stale or revoked cards. JWKS endpoints must publish key rotation events; cards cached in marketplaces or by callers must be re-validated against fresh keys. The spec recommends short signing-key lifetimes and overlapping rotation windows. Operators that ignore this end up with valid-looking cards signed by compromised or expired keys.

Cross-domain delegation. The largest acknowledged gap. When agent A in organisation O acts on behalf of user U calling agent B in organisation O′, neither OAuth 2.1 nor OIDC currently provides a standard way to carry the agent's scoped permissions across the boundary. The IETF AAuth draft proposes the missing extension; it is not yet RFC. NIST CAISI names this as a foundational standards gap.

8.2 What goes wrong in practice

Three failure modes recur in real deployments. First, operators publish cards with overly broad skills declarations and discover that calling agents take them at their word — a card that says "I can do KYC" gets routed real KYC workloads it cannot actually handle. Second, signing keys are deployed once and never rotated, leaving the trust root brittle to compromise. Third, marketplaces accept unsigned cards in their public tier and end up shipping impersonated listings.

Each has a known fix: write conservative skill descriptions, automate key rotation, refuse unsigned cards in production tiers. The spec gives you the primitives; the operational discipline is yours.

8.3 The honest framing — what the protocol does not deliver

The skeptic case, taken seriously, comes from Gary Marcus's 2026 essay:

"Despite all the hype, agents didn't turn out to be reliable."

The Agent Card does not make the agent it describes more reliable. It makes the agent's contract more legible — what skills are claimed, what auth applies, who attested the claim. A clean contract is the precondition for measuring reliability over time, attaching SLAs to skills, and routing around degraded agents. A card-less agent fleet cannot do any of those things; a card-equipped fleet can. That is what the spec actually delivers, and it is more useful than the marketing makes it sound.

9 How Agent Cards compose with the AgentsBooks substrate

AgentsBooks names eight primitives every agentic firm needs: Identity, Brain, Heart, Memory, Control, Knowledge, Friends, Shares. Agent Cards live in the Friends primitive — agent-to-agent — and reinforce three of the other primitives directly:

The composition is the point. A protocol that solved Friends but ignored the other seven would force every firm to re-implement them. A substrate that solved the other seven but ignored Friends would lock the firm into a single vendor. The 2026 settlement is open protocols at Friends, the substrate everywhere else — what we call "complete, not compete."

10 What to build on top — guidance for an agentic firm

If you are running more than three agents and at least one of them needs to be addressable from outside your codebase, an Agent Card is now the answer. The build-vs-buy guidance for 2026:

FAQs

What is an Agent Card in one sentence?

An Agent Card is a JSON document — published at a well-known URL such as https://<host>/.well-known/agent-card.json — that declares an A2A agent's identity, capabilities, skills, supported input/output modes, endpoint, authentication schemes, and (in v1.0) a JWS signature attesting that the card was actually issued by the domain owner.

Why does the A2A protocol need Agent Cards?

A2A is decentralised by design: there is no central registry of agents. A calling agent that wants to delegate work to a remote agent has to discover what the remote agent can do, how to reach it, and how to authenticate — without coupling itself to a vendor-specific catalog. The Agent Card is the wire format for that discovery: one JSON document, one well-known URL, one signature. The same design pattern as robots.txt for crawlers and OpenAPI for HTTP APIs.

What is a Signed Agent Card and why does it matter?

A Signed Agent Card carries one or more JWS-format cryptographic signatures over the JSON body, attesting that the card was issued by the entity controlling the domain (or a delegated key). Without a signature, any host could publish a card claiming any capability; with a signature, the receiver verifies the JWS against a JWKS endpoint bound to the domain owner — directly, without a centralised registry. This is the difference between "I claim to be the marketing agent for example.com" and "I am cryptographically attested to be the marketing agent for example.com."

How does an Agent Card differ from an OpenAPI spec?

OpenAPI describes an HTTP surface — endpoints, operations, request/response schemas. An Agent Card describes a delegable agent — skills (named units of capability), modalities, security model, identity. They share JSON Schema lineage and the Agent Card deliberately reuses OpenAPI 3.x security schemes. But OpenAPI is endpoint-oriented; Agent Card is task-oriented. An A2A agent often exposes one HTTP endpoint behind a card that advertises ten skills.

How does an Agent Card differ from an MCP server descriptor?

MCP servers advertise their capabilities through the initialize handshake at connection time — there is no published well-known artefact. Agent Cards are published documents at a stable URL, designed to be fetched, cached, and signed independently of any active session. MCP is a tool-discovery protocol where the host configures the server out-of-band; A2A is an agent-discovery protocol where the caller fetches the card cold.

Where do agents publish their cards?

Three patterns are common in 2026. Well-known URI: every A2A-compliant host serves /.well-known/agent-card.json (the spec-defined default). Marketplace registry: the same JSON is also indexed in vendor catalogs like Salesforce AgentExchange, Google Agentspace, AWS AgentCore Marketplace, and Microsoft Copilot Studio agent gallery. Ad-hoc reference: an agent can pass its own card URL inline when bootstrapping a peer, useful for private fleets that do not publish to the open web.

What are the security considerations for Agent Cards?

Four named threat vectors. Impersonation: an unsigned card can claim any identity — Signed Agent Cards mitigate this. Capability spoofing: a card can declare skills the agent does not actually implement — calling agents must treat skill descriptions as advertised, not guaranteed. Expired or revoked cards: signing keys must rotate; the receiver must validate JWKS freshness. Cross-domain delegation: the card attests who the agent is, not what it is authorised to do on whose behalf — the gap IETF AAuth and NIST CAISI explicitly target.

