How to Enable Agent-to-Agent A2A Communication

What You'll Need

Before enabling A2A communication, ensure you have:

• MoltFlow Business plan with A2A feature enabled — Contact sales if you don't see A2A settings in your dashboard.
• API key with appropriate permissions — You'll need this for programmatic agent communication.
• Basic understanding of REST APIs — A2A involves API calls between agents.

A2A (Agent-to-Agent) is an open protocol that enables AI agents to discover and communicate with each other autonomously. MoltFlow implements the A2A specification, allowing your WhatsApp automation agent to delegate tasks to other AI agents in your ecosystem.

Step 1: Understand the A2A Protocol

The A2A protocol enables autonomous agent collaboration through three core mechanisms:

1. Agent Discovery (Agent Cards)

Every A2A-compatible agent publishes an Agent Card at /.well-known/agent.json. This is a JSON document that describes:

• Agent name and description
• Supported capabilities (e.g., "translate", "classify", "summarize")
• Endpoint URL for task submission
• Authentication requirements (API key, OAuth, etc.)

Example Agent Card:

{
  "name": "MoltFlow WhatsApp Agent",
  "description": "WhatsApp automation with AI-powered responses",
  "version": "3.0",
  "capabilities": [
    "whatsapp.send_message",
    "whatsapp.receive_message",
    "whatsapp.manage_groups",
    "ai.classify_lead",
    "ai.generate_response"
  ],
  "endpoint": "https://apiv2.waiflow.app/a2a/tasks",
  "authentication": {
    "type": "api_key",
    "header": "X-API-Key"
  }
}

Other agents discover MoltFlow by fetching your Agent Card. You discover other agents by fetching theirs.

2. Task-Based Messaging

A2A uses a task-based communication model. Instead of freeform messages, agents send structured task requests:

{
  "task_type": "classify_lead",
  "payload": {
    "text": "Hi, I'm interested in your premium plan. What's the pricing?",
    "context": {
      "sender": "+15551234567",
      "received_at": "2026-02-13T10:30:00Z"
    }
  }
}

The receiving agent processes the task and returns a structured response:

{
  "task_id": "task_abc123",
  "status": "completed",
  "result": {
    "lead_quality": 8,
    "intent": "purchase",
    "urgency": "high",
    "confidence": 0.92
  }
}

3. Trust Levels

Not all agents should have full access to your system. A2A implements trust levels to control what each connected agent can do:

You configure trust levels per agent. Start with basic and upgrade only when you trust the agent's behavior.

Why A2A matters:

• Specialization: Instead of building every capability yourself, delegate to specialized agents (e.g., translation agent, fraud detection agent)
• Composability: Chain multiple agents together (e.g., MoltFlow receives message → sends to classification agent → sends to response generation agent → sends response via WhatsApp)
• Autonomy: Agents collaborate without human intervention, enabling 24/7 automation

Step 2: Configure Your Agent's Discovery Endpoint

MoltFlow automatically publishes an Agent Card for your tenant. To view it:

curl https://apiv2.waiflow.app/.well-known/agent.json

Response:

{
  "name": "MoltFlow",
  "description": "WhatsApp Business automation platform with AI-powered messaging, lead management, and agent-to-agent communication",
  "version": "3.1",
  "capabilities": [
    "whatsapp.send_message",
    "whatsapp.send_bulk",
    "whatsapp.manage_sessions",
    "whatsapp.manage_groups",
    "ai.auto_reply",
    "ai.classify_lead",
    "ai.style_profile",
    "data.export_gdpr",
    "webhooks.deliver"
  ],
  "endpoint": "https://apiv2.waiflow.app/a2a/tasks",
  "authentication": {
    "type": "api_key",
    "header": "X-API-Key",
    "documentation": "https://molt.waiflow.app/docs/api/authentication"
  },
  "contact": {
    "support": "[email protected]",
    "documentation": "https://molt.waiflow.app/docs"
  }
}

Customizing your Agent Card:

While MoltFlow provides a default Agent Card, Business plan customers can customize it:

1. Navigate to Settings > A2A in the dashboard
2. Click "Customize Agent Card"
3. Edit fields: name, description, additional capabilities
4. Click "Save Changes"

Changes are published immediately. Other agents will see your updated Agent Card on their next fetch.

