# Creating credentials for the A2A agent

To authenticate calls to the A2A agent, you can use either a Tonic Textual API key or an OAuth2 client.

## Textual API key

If you have a Textual account, then you can use a Textual API key for authentication.

For information on how to generate a Textual API key, go to [Creating and revoking Textual API keys](/textual/tonic-textual-api/textual-api-keys.md).

You then use it in `Authorization: Bearer <api_key>` on any `/a2a` request.

## OAuth2 client

For each external integration, you can register one OAuth2 client.

To register an OAuth2 client, you must have the `ManageA2aOAuthClients` permission, which is included in the built-in Environment Admin role.

### Sending the registration request

To register an OAuth2 client:

```bash
curl -X POST https://<host>/api/v1/a2a/oauth-clients \
  -H "Authorization: Bearer <admin_api_key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Google Cloud Marketplace",
    "allowedRedirectUris": ["https://marketplace.google.com/oauth/callback"]
  }'
```

### Getting the client secret from the response

The response includes a plaintext `clientSecret`. It is only returned in the response that is only ever returned once.

You must record the client secret value to use in calls to the A2A agent.

If you lose the client secret, you must delete and re-register the client.

### Matching the allowed redirect URIs

Redirect URIs must be absolute `https://` , or `http://` for loopback only.

When you use the client to call the A2A agent, the redirect URI must exactly match the allowed redirect URIs for the client.

### Managing OAuth clients

#### Listing the OAuth clients for your organization

To display the list of the OAuth clients for your organization:

```bash
curl https://<host>/api/v1/a2a/oauth-clients -H "Authorization: Bearer <admin_api_key>"
```

Note that the list of clients does not include any client secrets.

#### Revoking an OAuth client

To revoke an OAuth client:

```bash
curl -X POST https://<host>/api/v1/a2a/oauth-clients/<clientId>/revoke \
     -H "Authorization: Bearer <admin_api_key>"
```

When a client is revoked, all new authorizations are blocked immediately.

Existing access tokens remain valid until they expire.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.tonic.ai/textual/textual-integrations/textual-a2a-agent/creating-credentials-for-the-a2a-agent.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.