A2AS Certificate Schema

Complete reference for AI Agent Behavior Specification v0.1.1

Manifest

The manifest anchors behavior declarations with canonical schema reference, identity, validity, and cryptographic bindings.

Manifest

Top-level manifest metadata including schema version, subject, and issued details.

Example:

manifest: 
  version: "0.1.0"
  schema: "https://www.a2as.org/cert/schema"
  subject: 
    name: "Demo Agent"
    scope: 
      - "https: //github.com/a2as/demo-agent/AGENT.py"
      - "https: //github.com/a2as/demo-agent/utils.py"
  issued: 
    by: "A2AS.org"
    at: "2025-10-10T00:00:00Z"
  signatures: 
    digest: "sha256:d34db33f..."
    key: "ed25519:MCowBQYDK2..."
    sig: "ed25519:lTTEFxoAb..."

Schema:

versionstringrequired

Schema version number

0.1.0

schemastring (URL)required

Canonical schema URL

https://www.a2as.org/cert/schema

Subject

Identity and scope information about the agent being certified.

Example:

subject: 
  name: "Demo Agent"
  scope: 
    - "https: //github.com/a2as/demo-agent/AGENT.py"
    - "https: //github.com/a2as/demo-agent/utils.py"

Schema:

namestringrequired

Human-readable agent/app name

Demo Agent

scopearray of stringsrequired

List of analyzed files (full paths)

["https://github.com/a2as/demo-agent/AGENT.py"]

Issued

Issuance information including issuer name and timestamp.

Example:

issued: 
  by: "A2AS.org"
  at: "2025-10-10T00:00:00Z"

Schema:

bystringrequired

Issuer name (always A2AS.org)

A2AS.org

atRFC3339Z timestamprequired

Issuance timestamp

2025-10-10T00:00:00Z

Signatures

Cryptographic bindings for certificate verification including digest, key, and signature.

Example:

signatures: 
  digest: "sha256:d34db33f..."
  key: "ed25519:MCowBQYDK2..."
  sig: "ed25519:lTTEFxoAb..."

Schema:

digeststringrequired

Hex-encoded hash with algorithm prefix

sha256:d34db33f...

keystringrequired

Public key with algorithm prefix

ed25519:MCowBQYDK2...

sigstringrequired

Cryptographic signature

ed25519:lTTEFxoAb...

Capabilities

Declares explicit allowlists for what the agent may do at inference, application, and system layers. Anything not declared is denied by default.

Roles

Role-based access control mapping of models and agents to roles (assistant, system, tool, user).

Example:

roles: 
  assistant: 
    models: ["gpt-4o"]
    agents: ["news_collector"]
  system: 
    models: ["claude-3-sonnet"]

Schema:

<role_type>object

Role type: assistant, system, tool, or user

modelsarray of strings

References to keys under models section (at least one of models or agents required)

agentsarray of strings

References to keys under agents section (at least one of models or agents required)

Instructions

Top-level instruction mappings (note: instructions are typically embedded within agents).

Example:

instructions: 
  news_collector: 
    - "Gather latest articles on the topic."
    - "Focus on credible and diverse news sources."
  claude-3-sonnet: 
    - "You are a helpful assistant that generates high-quality, secure, and factual responses."
  agentic_pipeline: 
    - "Collect recent news and summarize them for end-user presentation."

Schema:

<key>array of stringsrequired

Key references model, agent, or pipeline. Contains instruction text.

Models

Declared AI models with their types, supported modalities, and parameters.

Example:

models: 
  claude-3-sonnet: 
    type: "chat"
    modality: ["text", "image", "audio", "video"]
    params: 
      max_tokens: 1024
  gpt-4o: 
    type: "agent"
    modality: ["text"]
    params: 
      temperature: 0.7
  text-embedding-3: 
    type: "embedding"
    modality: ["text"]

Schema:

typestringrequired

Model purpose: chat, agent, tool, or embedding

modalityarray of stringsrequired

Supported modalities: text, image, audio, video

paramsobject

Debug collection for unregulated, auto-extracted fields

Agents

AI agents with their models, tools, memory, and instructions.

Example:

agents: 
  news_collector: 
    models: ["gpt-4o"]
    tools: ["DuckDuckGoTools"]
    instructions: ["news_collector"]
    memory: ["fs_notes"]
    params: 
      name: "News Collector"
      role: "Collects recent news articles on the given topic"
      markdown: true
      show_tool_calls: true
  summary_writer: 
    models: ["claude-3-sonnet"]
    tools: ["Newspaper4kTools"]
    memory: ["fs_notes"]
    params: 
      name: "Summary Writer"
      role: "Summarizes collected news articles"
      markdown: true
      show_tool_calls: true

Schema:

modelsarray of stringsrequired

References to models keys

toolsarray of strings

References to tools keys

memoryarray of strings

References to memory keys

instructionsarray of strings

References to instructions keys

paramsobject

Debug collection for auto-extracted fields

Tools

Tools available to agents and models, with their dependencies.

Example:

tools: 
  DuckDuckGoTools: 
    models: ["gpt-4o"]
    agents: ["news_collector"]
    params: 
      search: true
      news: true
  file_search: 
    models: ["text-embedding-3"]
    memory: ["article_cache"]

Schema:

modelsarray of strings

References to models keys (at least one of models or agents required)

agentsarray of strings

References to agents keys (at least one of models or agents required)

memoryarray of strings

References to memory keys

paramsobject

Debug collection for auto-extracted fields

MCP

MCP endpoints for tool integration or gateway services.

