Creating credentials for the A2A agent

To authenticate calls to the A2A agent, you can use either a Tonic Textual API key or an OAuth2 client.

Textual API key

If you have a Textual account, then you can use a Textual API key for authentication.

For information on how to generate a Textual API key, go to Creating and revoking Textual API keys.

You then use it in Authorization: Bearer <api_key> on any /a2a request.

OAuth2 client

For each external integration, you can register one OAuth2 client.

To register an OAuth2 client, you must have the ManageA2aOAuthClients permission, which is included in the built-in Environment Admin role.

Sending the registration request

To register an OAuth2 client:

curl -X POST https://<host>/api/v1/a2a/oauth-clients \
  -H "Authorization: Bearer <admin_api_key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Google Cloud Marketplace",
    "allowedRedirectUris": ["https://marketplace.google.com/oauth/callback"]
  }'

Getting the client secret from the response

The response includes a plaintext clientSecret. It is only returned in the response that is only ever returned once.

You must record the client secret value to use in calls to the A2A agent.

If you lose the client secret, you must delete and re-register the client.

Matching the allowed redirect URIs

Redirect URIs must be absolute https:// , or http:// for loopback only.

When you use the client to call the A2A agent, the redirect URI must exactly match the allowed redirect URIs for the client.

Managing OAuth clients

Listing the OAuth clients for your organization

To display the list of the OAuth clients for your organization:

Note that the list of clients does not include any client secrets.

Revoking an OAuth client

To revoke an OAuth client:

When a client is revoked, all new authorizations are blocked immediately.

Existing access tokens remain valid until they expire.