Does AgentsBooks publish Agent Cards for substrate-managed agents?

Yes, where relevant. AgentsBooks is an OS, not a wrapper, so the Friends primitive — agent-to-agent and agent-to-tool — speaks the open protocols. An AgentsBooks-managed agent that needs to be reachable from outside the substrate publishes a Signed Agent Card at the customer's chosen domain; the substrate handles JWS signing, key rotation, and JWKS publishing. The card is the wire format; the substrate provides the seven other primitives the protocol does not cover.

How does Microsoft Entra Agent ID relate to Agent Cards?

Entra Agent ID is a runtime principal — an identity object Entra manages alongside users and applications, with Conditional Access and Privileged Identity Management. The Signed Agent Card is the public document the agent publishes at the well-known URL. Entra Agent ID validates the card during agent enrolment; the card declares the auth schemes the runtime expects. The two pair cleanly: the card is the wire format, the principal is the runtime object.

The invitation

Open protocols at Friends; substrate everywhere else. The Agent Card is the wire format that makes the rest possible — the load-bearing JSON document that turns an opaque endpoint into a discoverable, signed, contractable agent. Most service firms in 2026 will not implement A2A from scratch; they will run on a substrate that publishes Cards correctly, signs them automatically, and rotates keys on a calendar. AgentsBooks is one such substrate; the broader point is that the architectural decision is now genuinely open.

Updated 2026-05-08. Built per the build-authority-property workflow. Research sprint: methodology & bibliography.

Sources cited on this page

  1. A2A Protocol — Specification (v1.0). a2a-protocol.org/latest/specification/ — accessed 2026-05-08. In force
  2. Google Developers — Announcing the Agent2Agent Protocol. developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/ — accessed 2026-05-08
  3. Linux Foundation — Launches the Agent2Agent Protocol Project. linuxfoundation.org press release — accessed 2026-05-08
  4. github.com/a2aproject/A2A — reference implementation, JSON schemas, TypeScript types. github.com/a2aproject/A2A — accessed 2026-05-08
  5. A2A Project — Partners. a2a-protocol.org/latest/community/partners/ — accessed 2026-05-08
  6. Mitchell et al., Model Cards for Model Reporting (arXiv:1810.03993). arxiv.org/abs/1810.03993 — accessed 2026-05-08. Foundational, 2019
  7. RFC 9309 — Robots Exclusion Protocol. rfc-editor.org/rfc/rfc9309.html — accessed 2026-05-08. In force
  8. llms.txt — proposal (Howard, Answer.AI, Sept 2024). llmstxt.org — accessed 2026-05-08. Emerging 2024–2026
  9. OpenAPI Specification 3.1.0. spec.openapis.org/oas/v3.1.0.html — accessed 2026-05-08. In force
  10. Model Context Protocol — Specification (2025-11-25). modelcontextprotocol.io/specification/2025-11-25 — accessed 2026-05-08. In force
  11. MCP Blog — The 2026 MCP Roadmap. blog.modelcontextprotocol.io/posts/2026-mcp-roadmap/ — accessed 2026-05-08
  12. Microsoft — Announcing Microsoft Entra Agent ID. techcommunity.microsoft.com — accessed 2026-05-08. Emerging 2025–2026
  13. Salesforce — AgentExchange launch. salesforce.com press release — accessed 2026-05-08
  14. Salesforce — Agentforce A2A integration with Google Cloud. salesforce.com press release — accessed 2026-05-08
  15. Google Cloud — Agentspace and Agent Builder. cloud.google.com/products/agent-builder — accessed 2026-05-08
  16. Google — Agent Development Kit (ADK). google.github.io/adk-docs/ — accessed 2026-05-08
  17. AWS — Bedrock AgentCore Runtime. docs.aws.amazon.com/bedrock-agentcore — accessed 2026-05-08
  18. NIST CAISI — AI Agent Standards Initiative. nist.gov/caisi/ai-agent-standards-initiative — accessed 2026-05-08
  19. NIST — Announcing the AI Agent Standards Initiative. nist.gov/news-events/news/2026/02 — accessed 2026-05-08
  20. IETF — AAuth (draft-rosenberg-oauth-aauth-00). ietf.org/archive/id/draft-rosenberg-oauth-aauth-00.html — accessed 2026-05-08
  21. OWASP — Top 10 for Large Language Model Applications. owasp.org/www-project-top-10-for-large-language-model-applications/ — accessed 2026-05-08
  22. Gartner — Hype Cycle for Agentic AI 2026. gartner.com/en/articles/hype-cycle-for-agentic-ai — accessed 2026-05-08
  23. McKinsey QuantumBlack — The state of AI in 2025 (Nov 2025). mckinsey.com — accessed 2026-05-08
  24. arXiv:2601.13671 — Orchestration of Multi-Agent Systems. arxiv.org/abs/2601.13671 — accessed 2026-05-08
  25. Anthropic — Building Effective Agents. anthropic.com/research/building-effective-agents — accessed 2026-05-08
  26. Marcus, G. — Six (or seven) predictions for AI 2026. garymarcus.substack.com — accessed 2026-05-08. Contested

Full bibliography with refresh cadence and freshness flag definitions: methodology page.