Scoped grants for AI agents, not shared keys.
An agent with a shared API key holds standing, all-or-nothing access to everything behind it — and about 90% of agents run over-privileged. a2a cloud replaces the key with a scoped grant: an Ed25519 token that binds an audience, a TTL, and the exact files and tools it unlocks. The fix isn't rotating keys faster. It's removing the key.
audience · TTL · file + tool scope · no ambient trust
The shared API key is the vulnerability, not the leak.
Give an agent an API key and you've given it standing, all-or-nothing authority that outlives every task it was minted for. Keys sprawl into env vars, config files, and repos; roughly 90% of agents end up over-privileged relative to what they actually do; and in 2025 alone tens of millions of secrets leaked publicly. Rotation is a treadmill — you're always one forgotten key behind. The problem isn't that keys leak. It's that a leaked key grants everything.
Mint authority per task. Bind it. Expire it.
On a2a cloud, authority is a scoped grant — a cheap-to-mint Ed25519 token issued at the moment of need, carrying exactly the scope the task requires and nothing more. Scoped authority, no standing access.
A grant is not a key
A scoped grant is an Ed25519-signed permission token, not a secret to guard. It carries its own authority — audience, TTL, and the exact tools and files it unlocks — so there's nothing to leak that grants standing access.
Audience-bound
A grant names the agent it was minted for. Present it to a different audience and it's rejected. A stolen grant can't be replayed against a service it was never issued to.
Time-boxed by TTL
Every grant expires. Authority is a bounded window measured in minutes, not a key that lives in an env var until someone remembers to rotate it — which is usually never.
File and tool scoped
A grant enumerates exactly which tools it may call and which files it may touch. An agent that needs to read one file and call one tool gets precisely that — least privilege by construction, not by policy doc.
Bound into the receipt
Each run's Ed25519-signed receipt records the grant it acted under. Authority and action are joined in the evidence, so you can prove not just what happened but under what scoped authority it was permitted.
Minted per task, not per app
Grants are cheap to mint, so authority is issued per task at the moment of need. The agent holds narrow, short-lived authority for the job in front of it — never the broad, permanent access a shared key hands out.
Shared keys vs. scoped grants.
Frequently asked.
What are scoped grants for AI agents?
A scoped grant is an Ed25519-signed permission token that binds an audience, a TTL, and an explicit file and tool scope. Instead of handing an agent a shared API key with standing access, you mint a grant that permits exactly the tools and files the task requires, for a bounded window. It's least privilege enforced cryptographically, with no ambient trust.
Why stop giving agents API keys?
A shared API key is a long-lived secret with all-or-nothing, standing access — and studies find roughly 90% of agents run over-privileged, while millions of secrets leaked publicly in 2025. Rotation is a treadmill you always fall behind on. Scoped grants remove the key entirely: a leaked grant is audience-bound, tool-scoped, and expiring, so there's little to steal and less to lose.
How is a scoped grant different from a short-lived API key?
A short-lived key is still a secret with whatever scope it was provisioned with — it just expires sooner. A scoped grant carries its authority explicitly: it names its audience, enumerates the exact tools and files it unlocks, and expires by TTL. The reframe is eliminating keys, not rotating them faster.
How do scoped grants enforce least privilege?
Each grant enumerates the specific tools it may invoke and the specific files it may touch, bound to one audience for one bounded window. An agent that needs one read tool receives authority for that tool only — not the write tools beside it. Least privilege is a property of the token, not a policy someone hopes is being followed.
Can I prove which authority an agent acted under?
Yes. Every run produces an Ed25519-signed receipt that records the grant it acted under alongside the inputs, outputs, and result. Authority and action are joined in tamper-evident evidence, so an auditor can verify not just what the agent did but the scoped authority that permitted it.
Related guides.
All guides live in the guides index.
Give agents scope, not keys.
a2a cloud deploys any agent and governs it with scoped grants instead of shared API keys — Ed25519 tokens binding audience, TTL, and file and tool scope. Every run is Ed25519-signed and records the grant it acted under, so scoped authority is provable. Managed Postgres, MCP, API, and auth ship with the deploy. Least privilege by construction.