a2a cloud
eliminate keys, don't rotate them

Scoped grants for AI agents, not shared keys.

An agent with a shared API key holds standing, all-or-nothing access to everything behind it — and about 90% of agents run over-privileged. a2a cloud replaces the key with a scoped grant: an Ed25519 token that binds an audience, a TTL, and the exact files and tools it unlocks. The fix isn't rotating keys faster. It's removing the key.

audience · TTL · file + tool scope · no ambient trust

0%
agents over-privileged
0
secrets leaked 2025 (M)
0
standing access granted
the problem

The shared API key is the vulnerability, not the leak.

Give an agent an API key and you've given it standing, all-or-nothing authority that outlives every task it was minted for. Keys sprawl into env vars, config files, and repos; roughly 90% of agents end up over-privileged relative to what they actually do; and in 2025 alone tens of millions of secrets leaked publicly. Rotation is a treadmill — you're always one forgotten key behind. The problem isn't that keys leak. It's that a leaked key grants everything.

A shared key is all-or-nothing: the agent inherits every permission the key was ever given.
Keys are long-lived and sprawl into logs, env vars, and repos where they quietly leak.
~90% of agents are over-privileged — they hold far more authority than their tasks require.
Rotation is reactive and perpetual; you find out a key leaked after it's already been used.
the a2a way

Mint authority per task. Bind it. Expire it.

On a2a cloud, authority is a scoped grant — a cheap-to-mint Ed25519 token issued at the moment of need, carrying exactly the scope the task requires and nothing more. Scoped authority, no standing access.

A grant is not a keyAudience-boundTime-boxed by TTLFile and tool scopedBound into the receiptMinted per task, not per app

A grant is not a key

A scoped grant is an Ed25519-signed permission token, not a secret to guard. It carries its own authority — audience, TTL, and the exact tools and files it unlocks — so there's nothing to leak that grants standing access.

Audience-bound

A grant names the agent it was minted for. Present it to a different audience and it's rejected. A stolen grant can't be replayed against a service it was never issued to.

Time-boxed by TTL

Every grant expires. Authority is a bounded window measured in minutes, not a key that lives in an env var until someone remembers to rotate it — which is usually never.

File and tool scoped

A grant enumerates exactly which tools it may call and which files it may touch. An agent that needs to read one file and call one tool gets precisely that — least privilege by construction, not by policy doc.

Bound into the receipt

Each run's Ed25519-signed receipt records the grant it acted under. Authority and action are joined in the evidence, so you can prove not just what happened but under what scoped authority it was permitted.

Minted per task, not per app

Grants are cheap to mint, so authority is issued per task at the moment of need. The agent holds narrow, short-lived authority for the job in front of it — never the broad, permanent access a shared key hands out.

side-by-side

Shared keys vs. scoped grants.

dimension
shared API key
scoped grant
the credential
A shared API key: a long-lived secret that grants standing access to everything behind it.
A scoped grant: a signed token carrying its own bounded authority, not a secret to protect.
scope
One key, all-or-nothing. The agent gets every permission the key was ever provisioned with.
Audience, TTL, and an explicit file and tool allowlist — exactly the authority the task needs.
lifetime
Keys live until someone rotates them. In practice they outlive the project and leak into logs and repos.
Grants expire by TTL. Leaked authority is dead within minutes, not indefinitely valid.
if it leaks
A leaked key is full standing access until detected and rotated — the basis of most breaches.
A leaked grant is scoped, audience-bound, and expiring — its blast radius is a sliver.
provability
Logs rarely record which key authorized an action, so you can't prove the authority behind it.
The signed receipt binds the grant to the action — provable scoped authority per run.
questions

Frequently asked.

What are scoped grants for AI agents?

A scoped grant is an Ed25519-signed permission token that binds an audience, a TTL, and an explicit file and tool scope. Instead of handing an agent a shared API key with standing access, you mint a grant that permits exactly the tools and files the task requires, for a bounded window. It's least privilege enforced cryptographically, with no ambient trust.

Why stop giving agents API keys?

A shared API key is a long-lived secret with all-or-nothing, standing access — and studies find roughly 90% of agents run over-privileged, while millions of secrets leaked publicly in 2025. Rotation is a treadmill you always fall behind on. Scoped grants remove the key entirely: a leaked grant is audience-bound, tool-scoped, and expiring, so there's little to steal and less to lose.

How is a scoped grant different from a short-lived API key?

A short-lived key is still a secret with whatever scope it was provisioned with — it just expires sooner. A scoped grant carries its authority explicitly: it names its audience, enumerates the exact tools and files it unlocks, and expires by TTL. The reframe is eliminating keys, not rotating them faster.

How do scoped grants enforce least privilege?

Each grant enumerates the specific tools it may invoke and the specific files it may touch, bound to one audience for one bounded window. An agent that needs one read tool receives authority for that tool only — not the write tools beside it. Least privilege is a property of the token, not a policy someone hopes is being followed.

Can I prove which authority an agent acted under?

Yes. Every run produces an Ed25519-signed receipt that records the grant it acted under alongside the inputs, outputs, and result. Authority and action are joined in tamper-evident evidence, so an auditor can verify not just what the agent did but the scoped authority that permitted it.

keep reading

Related guides.

All guides live in the guides index.

no ambient trust

Give agents scope, not keys.

a2a cloud deploys any agent and governs it with scoped grants instead of shared API keys — Ed25519 tokens binding audience, TTL, and file and tool scope. Every run is Ed25519-signed and records the grant it acted under, so scoped authority is provable. Managed Postgres, MCP, API, and auth ship with the deploy. Least privilege by construction.