A2AS Certificate Schema

Complete reference for AI Agent Behavior Specification v0.1.2

Manifest

The manifest anchors behavior declarations with canonical schema reference, identity, validity, and cryptographic bindings.

Manifest

Top-level manifest metadata including schema version, subject, and issued details.

Example:

manifest: 
  version: "0.1.2"
  schema: https://a2as.org/cert/schema
  subject: 
    name: Demo Agent
    source: https://github.com/a2as-org/demo-agent
    branch: main
    commit: c3rt1f13d
    scope: [src/agent.py, src/tools.py]
  issued: 
    by: A2AS.org
    at: "2025-12-30T18:28:50Z"
  signatures: 
    digest: sha256:XXkqv1YNSrR2WEsGNI3fFVrnnApBs7rDjR9i7dGuN5E
    key: ed25519:huQlPA95aJwAQUttLp49lbg4r3hRXvVb_UK3WSHUBWU
    sig: ed25519:CDC-ZPfGofm9aMkmsxvMy6G7oicVysDvCUfcnuafH-PmahTOckgRbmKP-PB85KzU6UfQckvqPr4of_WCTToHAw

Schema:

versionstringrequired

Semantic schema version number

0.1.2
schemastring (URL)required

Canonical schema reference URL

https://a2as.org/cert/schema

Subject

Identity and scope information about the agent being certified.

Example:

subject: 
  name: Demo Agent
  source: https://github.com/a2as-org/demo-agent
  branch: main
  commit: c3rt1f13d
  scope: [src/agent.py, src/tools.py]

Schema:

namestringrequired

Human-readable agent/app name

Demo Agent
sourcestringrequired

Git repository URL

https://github.com/a2as-org/demo-agent
branchstring

Git branch name

main
commitstring

Git commit hash

c3rt1f13d
scopelist[string]required

List of relative file paths

["src/agent.py", "src/tools.py"]

Issued

Issuance information including issuer name and timestamp.

Example:

issued: 
  by: A2AS.org
  at: "2025-12-30T18:28:50Z"

Schema:

bystringrequired

Issuer name (always A2AS.org)

A2AS.org
atstring (RFC3339Z)required

UTC timestamp

2025-12-30T18:28:50Z

Signatures

Cryptographic bindings for certificate verification including digest, key, and signature.

Example:

signatures: 
  digest: sha256:XXkqv1YNSrR2WEsGNI3fFVrnnApBs7rDjR9i7dGuN5E
  key: ed25519:huQlPA95aJwAQUttLp49lbg4r3hRXvVb_UK3WSHUBWU
  sig: ed25519:CDC-ZPfGofm9aMkmsxvMy6G7oicVysDvCUfcnuafH-...

Schema:

digeststringrequired

Hash for the content with algorithm prefix

sha256:XXkqv1YNSrR2WEsGNI3fFVrnnApBs7rDjR9i7dGuN5E
keystringrequired

Public key with algorithm prefix

ed25519:huQlPA95aJwAQUttLp49lbg4r3hRXvVb_UK3WSHUBWU
sigstringrequired

Cryptographic signature

ed25519:CDC-ZPfGofm9aMkmsxvMy6G7oicVysDvCUfcnuafH-...

Capabilities

Declares explicit allowlists for what the agent may do at inference, application, and system layers. Anything not declared is denied by default.

Agents

AI agents with their type, models, tools, MCP, memory, and instructions.

Example:

agents: 
  news_collector: 
    type: instance
    models: [gpt-4o]
    tools: [DuckDuckGoTools]
    mcp: [mcp_gateway]
    memory: [fs_notes]
    params: 
      name: News Collector
      markdown: "true"
      show_tool_calls: "true"
      instructions: [Gather latest articles on the topic.]
  team_lead: 
    type: instance
    models: [gpt-4o]
    tools: [delegation_tool]

Schema:

typestring

Binding type: instance (resolved), factory (unresolved), or class (unresolved)

modelsarray of strings

Values or refs to model IDs

toolsarray of strings

Values or refs to tool IDs

mcparray of strings

Values or refs to MCP IDs

memoryarray of strings

Values or refs to memory IDs

paramsobject

Unregulated additional fields including instructions

Models

Declared AI models with their types, supported modalities, and parameters.

