[0.7] DPoP enforcement on all A2A endpoints #136

@Raulgooo

Release

0.7 — A2A Auth Layer

Objective

Every A2A call carries DPoP proof.

Problem

  • A2A calls may use bearer tokens
  • No proof-of-possession for A2A

Fix

  1. Enforce DPoP on all A2A endpoints
  2. RequireDPoPMiddleware on A2A routes
  3. Return use_dpop_scheme if missing

Files

  • internal/api/a2a_handlers.go
  • internal/api/router.go

Acceptance Criteria

  • All A2A endpoints require DPoP
  • Missing proof → 401 use_dpop_scheme
  • Tests for DPoP enforcement
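A sketch of the gate the Fix and Acceptance Criteria lists describe, as an added example rather than the project's own code. The `RequireDPoP` signature, the `ProofVerifier` hook, the `probe` helper and the `/a2a/example` path are assumptions; only the 401 status and the `use_dpop_scheme` code come from the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProofVerifier is a hypothetical hook for full RFC 9449 proof validation (not shown).
type ProofVerifier func(r *http.Request, accessToken, proof string) error

// reject answers 401 with a DPoP challenge carrying the error code.
func reject(w http.ResponseWriter, code string) {
	w.Header().Set("WWW-Authenticate", `DPoP error="`+code+`"`)
	http.Error(w, code, http.StatusUnauthorized)
}

// RequireDPoP lets a request reach next only with the DPoP scheme and one valid proof.
func RequireDPoP(verify ProofVerifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, token, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		proofs := r.Header.Values("DPoP")
		switch {
		case !strings.EqualFold(scheme, "DPoP") || token == "" || len(proofs) != 1:
			reject(w, "use_dpop_scheme") // Bearer, no credentials, missing or repeated proof
		case verify(r, token, proofs[0]) != nil:
			reject(w, "invalid_dpop_proof") // error code defined by RFC 9449
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// probe sends one constructed request through the gate; returns status and challenge.
func probe(verifyErr error, auth string, proofs ...string) (int, string) {
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	verify := func(*http.Request, string, string) error { return verifyErr }
	req := httptest.NewRequest(http.MethodPost, "/a2a/example", nil) // placeholder path
	req.Header["Authorization"] = []string{auth}
	req.Header["Dpop"] = proofs // canonical map key for the DPoP header
	rec := httptest.NewRecorder()
	RequireDPoP(verify, ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	fmt.Println(probe(nil, "Bearer constructed-token"))
	fmt.Println(probe(nil, "DPoP constructed-token", "constructed.proof.jws"))
}
```

Wrapping the whole A2A route group with this gate in the router, rather than each handler, keeps a newly added endpoint from silently accepting bearer tokens.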

Labels

  • P0 (Critical: major vulnerability, major bug, app down, within hours)
  • track-security (Track label for Agentic Era)
