AdCP server whose registered tools this adapter exposes over A2A.
OptionalauthenticateAuthenticate an inbound A2A request. Transport-level auth runs
before AdcpServer.invoke() so the framework pipeline sees a
verified authInfo. Return null (or throw) to reject.
Seller-supplied agent-card identity fields. Required.
OptionaltaskA2A task store. Defaults to the SDK's InMemoryTaskStore.
Persistent deployments should supply a durable implementation
(e.g. a Postgres-backed TaskStore).
OptionalloggerOptional logger. Falls back to console.
Options for createA2AAdapter.
Auth posture.
authenticate(req)runs BEFORE the tool handler sees the request. Return anAdcpAuthInfoto let the pipeline proceed with that principal; returnnull(or throw) to reject. A rejection currently surfaces as a generic JSON-RPC-32000server error — the@a2a-js/sdkdoesn't yet expose a typed authentication-failed code for theUserBuilderpath. Production deployments SHOULD wire upstream middleware (e.g.express-jwt) to reject with a proper HTTP 401 / WWW-Authenticate challenge before the request reachesjsonRpcHandler. Theauthenticateoption here is a last-line-of-defense guard, not the primary auth surface.Agent-card
securitySchemes. TheagentCard.securitySchemesyou provide is served verbatim at/.well-known/agent-card.json— only put non-secret discovery data there (token endpoint, scopes, OIDC issuer URL). Never paste client secrets, private JWKS, or internal URLs into the card. The SDK doesn't schema-validatesecuritySchemesat boot (v0 check is required-field presence only), so a hand-crafted malformed entry will ship as-written.Omitting
authenticatemakes the adapter anonymous — handlers seectx.authInfo === undefined, matchingserve({ authenticate: undefined }).