Example:

models: 
  claude-3-sonnet: 
    type: chat
    modality: [text, image, audio, video]
    params: 
      max_tokens: "1024"
  gpt-4o: 
    type: agent
    modality: [text]
    params: 
      temperature: "0.7"
  text-embedding-3: 
    type: embedding
    modality: [text]

Schema:

typestring

Model purpose: chat, agent, tool, or embedding

agentsarray of strings

Values or refs to agent IDs

modalityarray of strings

Supported modalities: text, image, audio, video

paramsobject

Unregulated additional fields

Tools

Tools available to agents and models, with their type and dependencies.

Example:

tools: 
  DuckDuckGoTools: 
    type: class
    agents: [news_collector]
    models: [gpt-4o]
    mcp: [mcp_gateway]
    params: 
      search: "true"
      news: "true"
  file_search: 
    type: function
    models: [text-embedding-3]
    memory: [article_cache]

Schema:

typestring

Tool binding type: decorator, wrapper, function, module, agent, class, or variable

agentsarray of strings

Values or refs to agent IDs

modelsarray of strings

Values or refs to model IDs

mcparray of strings

Values or refs to MCP IDs

memoryarray of strings

Values or refs to memory IDs

paramsobject

Unregulated additional fields

MCP

MCP endpoints for tool integration or gateway services.

Example:

mcp: 
  mcp_cursor: 
    type: network
    url: https://localhost:5000/mcp
    tools: [code_search]
    params: 
      mode: dev
  mcp_gateway: 
    type: network
    url: https://mcp.a2as.org
    agents: [news_collector, summary_writer]
    models: [gpt-4o, claude-3-sonnet]

Schema:

typestring

MCP server type: process or network

urlstring (URL)

MCP endpoint URL

agentsarray of strings

Values or refs to agent IDs

modelsarray of strings

Values or refs to model IDs

toolsarray of strings

Values or refs to tool IDs

paramsobject

Unregulated additional fields including alias and class

Memory

Storage systems for agent memory (runtime, database, vector, cache, or file).

Example:

memory: 
  message_history: 
    type: runtime
    params: 
      max_tokens: "1024"
  user_prefs: 
    type: database
    params: 
      host: postgres.internal
      database: agent_db
      table: user_preferences
  article_cache: 
    type: vector
    params: 
      host: vectordb.local
      index: embeddings
      collection: news_articles

Schema:

typestring

Storage type: runtime, database, vector, cache, or file

paramsobject

Unregulated additional fields

Workflows

Workflow and pipeline definitions with execution types.

Example:

workflows: 
  news_pipeline: 
    type: sequential
    agents: [news_collector, summary_writer]
    tools: [file_search]
    params: 
      steps: [news_collector, summary_writer]

Schema:

typestring

Execution type: sequential or parallel

agentsarray of strings

Participating agents

toolsarray of strings

Available tools

teamsarray of strings

Participating teams

paramsobject

Unregulated additional fields

Teams

Multi-agent team definitions with coordination patterns.

Example:

teams: 
  news_team: 
    type: sequential
    agents: [news_collector, summary_writer]
    models: [gpt-4o, claude-3-sonnet]
    workflows: [news_pipeline]
  legal_team: 
    type: hierarchical
    agents: [legal_researcher, contract_analyst, legal_strategist]

Schema:

typestring

Coordination pattern: handoff, sequential, parallel, or hierarchical

agentsarray of strings

Agent list

modelsarray of strings

Shared models

workflowsarray of strings

Team workflows

paramsobject

Unregulated additional fields

Roles

Role-based access control mapping of models and agents to message roles.

Example:

roles: 
  assistant: 
    type: assistant
    agents: [news_collector]
    models: [gpt-4o]
    instructions: [news_collector]
  system: 
    type: system
    models: [claude-3-sonnet]
    instructions: [system_prompt]

Schema:

typestring

Message role type: system, user, assistant, tool, or function

agentsarray of strings

Values or refs to agent IDs

modelsarray of strings

Values or refs to model IDs

instructionsarray of strings

Role-specific instructions

paramsobject

Unregulated additional fields

Instructions

Instruction text mappings referenced by agents and roles.

