Skill

agent-to-agent-auth

Enforces SPIFFE/SPIRE plus mTLS for authenticating agent-to-agent communication. Use when designing or reviewing multi-agent system security.

security

authentication

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:agent-to-agent-auth

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Agent-to-agent communication MUST follow the service-to-service recommendation and implement SPIFFE/SPIRE+mTLS.

SKILL.md

57 lines · ~529 tokens

Similar Skills

service-to-service-mtls

Enforces SPIFFE/SPIRE plus mTLS for service-to-service authentication. Use when designing, building, or reviewing authentication between services, workloads, or machines in AI systems.

prodsec-skills

a2a-authentication

Implements A2A authentication schemes—API keys, Bearer tokens, OAuth 2.0, OpenID Connect, mutual TLS—for securing agent-to-agent communication and Agent Card security declarations.

8 tools

a2a-multi-agent

multi-agent-trust

Detects insecure agent-to-agent calls lacking authentication, authorization, or permission scoping in multi-agent pipelines. Reviews and fixes inter-agent trust boundaries.

soundcheck

Stats

LanguagePython

Stars28

Forks2

MaintenanceExcellent

Last CommitMay 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Agent-to-Agent Authentication

Security Requirement

Agent-to-agent communication MUST follow the service-to-service recommendation and implement SPIFFE/SPIRE+mTLS.

Why SPIFFE/SPIRE for Agent-to-Agent

Agents are software workloads, making SPIFFE the natural identity framework

No credentials exchanged over the network (SPIRE handles attestation and certificate issuance)

Mutual authentication ensures both agents verify each other's identity

Short-lived X.509 certificates (SVIDs) are automatically rotated

Each agent gets a unique SPIFFE ID that can be used for authorization decisions

Architecture

Agent A Agent B │ │ ├── SPIFFE ID: ├── SPIFFE ID: │ spiffe://domain/agent/a │ spiffe://domain/agent/b │ │ ├── Gets SVID from SPIRE Agent ├── Gets SVID from SPIRE Agent │ │ └── mTLS connection ────────────→└── Validates Agent A's SVID (presents SVID) (presents own SVID)

SPIFFE ID Convention for Agents

Use a consistent SPIFFE ID naming convention:

spiffe://<trust-domain>/agent/<agent-type>/<instance-id>

Examples:

spiffe://example.com/agent/data-analyst/prod-01

spiffe://example.com/agent/code-reviewer/staging-02

Implementation Checklist

Deploy SPIRE server and agents for the agent infrastructure

Configure agents to obtain SVIDs from the SPIRE agent

Implement mTLS for all agent-to-agent communication

Extract peer agent's SPIFFE ID from the TLS certificate for authorization

Define authorization policies based on SPIFFE IDs (which agents can communicate)

Monitor SVID rotation and certificate expiration