Discovering other agents:

To connect to an external agent, you need its Agent Card URL:

curl https://external-agent.example.com/.well-known/agent.json

If the URL returns a valid Agent Card (matches the A2A schema), you can add the agent to MoltFlow:

1. Navigate to Settings > A2A > Connected Agents
2. Click "Add Agent"
3. Enter the Agent Card URL (e.g., https://external-agent.example.com/.well-known/agent.json)
4. Click "Discover"
5. MoltFlow fetches the Agent Card and displays agent details
6. Click "Add Agent" to save

The agent is now discoverable from within MoltFlow, but it has NO permissions yet. You must configure trust levels (Step 3).

Step 3: Set Trust Levels for Connected Agents

After adding an external agent, configure its trust level:

1. Navigate to Settings > A2A > Connected Agents
2. Find the agent in the list
3. Click the "Trust Level" dropdown
4. Select a trust level:
   • none — Reject all requests (use this to blacklist a misbehaving agent)
   • basic — Read-only (agent can query your capabilities but not submit tasks)
   • standard — Can submit tasks and receive results (most common)
   • full — Can submit tasks AND trigger actions (use with caution)
5. Click "Save"

What each trust level allows:

none (blacklist):

• All requests from this agent return 403 Forbidden
• Use this if an agent is misbehaving (spamming tasks, unauthorized access attempts)

basic (read-only):

• Agent can fetch your Agent Card (GET /.well-known/agent.json)
• Agent can query task status (GET /a2a/tasks/{task_id})
• Agent CANNOT submit new tasks

standard (task submission):

• All permissions from basic
• Agent can submit tasks (POST /a2a/tasks)
• Agent can retrieve task results (GET /a2a/tasks/{task_id}/result)
• Agent CANNOT trigger actions (e.g., cannot send WhatsApp messages on your behalf)

full (elevated permissions):

• All permissions from standard
• Agent can trigger actions (e.g., POST /messages/send with A2A authentication)
• Agent can access sensitive data (e.g., contact lists, message history)
• WARNING: Only grant full trust to agents you control or deeply trust

Principle of least privilege: Start every agent at basic trust. Upgrade to standard once you've verified the agent's behavior. Only grant full trust for agents in your own infrastructure.

Revoking trust: If an agent becomes unresponsive or misbehaves, immediately set its trust level to none. This blocks all future requests without deleting the agent (you can restore trust later).

API-based trust management:

For programmatic trust configuration, use the A2A trust API:

curl -X PUT https://apiv2.waiflow.app/a2a/agents/{agent_id}/trust \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "trust_level": "standard"
  }'

Step 4: Send Tasks Between Agents

Once trust is configured, agents can exchange tasks. Here's how to send a task from an external agent to MoltFlow:

Task submission (external agent → MoltFlow):

curl -X POST https://apiv2.waiflow.app/a2a/tasks \
  -H "X-API-Key: YOUR_MOLTFLOW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "task_type": "ai.classify_lead",
    "payload": {
      "text": "I need 50 units delivered by Friday",
      "sender_phone": "+15551234567"
    },
    "callback_url": "https://external-agent.example.com/a2a/results"
  }'

Response:

{
  "task_id": "task_abc123",
  "status": "pending",
  "created_at": "2026-02-13T10:45:00Z"
}

Task lifecycle:

1. pending — Task received, queued for processing
2. in_progress — Agent is actively working on the task
3. completed — Task finished successfully, result available
4. failed — Task failed (error details in error field)

Polling for task status:

curl -X GET https://apiv2.waiflow.app/a2a/tasks/task_abc123 \
  -H "X-API-Key: YOUR_MOLTFLOW_API_KEY"

Response (completed task):

{
  "task_id": "task_abc123",
  "status": "completed",
  "result": {
    "lead_quality": 9,
    "intent": "purchase",
    "urgency": "high",
    "budget_signals": ["50 units", "bulk order"],
    "confidence": 0.94
  },
  "completed_at": "2026-02-13T10:45:12Z"
}

Callback notifications (recommended): Instead of polling, provide a callback_url when submitting the task. MoltFlow will POST the result to your callback URL when the task completes:

POST https://external-agent.example.com/a2a/results
Content-Type: application/json

{
  "task_id": "task_abc123",
  "status": "completed",
  "result": {
    "lead_quality": 9,
    "intent": "purchase",
    "urgency": "high",
    "confidence": 0.94
  }
}

Sending tasks from MoltFlow to external agents:

From the MoltFlow dashboard:

1. Navigate to A2A > Send Task
2. Select the target agent from the dropdown
3. Enter the task type (must match one of the agent's capabilities)
4. Enter the payload (JSON object)
5. Click "Submit Task"

The task is sent to the external agent's endpoint. You can monitor progress in the A2A activity log.

