a2a cloud
hosted MCP, done right

MCP server hosting with auth built in.

Raw Cloud Run or Vercel hands you a URL and leaves auth, per-tool authorization, an audit trail, and isolation for you to build. a2a cloud hosts your MCP server as a production service: every agent tool becomes an MCP tool automatically, behind an authenticated endpoint, with scoped grants per tool and an Ed25519-signed receipt for every call.

authenticated endpoint · scoped grants · signed receipts

0
auth to build
0%
tools auto-published
0%
signed per call
the problem

A hosted URL is not a hosted MCP server.

Standing an MCP server on generic hosting is the easy 20%. The hard 80% is everything a production tool surface actually needs: authenticating callers, authorizing individual tools, keeping a tamper-evident record of what each tool did, and isolating tools that run untrusted code. On Cloud Run or Vercel that's all yours to design, wire, and keep running. Most teams ship the URL and skip the rest — and then can't answer who called which tool, under what authority.

A shared API key unlocks every tool — no way to scope a caller to one read tool.
Tool calls land in mutable stdout logs, so proving what a tool did is guesswork.
Tools share a container, so a tool running untrusted code shares its blast radius.
MCP server, database, TLS, and DNS are four setup tasks before a single tool is callable.
the a2a way

Deploy the MCP server; the platform brings the rest.

On a2a cloud the MCP endpoint is a first-class output of `a2a deploy`, not a container you hand-harden. Auth, authorization, audit, and isolation are primitives, not follow-up projects.

Agent tools become MCP tools automaticallyAuth on the front doorScoped grants per toolSigned receipt per tool callmicroVM isolation per agentManaged TLS, DNS, and Postgres

Agent tools become MCP tools automatically

Every function you expose on your agent is published as an MCP tool with a generated schema. Write the tool once; it's callable over MCP, the REST/OpenAPI gateway, and A2A without a second definition.

Auth on the front door

The hosted MCP endpoint is authenticated by default. Callers present a short-lived signed token, not a shared secret you paste into a config file and forget to rotate.

Scoped grants per tool

An Ed25519 grant binds exactly which tools a caller may invoke, with an audience and a TTL. A caller that needs one read tool never receives the authority to call the write tools next to it.

Signed receipt per tool call

Each MCP tool invocation returns an Ed25519-signed receipt: caller, arguments, result, cost, and the grant that authorized it. Governed agent execution, not an opaque tool server.

microVM isolation per agent

Each MCP server runs inside a libkrun microVM, not a shared container. A tool that shells out or touches the filesystem is sandboxed at the hypervisor boundary.

Managed TLS, DNS, and Postgres

The endpoint ships with TLS, a stable hostname, and a managed Postgres database wired in. Tools that need to persist state have a database on the first deploy, not the third.

side-by-side

Raw hosting vs. hosted MCP on a2a cloud.

dimension
Cloud Run / Vercel
a2a cloud
auth
Raw Cloud Run or Vercel gives you a URL. You bolt on token verification, key rotation, and a caller identity yourself.
Authenticated MCP endpoint on deploy — short-lived signed tokens and scoped grants, no key-paste config.
authorization
One shared API key grants every tool. A read-only caller can call the destructive tools by accident or design.
Per-tool scoped grants: audience, TTL, and an explicit tool allowlist per caller.
audit
Tool calls land in stdout logs you can edit or lose. Proving what a tool did is guesswork.
Every tool call returns an Ed25519-signed, hash-chained receipt you can verify outside the runtime.
isolation
Tools share a container. A tool that runs untrusted code shares a blast radius with the rest.
libkrun microVM per agent — hypervisor-grade isolation around each MCP server.
wiring
MCP server, database, TLS, and a hostname are four separate setup tasks across two dashboards.
One `a2a deploy` provisions the MCP endpoint, Postgres, TLS, and DNS together.
questions

Frequently asked.

How do I host an MCP server in production?

Point a2a cloud at your agent and run `a2a deploy`. It publishes an authenticated MCP endpoint with TLS and a stable hostname, provisions a managed Postgres database, and exposes every agent tool as an MCP tool. You don't stand up auth, a gateway, or a database separately.

Why not just host an MCP server on Cloud Run or Vercel?

You can — but Cloud Run and Vercel give you a URL and stop there. Authentication, per-tool authorization, a signed audit trail, and sandbox isolation are yours to build and maintain. a2a cloud ships those as platform primitives: signed tokens, scoped grants, Ed25519 receipts, and libkrun microVMs on the first deploy.

Are agent tools exposed as MCP tools automatically?

Yes. Any function you expose on your agent is published as an MCP tool with a generated schema, and the same tool is reachable over the REST/OpenAPI gateway and A2A. You define the capability once instead of maintaining separate MCP, HTTP, and A2A definitions.

How is access to hosted MCP tools controlled?

With scoped grants — Ed25519 permission tokens that bind an audience, a TTL, and an explicit tool allowlist. A caller receives authority for exactly the tools it needs, not a shared key that unlocks the whole server. There is no ambient trust between caller and endpoint.

Can I audit what an MCP tool did?

Every MCP tool call returns an Ed25519-signed receipt covering the caller, the arguments, the result, the cost, and the grant that authorized it. Receipts are hash-chained, so tampering is detectable and a third party can verify the record independently of the tool server.

keep reading

Related guides.

All guides live in the guides index.

ship the tools, keep the proof

Host your MCP server with authority.

a2a cloud deploys any agent and publishes its tools as authenticated MCP tools — with a managed Postgres database, an OpenAPI gateway, TLS, and an Ed25519-signed receipt for every call. Scoped grants replace shared keys. libkrun microVMs isolate every tool. One deploy, a production MCP server with proof.