Example:

instructions: 
  news_collector: 
    - Gather latest articles on the topic.
    - Focus on credible and diverse news sources.
    - Verify information from multiple sources.
  system_prompt: 
    - You are a helpful assistant that generates high-quality, secure, and factual responses.
    - Always cite sources when making factual claims.

Schema:

<instruction_id>array of strings

List of instruction strings

Imports

Symbol/alias mappings to full module paths.

Example:

imports: 
  Agent: google.adk.agents.LlmAgent
  ld: pipeline.load_data
  pp: pipeline.pre_process

Schema:

<import_id>string

Full import path mapped to symbol/alias

Functions

Function calls with type, module paths, arguments, and parameters.

Example:

functions: 
  subprocess.run: 
    type: sync
    module: subprocess
    args: [ls, -la]
    params: 
      capture_output: "true"
  fetch_data: 
    type: async
    module: utils.network
    args: [url]

Schema:

typestring

Function type: sync, async, or generator

modulestring

Absolute module path

argsarray of strings

Positional arguments

paramsobject

Unregulated additional fields

Variables

Variable management with source type and path information.

Example:

variables: 
  A2AS_GATEWAY_TOKEN: 
    type: env
    params: 
      caller: [os.getenv]
      path: [/app/agent/.env]
  OPENAI_API_KEY: 
    type: config
    params: 
      path: [/app/agent/config.yaml]
  PG_RO_PASSWORD: 
    type: vault
    params: 
      path: [/secrets/db/password]

Schema:

typestring

Variable source: env, config, or vault

paramsobject

Unregulated additional fields including caller and path

Files

File system access permissions with type, allowed actions, and patterns.

Example:

files: 
  config.yaml: 
    type: literal
    actions: [read]
    params: 
      path: [config_dir]
      caller: [os.path.join]
  session_path: 
    type: variable
    actions: [delete]
    params: 
      caller: [cleanup_sessions]
      links: [session_id, config.cache_dir]
  ./: 
    type: pattern
    actions: [read]
    params: 
      patterns: ["*.tmp"]
      caller: [glob.glob]

Schema:

typestring

Path resolution type: literal, variable, or pattern

actionsarray of strings

Allowed operations: read, write, delete, exec

paramsobject

Unregulated additional fields including path, caller, links, and patterns

Processes

Process execution permissions including shell commands and syscalls.

Example:

processes: 
  /bin/bash: 
    type: shell
    actions: [exec]
    args: [[-lc, whoami]]
    params: 
      caller: [subprocess.run]
      shell: ["false"]
  execve: 
    type: syscall
    actions: [exec]
    args: [[/bin/bash, -lc, whoami]]
  connect: 
    type: syscall
    actions: [connect]
    args: [[evil.com, "1337"]]

Schema:

typestring

Process type: shell, mcp, or syscall

actionsarray of strings

Process actions: exec, connect

argsarray of arrays

List of invocations (list of lists)

paramsobject

Unregulated additional fields including caller and shell

Networks

Network communications with type, protocols, ports, methods, and endpoints.

Example:

networks: 
  platform.openai.com: 
    type: api
    actions: [get, post]
    urls: [/v1/chat/completions, /v1/images/generations, /v1/embeddings]
    protocols: [https]
    ports: ["443"]
    params: 
      caller: [openai.ChatCompletion.create]
      links: [api_base]
  internal_db: 
    type: database
    actions: [connect]
    protocols: [tcp]
    ports: ["5432"]

Schema:

typestring

Connection type: api, database, router, or internal

actionsarray of strings

Network actions: get, post, put, delete, connect, subscribe

urlsarray of strings

Endpoints or paths

protocolsarray of strings

Used protocols: https, http, tcp, udp, grpc, websocket

portsarray of strings

Numeric port strings

paramsobject

Unregulated additional fields including caller and links