Example use case: You receive a WhatsApp message from a potential customer. MoltFlow sends the message content to an AI classification agent to determine lead quality. The classification agent returns a score (1-10). If the score is ≥8, MoltFlow automatically assigns the lead to your sales team via CRM integration.

Step 5: Monitor Agent Communication Logs

MoltFlow logs all A2A activity for debugging and compliance:

1. Navigate to A2A > Activity Log
2. Filter by:
   • Agent (inbound tasks vs outbound tasks)
   • Task type
   • Status (completed, failed, pending)
   • Date range

Each log entry includes:

• Timestamp (UTC)
• Direction (inbound from agent X, or outbound to agent Y)
• Task type (e.g., ai.classify_lead)
• Status (pending, in_progress, completed, failed)
• Response time (how long the task took)
• Error details (if failed)

Key metrics to monitor:

• Success rate: What percentage of tasks complete successfully?
• Response time: How long does each agent take to process tasks?
• Failure patterns: Are specific agents failing consistently?

Debugging failed tasks: If a task fails, click the task ID in the activity log to see:

• Full request payload (what was sent)
• Error message (why it failed)
• Agent response (if the agent returned an error)

Common failure reasons:

• Authentication failed: API key invalid or missing permissions
• Task type not supported: Agent doesn't support the requested capability
• Timeout: Agent took too long to respond (default timeout: 30 seconds)
• Rate limited: You exceeded the agent's rate limits

Compliance and auditing: A2A logs satisfy compliance requirements for:

• GDPR Article 30: Records of processing activities (when data is shared with external agents)
• SOC 2: Audit trail of inter-system communications
• ISO 27001: Security event logging

All A2A logs are retained for 90 days on Business plan.

Security Considerations

A2A introduces inter-agent communication, which requires careful security controls:

1. Authentication: All A2A communication is authenticated via API keys. Never share API keys with untrusted agents. Rotate API keys quarterly or after any suspected compromise.

2. Trust levels: Use the principle of least privilege. Grant basic trust by default, upgrade to standard only for verified agents, grant full trust only for agents you control.

3. Audit logs: Review A2A activity logs weekly. Look for:

• Unexpected task types (may indicate an agent is probing for vulnerabilities)
• High failure rates (may indicate misconfiguration or malicious activity)
• Unusual response times (may indicate a compromised agent)

4. Rate limiting: MoltFlow applies rate limits to A2A endpoints (100 tasks per minute per agent). If an agent exceeds this limit, it receives 429 Too Many Requests. This prevents runaway automation and abuse.

5. Payload validation: MoltFlow validates all task payloads against a schema. If a payload contains unexpected fields or invalid data types, the task is rejected with 400 Bad Request. This prevents injection attacks.

6. Trust revocation: If you suspect an agent is compromised, immediately revoke its trust (set to none). Investigate the activity log to determine if any sensitive data was exposed.

Best practices:

• Review connected agents monthly — remove unused agents
• Rotate API keys quarterly
• Monitor trust levels — avoid granting full trust unless absolutely necessary
• Configure callback URLs over HTTPS only (no HTTP)
• Implement your own rate limiting on inbound tasks (Business plan feature)

Troubleshooting

Agent not discoverable:

• Verify the Agent Card URL is correct (try fetching it in your browser)
• Check that the agent is serving the Agent Card at /.well-known/agent.json
• Ensure the Agent Card is valid JSON (use a JSON validator)

"Trust denied" errors:

• Check the agent's trust level in Settings > A2A > Connected Agents
• If trust level is none, upgrade to at least basic
• Verify the API key has appropriate permissions (A2A task submission requires a2a:submit scope)

Tasks timing out:

• Check the target agent's health (is it online and responding?)
• Increase the task timeout (default 30s) if the agent legitimately needs more time
• Verify network connectivity between MoltFlow and the target agent

Authentication failures:

• Verify the API key is correct (check for typos)
• Ensure the API key is included in the correct header (X-API-Key for MoltFlow)
• Check that the API key hasn't expired or been revoked

Task stuck in "pending":

• Check MoltFlow's Celery worker status (tasks are processed asynchronously)
• Verify the task queue isn't backed up (Settings > System > Queue Status)
• If the queue is clear but task is still pending, contact support (may be a processing bug)

What's Next?

Now that you've enabled A2A communication, explore these related guides:

• REST API Quick Start — Build integrations with MoltFlow's REST API
• Set Up Team Access with Role-Based Permissions — Control which team members can manage A2A settings
• Set Up Webhooks for Real-Time Notifications — Receive events from MoltFlow in real time

Need help? Contact support at [email protected] or visit our A2A documentation.