Agents calling agents need to authenticate each other. The user identity model (OAuth, OIDC) was designed for humans logging in. The right model for agent-to-agent is workload identity — SPIFFE/SPIRE, cert-based service identity, signed claims.
Why not OAuth-for-agents
OAuth bearer tokens get stolen, and whoever holds one can use it. Agents make many calls per second; OAuth refresh cycles add latency on that hot path. OAuth's primary trust unit is 'user authorized X to act on their behalf' — that is necessary but not sufficient for cross-org A2A, where the receiving side also needs to know which workload is calling.
SPIFFE / SPIRE
Workload identity for software. Each agent has a cryptographic identity bound to its deployment context (SPIRE attests the node and the workload before issuing anything). SPIRE issues short-lived certificates (X.509 SVIDs) carrying the agent's SPIFFE ID as a URI SAN; the agent proves possession over mTLS. Standard in service meshes; applies cleanly to agents.
Signed capability claims
Beyond identity: 'this agent is authorized to spend up to $X', 'this agent can read documents in project Y'. Capability tokens are signed under the user's authorization and bound to the agent's identity. The receiving agent verifies the signature, expiry and scope before acting, and rejects anything it cannot verify.
Cross-organization trust
Within one org: SPIFFE federation between trust domains, each side importing the other's bundle. Across orgs: federation agreements plus signed delegation, so the receiving org can tell both which workload is calling and who authorized it. Hard problem; mostly unsolved at the standards level in 2026. Bilateral arrangements dominate.
Operational implications
Cert rotation (short-lived certificates mean frequent rotation, and a smaller blast radius if one is compromised). Identity in logs and traces (who called whom, recorded as SPIFFE IDs rather than IP addresses). Revocation lists for when trust is broken before a certificate expires. Each is operational work; budget for it.