A2A vs. MCP
MCP - vertical integration (agent → tools), defines how agents connect to internal tools & data sources,
A2A - horizontal integration (agent ↔︎ agent), defines how agents communicate with each other across organizational boundaries.
Example: an HR agent delegates interview scheduling via A2A to a Calendar agent, which then uses MCP locally to call its calendar tool, and returns the completed artifact back over A2A. Production agents commonly speak both.
MCP (Model Context Protocol) (created by Anthropic, now under the Linux Foundation)
Vertical integration: how agent talks to tools, context, APIs, resources (data sources, docs, images). Host apps typically connect to many servers simultaneously and uses the client as the isolation boundary between them. The host (AI app - Claude Desktop, IDE, agent runtime) spawns one or more MCP clients, each maintaining a 1:1 stateful connection to one MCP server. MCP servers expose three primitives (aka tools and resources):
Tools — model-controlled: the LLM decides when to call them (executable functions with JSON Schema signatures).
Resources — app-controlled: context/data (files, docs, DB records) that the host application decides to inject.
Prompts — user-controlled: reusable prompt templates the user explicitly selects (e.g., slash commands).
The distinction based on "who controls invocation" is the exact design philosophy behind how MCP servers expose capabilities to clients.
Other aspects:
Client-side primitives: MCP protocol is bidirectional - servers can request things from clients too — sampling (server asks the host's LLM to generate a completion, so the server doesn't need its own model/API key), elicitation (server asks the user for additional input mid-operation — MCP's analog of A2A's input-required state), roots (client tells the server which filesystem/URI scopes it may operate in).
Transport: MCP is typically request/response and streaming (e.g. JSON-RPC 2.0 over Streamable HTTP) and is about tool invocation, context injection, and structured data flow. Transports: stdio for local servers running as subprocesses (no network for desktop integrations), and Streamable HTTP for remote servers.
Authorization: remote MCP servers use OAuth 2.1 (host obtains user consent; server validates tokens). MCP Registry provides discovery & metadata for publicly available servers.
A2A calls between agents that, internally, may each use MCP to access their own tools.
Security issues: prompt injection via tool results (a tool returns text that hijacks the model), tool poisoning (malicious tool descriptions that manipulate model behavior), and confused deputy (server acts with the host's authority on attacker-supplied instructions). Mitigations - human-in-the-loop approval for destructive tools, allowlisted servers, and output sanitization.
Sources: YouTube link, modelcontextprotocol.io, github.com/modelcontextprotocol.
A2A Protocol (created by Google, now Linux Foundation-governed)
Terminology: user => client agent (A2A client) <=> remote agent (A2A server). How multiple agents talk to each other - peer-to-peer communication between or horizontal integration of agents. Steps:
Discovery - client finds a remote agent using its json agent card - typically fetched from a well-known; it describes the agent, what it can do (skills), how to talk to it, and what authentication it requires.
Authentication - based on security scheme from same agent card.
Communication - a) client talks to remote using JSON RPC 2.0 protocol over HTTPS, b) client sends tasks to remote agent who completes them [using tools] and who can request additional information, c) finally, remote agent communicates task completion and sends generated artifacts (doc, image, structured data) to client, d) streaming can be used over SSE if a task is long + push notifications (webhooks) are used for very long-running or disconnected scenarios where holding an SSE connection open isn't practical.
Task are stateful objects with lifecycle states - pending, in-progress (working), completed, failed, input-required (task pauses until client sends more context) and rejected/canceled. Long-running, multi-turn task management - A2A's core contribution vs. plain RPC call.
Modality agnosticism - message objects composed of Parts — parts can contain text, images, structured data, or other formats.
A2A preserves privacy because remote agents don’t disclose anything about their inner workings (memory, tools, or proprietary logic) + interaction is based on established standards/protocols. A remote agent is a black box exposing only its card and task interface.
Source: https://www.youtube.com/watch?v=Tud9HLTk8hg, a2a-protocol.org, github.com/a2aproject/A2A.