Give your AI agent a frontend.
Your agent is an API. The people who use it expect a chat window. Standing that up usually means a second repo, a second deploy, a second host, and a cross-origin auth headache. a2a cloud hosts a React/Vite frontend packed alongside the agent — same domain, same auth gateway, TLS included — so the whole agent app, UI and all, ships in one deploy.
one deploy · same domain · one auth model
An agent API isn't something a person can use.
You built an agent and exposed it as an endpoint. Now someone wants to actually use it, and an endpoint isn't a product — it needs a UI. The default path is to spin up a separate frontend on another host, give it its own auth, configure CORS between two origins, and keep a web server running just to serve the chat. Two deploys, two things to secure, two places for the record to drift.
Pack the UI with the agent and deploy once.
a2a treats the frontend as part of the whole agent app: a React/Vite UI hosted on the same domain, guarded by the same gateway, and served over the same scale-to-zero infrastructure as the agent it talks to.
Packed with the agent
Drop a React or Vite app next to your agent and one deploy ships both. The UI travels with the agent as part of the whole agent app — no second repo, no second pipeline, no second host.
Hosted on the same domain
The frontend is served from the same domain as the agent's API, so there's no cross-origin dance, no separate CDN to configure, and no CORS you have to hand-tune.
Wired to the auth gateway
The UI authenticates through the same Keycloak-backed OpenAPI gateway that guards the agent. Users log in once; the frontend calls the agent under a scoped grant, not an exposed API key.
Talks to your agent's API
The frontend calls the agent through its OpenAPI gateway — the same authenticated endpoint any client uses. Your chat UI is just a first-class consumer of the agent's own API.
TLS and scale-to-zero included
TLS is terminated for you, and the frontend rides the same scale-to-zero infrastructure as the agent. No always-on web server to keep the UI online, no cert to renew.
Receipts behind the chat
Every message the UI sends becomes an agent run with an Ed25519-signed receipt. The chat is friendly; the record behind it is verifiable — don't trust the agent, trust the receipt.
Separate frontend deploy vs. a2a.
Frequently asked.
How do I give my AI agent a frontend?
On a2a cloud, put a React or Vite app alongside your agent and deploy once. The frontend is built and hosted on the same domain as the agent, wired to the same auth gateway, and served over TLS — so your agent ships with a hosted chat UI without a separate frontend deploy.
Can I host a chat UI for my agent without a separate deploy?
Yes. That's the point — the frontend is packed with the agent, so one deploy produces both the agent's API and its UI. There's no second repo, pipeline, or host, and no cross-origin configuration because the UI and API share a domain.
How does the frontend authenticate to the agent?
Through the same Keycloak-backed OpenAPI gateway that guards the agent. Users log in once and the frontend calls the agent under a scoped grant rather than an exposed API key, so the UI and the agent share one identity and authorization model.
What framework does the hosted frontend use?
A standard React/Vite frontend — you build the UI you want and a2a hosts it alongside the agent. The frontend simply calls the agent's OpenAPI gateway, so it's a first-class consumer of the same authenticated API any client would use.
Is there a record of what the agent did per chat message?
Yes. Each message the UI sends becomes an agent run that returns an Ed25519-signed, hash-chained receipt covering inputs, tool calls, outputs, cost, and the grant that authorized it. The chat is easy to use; the record behind every message is verifiable.
Related guides.
All guides live in the guides index.
Ship the agent and its UI together.
a2a cloud deploys any agent — LangGraph, OpenAI Agents SDK, CrewAI, or custom — and ships it with a managed Postgres database, an MCP server, an API, a frontend, and an Ed25519-signed receipt for every run. Scoped grants, no ambient production access. One deploy, the whole agent app, with proof.