Example:

mcp: 
  mcp_cursor: 
    type: "tool"
    url: "https://localhost:5000/mcp"
    provider: "cursor-mcp"
    params: 
      mode: "dev"
  mcp_gateway: 
    type: "gateway"
    url: "https://mcp.a2as.org"
    models: ["gpt-4o", "claude-3-sonnet"]
    agents: ["news_collector", "summary_writer"]
    provider: "a2as-mcp"

Schema:

typestringrequired

MCP role: tool or gateway

urlstring (URL)required

MCP endpoint URL

providerstring

MCP provider name

modelsarray of strings

Models using this MCP

agentsarray of strings

Agents using this MCP

paramsobject

Debug collection

Workflows

Workflow and pipeline definitions with execution types.

Example:

workflows: 
  rag_chain.invoke: 
    type: "sequential"
    steps: []
  workflow.add_node: 
    type: "parallel"
    steps: []
  task_service.get_tasks: 
    type: "parallel"
    steps: []

Schema:

typestringrequired

Execution type: sequential or parallel

stepsarray

Workflow steps (typically empty)

Teams

Multi-agent team definitions with orchestration patterns.

Example:

teams: 
  team: 
    agents: 
      - "legal_researcher"
      - "contract_analyst"
      - "legal_strategist"
    orchestration: "sequential"

Schema:

agentsarray of stringsrequired

Agent list

orchestrationstringrequired

Coordination pattern: sequential, parallel, or hierarchical

Streaming

Streaming endpoint configurations.

Example:

streaming: 
  streaming: 
    type: "response"
  download_file: 
    type: "response"
  main: 
    type: "response"

Schema:

typestringrequired

Streaming type: response, data, or events

paramsobject

Additional streaming parameters

Memory

Storage systems for agent memory (database, file, vector, in-memory, or cache).

Example:

memory: 
  user_prefs: 
    type: "database"
    #    provider: "postgres"
    params: 
      host: "postgres.internal"
      database: "agent_db"
      table: "user_preferences"
      user: "agent"
  fs_notes: 
    type: "file"
    #    provider: "csv"
    params: 
      path: "/data/notes.csv"
  article_cache: 
    type: "vector"
    #    provider: "qdrant"
    params: 
      host: "vectordb.local"
      index: "embeddings"
      collection: "news_articles"

Schema:

typestringrequired

Storage type: database, file, vector, in-memory, or cache

providerstring

Engine or format name (e.g., qdrant, redis)

paramsobject

Additional configuration parameters

Imports

Symbol/alias mappings to full module paths.

Example:

imports: 
  Agent: google.adk.agents.LlmAgent
  ld: pipeline.load_data
  pp: pipeline.pre_process

Schema:

<symbol_or_alias>stringrequired

Full dotted import path (e.g., google.adk.agents.LlmAgent)

Functions

Function calls with module paths, arguments, and parameters.

Example:

functions: 
  subprocess.run: 
    module: "subprocess"
    args: ["ls", "-la"]
    params: 
      capture_output: true
  transformers.pipeline: 
    module: "transformers"
    params: 
      task: "text-generation"
      model: "mistralai/Mixtral-8x7B-Instruct-v0.1"

Schema:

modulestringrequired

Absolute module path

argsarray of strings

Positional arguments

paramsobject

Debug collection for named parameters

Secrets

Secret management with source type and path information.

Example:

secrets: 
  A2AS_GATEWAY_TOKEN: 
    type: "env"
    path: /app/agent/.env
  OPENAI_API_KEY: 
    type: "config"
    path: /app/agent/config.yaml
  PG_RO_PASSWORD: 
    type: "vault"
    path: /secrets/db/password

Schema:

typestringrequired

Secret source: env, config, or vault

pathstringrequired

File path, mount point, or vault location

Files

File system access permissions with allowed actions and patterns.

Example:

files: 
  /app/agent/config.yaml: 
    actions: ["read"]
  /var/log/app/app.log: 
    actions: ["write"]
  /app/cache/temp/sessions/: 
    actions: ["delete"]
    patterns: ["*.tmp"]

Schema:

actionsarray of stringsrequired

Allowed operations: read, write, delete, exec

patternsarray of strings

Glob patterns (only for directories), e.g., *.tmp, *.log

Networks

Network communications with protocols, ports, methods, and endpoints.

Example:

networks: 
  platform.openai.com: 
    protocols: ["https"]
    ports: ["443"]
    methods: ["get", "post"]
    urls: 
      - "/v1/chat/completions"
      - "/v1/images/generations"
      - "/v1/embeddings"
  internal_db: 
    protocols: ["tcp"]
    ports: ["5432"]

Schema:

protocolsarray of strings

Used protocols: https, http, tcp, udp

portsarray of strings

Numeric port strings

methodsarray of strings

HTTP verbs: get, post, put, delete

urlsarray of strings

Endpoints or path patterns

Processes

Process execution permissions with executable names/paths and arguments.

Example:

processes: 
  /bin/bash: 
    actions: ["exec"]
    args: ["-lc", "whoami"]
  /usr/bin/curl: 
    actions: ["exec"]
    args: ["-sS", "https://ipinfo.io/ip"]

Schema:

actionsarray of stringsrequired

Process actions: exec

argsarray of strings

Positional arguments

Syscalls

Low-level system call permissions.

Example:

syscalls: 
  execve: 
    actions: ["exec"]
    args: ["/bin/bash", "-lc", "whoami"]
  connect: 
    actions: ["connect"]
    args: ["evil.com", "1337"]

Schema:

actionsarray of stringsrequired

Syscall actions: exec, connect, etc.

argsarray of strings

Positional arguments