Method: getExtendedAgentCard

Gets the extended agent card for the authenticated agent.

HTTP request

GET https://ces.googleapis.com/extendedAgentCard

The URL uses gRPC Transcoding syntax.

Query parameters

Parameters
tenant

string

Optional. Tenant ID, provided as a path parameter.

Request body

The request body must be empty.

Response body

A self-describing manifest for an agent. It provides essential metadata including the agent's identity, capabilities, skills, supported communication methods, and security requirements.

If successful, the response body contains data with the following structure:

JSON representation
{
  "name": string,
  "description": string,
  "supportedInterfaces": [
    {
      object (AgentInterface)
    }
  ],
  "provider": {
    object (AgentProvider)
  },
  "version": string,
  "capabilities": {
    object (AgentCapabilities)
  },
  "securitySchemes": {
    string: {
      object (SecurityScheme)
    },
    ...
  },
  "securityRequirements": [
    {
      object (SecurityRequirement)
    }
  ],
  "defaultInputModes": [
    string
  ],
  "defaultOutputModes": [
    string
  ],
  "skills": [
    {
      object (AgentSkill)
    }
  ],
  "signatures": [
    {
      object (AgentCardSignature)
    }
  ],
  "documentationUrl": string,
  "iconUrl": string
}
Fields
name

string

Required. A human-readable name for the agent. Example: "Recipe Agent"

description

string

Required. A human-readable description of the agent, assisting users and other agents in understanding its purpose. Example: "Agent that helps users with recipes and cooking."

supportedInterfaces[]

object (AgentInterface)

Required. Ordered list of supported interfaces. The first entry is preferred.

provider

object (AgentProvider)

The service provider of the agent.

version

string

Required. The version of the agent. Example: "1.0.0"

capabilities

object (AgentCapabilities)

Required. A2A Capability set supported by the agent.

securitySchemes

map (key: string, value: object (SecurityScheme))

The security scheme details used for authenticating with this agent.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

securityRequirements[]

object (SecurityRequirement)

Security requirements for contacting the agent.

defaultInputModes[]

string

Required. The set of interaction modes that the agent supports across all skills. This can be overridden per skill. Defined as media types.

defaultOutputModes[]

string

Required. The media types supported as outputs from this agent.

skills[]

object (AgentSkill)

Required. Skills represent the abilities of an agent. It is largely a descriptive concept but represents a more focused set of behaviors that the agent is likely to succeed at.

signatures[]

object (AgentCardSignature)

JSON Web Signatures computed for this AgentCard.

documentationUrl

string

A URL providing additional documentation about the agent.

iconUrl

string

Optional. A URL to an icon for the agent.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/ces

For more information, see the Authentication Overview.

AgentInterface

Declares a combination of a target URL, transport and protocol version for interacting with the agent. This allows agents to expose the same functionality over multiple protocol binding mechanisms.

JSON representation
{
  "url": string,
  "protocolBinding": string,
  "tenant": string,
  "protocolVersion": string
}
Fields
url

string

Required. The URL where this interface is available. Must be a valid absolute HTTPS URL in production. Example: "https://api.example.com/a2a/v1", "https://grpc.example.com/a2a"

protocolBinding

string

Required. The protocol binding supported at this URL. This is an open form string, to be easily extended for other protocol bindings. The core ones officially supported are JSONRPC, GRPC and HTTP+JSON.

tenant

string

Tenant ID to be used in the request when calling the agent.

protocolVersion

string

Required. The version of the A2A protocol this interface exposes. Use the latest supported minor version per major version. Examples: "0.3", "1.0"

AgentProvider

Represents the service provider of an agent.

JSON representation
{
  "url": string,
  "organization": string
}
Fields
url

string

Required. A URL for the agent provider's website or relevant documentation. Example: "https://ai.google.dev"

organization

string

Required. The name of the agent provider's organization. Example: "Google"

AgentCapabilities

Defines optional capabilities supported by an agent.

JSON representation
{
  "extensions": [
    {
      object (AgentExtension)
    }
  ],
  "streaming": boolean,
  "pushNotifications": boolean,
  "extendedAgentCard": boolean
}
Fields
extensions[]

object (AgentExtension)

A list of protocol extensions supported by the agent.

streaming

boolean

Indicates if the agent supports streaming responses.

pushNotifications

boolean

Indicates if the agent supports sending push notifications for asynchronous task updates.

extendedAgentCard

boolean

Indicates if the agent supports providing an extended agent card when authenticated.

AgentExtension

A declaration of a protocol extension supported by an Agent.

JSON representation
{
  "uri": string,
  "description": string,
  "required": boolean,
  "params": {
    object
  }
}
Fields
uri

string

The unique URI identifying the extension.

description

string

A human-readable description of how this agent uses the extension.

required

boolean

If true, the client must understand and comply with the extension's requirements.

params

object (Struct format)

Optional. Extension-specific configuration parameters.

SecurityScheme

Defines a security scheme that can be used to secure an agent's endpoints. This is a discriminated union type based on the OpenAPI 3.2 Security Scheme Object. See: https://spec.openapis.org/oas/v3.2.0.html#security-scheme-object

JSON representation
{

  // Union field scheme can be only one of the following:
  "apiKeySecurityScheme": {
    object (APIKeySecurityScheme)
  },
  "httpAuthSecurityScheme": {
    object (HTTPAuthSecurityScheme)
  },
  "oauth2SecurityScheme": {
    object (OAuth2SecurityScheme)
  },
  "openIdConnectSecurityScheme": {
    object (OpenIdConnectSecurityScheme)
  },
  "mtlsSecurityScheme": {
    object (MutualTlsSecurityScheme)
  }
  // End of list of possible types for union field scheme.
}
Fields

Union field scheme.

scheme can be only one of the following:

apiKeySecurityScheme

object (APIKeySecurityScheme)

API key-based authentication.

httpAuthSecurityScheme

object (HTTPAuthSecurityScheme)

HTTP authentication (Basic, Bearer, etc.).

oauth2SecurityScheme

object (OAuth2SecurityScheme)

OAuth 2.0 authentication.

openIdConnectSecurityScheme

object (OpenIdConnectSecurityScheme)

OpenID Connect authentication.

mtlsSecurityScheme

object (MutualTlsSecurityScheme)

Mutual TLS authentication.

APIKeySecurityScheme

Defines a security scheme using an API key.

JSON representation
{
  "description": string,
  "location": string,
  "name": string
}
Fields
description

string

An optional description for the security scheme.

location

string

Required. The location of the API key. Valid values are "query", "header", or "cookie".

name

string

Required. The name of the header, query, or cookie parameter to be used.

HTTPAuthSecurityScheme

Defines a security scheme using HTTP authentication.

JSON representation
{
  "description": string,
  "scheme": string,
  "bearerFormat": string
}
Fields
description

string

An optional description for the security scheme.

scheme

string

Required. The name of the HTTP Authentication scheme to be used in the Authorization header, as defined in RFC7235 (e.g., "Bearer"). This value should be registered in the IANA Authentication Scheme registry.

bearerFormat

string

A hint to the client to identify how the bearer token is formatted (e.g., "JWT"). Primarily for documentation purposes.

OAuth2SecurityScheme

Defines a security scheme using OAuth 2.0.

JSON representation
{
  "description": string,
  "flows": {
    object (OAuthFlows)
  },
  "oauth2MetadataUrl": string
}
Fields
description

string

An optional description for the security scheme.

flows

object (OAuthFlows)

Required. An object containing configuration information for the supported OAuth 2.0 flows.

oauth2MetadataUrl

string

URL to the OAuth2 authorization server metadata (RFC 8414). TLS is required.

OAuthFlows

Defines the configuration for the supported OAuth 2.0 flows.

JSON representation
{

  // Union field flow can be only one of the following:
  "authorizationCode": {
    object (AuthorizationCodeOAuthFlow)
  },
  "clientCredentials": {
    object (ClientCredentialsOAuthFlow)
  },
  "implicit": {
    object (ImplicitOAuthFlow)
  },
  "password": {
    object (PasswordOAuthFlow)
  },
  "deviceCode": {
    object (DeviceCodeOAuthFlow)
  }
  // End of list of possible types for union field flow.
}
Fields

Union field flow.

flow can be only one of the following:

authorizationCode

object (AuthorizationCodeOAuthFlow)

Configuration for the OAuth Authorization Code flow.

clientCredentials

object (ClientCredentialsOAuthFlow)

Configuration for the OAuth Client Credentials flow.

implicit
(deprecated)

object (ImplicitOAuthFlow)

Deprecated: Use Authorization Code + PKCE instead.

password
(deprecated)

object (PasswordOAuthFlow)

Deprecated: Use Authorization Code + PKCE or Device Code.

deviceCode

object (DeviceCodeOAuthFlow)

Configuration for the OAuth Device Code flow.

AuthorizationCodeOAuthFlow

Defines configuration details for the OAuth 2.0 Authorization Code flow.

JSON representation
{
  "authorizationUrl": string,
  "tokenUrl": string,
  "refreshUrl": string,
  "scopes": {
    string: string,
    ...
  },
  "pkceRequired": boolean
}
Fields
authorizationUrl

string

Required. The authorization URL to be used for this flow.

tokenUrl

string

Required. The token URL to be used for this flow.

refreshUrl

string

The URL to be used for obtaining refresh tokens.

scopes

map (key: string, value: string)

Required. The available scopes for the OAuth2 security scheme.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

pkceRequired

boolean

Indicates if PKCE (RFC 7636) is required for this flow. PKCE should always be used for public clients and is recommended for all clients.

ClientCredentialsOAuthFlow

Defines configuration details for the OAuth 2.0 Client Credentials flow.

JSON representation
{
  "tokenUrl": string,
  "refreshUrl": string,
  "scopes": {
    string: string,
    ...
  }
}
Fields
tokenUrl

string

Required. The token URL to be used for this flow.

refreshUrl

string

The URL to be used for obtaining refresh tokens.

scopes

map (key: string, value: string)

Required. The available scopes for the OAuth2 security scheme.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

ImplicitOAuthFlow

Deprecated: Use Authorization Code + PKCE instead.

JSON representation
{
  "authorizationUrl": string,
  "refreshUrl": string,
  "scopes": {
    string: string,
    ...
  }
}
Fields
authorizationUrl

string

The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS.

refreshUrl

string

The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS.

scopes

map (key: string, value: string)

The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

PasswordOAuthFlow

Deprecated: Use Authorization Code + PKCE or Device Code.

JSON representation
{
  "tokenUrl": string,
  "refreshUrl": string,
  "scopes": {
    string: string,
    ...
  }
}
Fields
tokenUrl

string

The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS.

refreshUrl

string

The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS.

scopes

map (key: string, value: string)

The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

DeviceCodeOAuthFlow

Defines configuration details for the OAuth 2.0 Device Code flow (RFC 8628). This flow is designed for input-constrained devices such as IoT devices, and CLI tools where the user authenticates on a separate device.

JSON representation
{
  "deviceAuthorizationUrl": string,
  "tokenUrl": string,
  "refreshUrl": string,
  "scopes": {
    string: string,
    ...
  }
}
Fields
deviceAuthorizationUrl

string

Required. The device authorization endpoint URL.

tokenUrl

string

Required. The token URL to be used for this flow.

refreshUrl

string

The URL to be used for obtaining refresh tokens.

scopes

map (key: string, value: string)

Required. The available scopes for the OAuth2 security scheme.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

OpenIdConnectSecurityScheme

Defines a security scheme using OpenID Connect.

JSON representation
{
  "description": string,
  "openIdConnectUrl": string
}
Fields
description

string

An optional description for the security scheme.

openIdConnectUrl

string

Required. The OpenID Connect Discovery URL for the OIDC provider's metadata.

MutualTlsSecurityScheme

Defines a security scheme using mTLS authentication.

JSON representation
{
  "description": string
}
Fields
description

string

An optional description for the security scheme.

SecurityRequirement

Defines the security requirements for an agent.

JSON representation
{
  "schemes": {
    string: {
      object (StringList)
    },
    ...
  }
}
Fields
schemes

map (key: string, value: object (StringList))

A map of security schemes to the required scopes.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

StringList

A list of strings.

JSON representation
{
  "list": [
    string
  ]
}
Fields
list[]

string

The individual string values.
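
The constraints stated in the field descriptions above (HTTPS interface URLs, TLS on OAuth endpoints, deprecated implicit and password flows, PKCE, security requirements that name a scheme) can be checked mechanically on a fetched card. The linter below is an added example, not part of this API or its client libraries; the function names and the sample card are constructed, and it assumes, as in OpenAPI, that keys of `schemes` refer to keys of `securitySchemes`.

```python
from urllib.parse import urlsplit

def is_https(url):
    """True for an absolute https:// URL that has a host."""
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)

def lint_agent_card(card):
    """Return a list of findings (strings) for one parsed agent card."""
    out = []
    for i, iface in enumerate(card.get("supportedInterfaces", [])):
        if not is_https(iface.get("url")):
            out.append(f"supportedInterfaces[{i}].url: not absolute HTTPS")
    schemes = card.get("securitySchemes", {})
    for name, scheme in schemes.items():
        oauth = scheme.get("oauth2SecurityScheme") or {}
        meta = oauth.get("oauth2MetadataUrl")
        if meta and not is_https(meta):
            out.append(f"{name}.oauth2MetadataUrl: TLS is required")
        for flow, cfg in oauth.get("flows", {}).items():
            if flow in ("implicit", "password"):
                out.append(f"{name}.flows.{flow}: deprecated flow")
            if flow == "authorizationCode" and not cfg.get("pkceRequired"):
                out.append(f"{name}.flows.{flow}: pkceRequired is not set")
            for key, value in cfg.items():
                if key.endswith("Url") and not is_https(value):
                    out.append(f"{name}.flows.{flow}.{key}: not HTTPS")
    # Assumption (OpenAPI semantics): requirement keys name securitySchemes entries.
    reqs = [("card", r) for r in card.get("securityRequirements", [])]
    for skill in card.get("skills", []):
        reqs += [(f"skill {skill.get('id')}", r) for r in skill.get("securityRequirements", [])]
    for where, req in reqs:
        for ref in req.get("schemes", {}):
            if ref not in schemes:
                out.append(f"{where}: requirement references undefined scheme '{ref}'")
    return out

# Constructed sample card (not real data): plain-HTTP interface, no PKCE,
# and a skill requirement that names a scheme the card never defines.
SAMPLE_CARD = {
    "supportedInterfaces": [{"url": "http://agent.example.com/a2a", "protocolBinding": "JSONRPC"}],
    "securitySchemes": {"corp": {"oauth2SecurityScheme": {"flows": {
        "authorizationCode": {"authorizationUrl": "https://idp.example.com/auth",
                              "tokenUrl": "https://idp.example.com/token",
                              "scopes": {"recipes.read": "Read recipes"}}}}}},
    "securityRequirements": [{"schemes": {"corp": {"list": ["recipes.read"]}}}],
    "skills": [{"id": "plan", "securityRequirements": [{"schemes": {"legacy": {"list": []}}}]}],
}
```
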

AgentSkill

Represents a distinct capability or function that an agent can perform.

JSON representation
{
  "id": string,
  "name": string,
  "description": string,
  "tags": [
    string
  ],
  "examples": [
    string
  ],
  "inputModes": [
    string
  ],
  "outputModes": [
    string
  ],
  "securityRequirements": [
    {
      object (SecurityRequirement)
    }
  ]
}
Fields
id

string

Required. A unique identifier for the agent's skill.

name

string

Required. A human-readable name for the skill.

description

string

Required. A detailed description of the skill.

tags[]

string

Required. A set of keywords describing the skill's capabilities.

examples[]

string

Example prompts or scenarios that this skill can handle.

inputModes[]

string

The set of supported input media types for this skill, overriding the agent's defaults.

outputModes[]

string

The set of supported output media types for this skill, overriding the agent's defaults.

securityRequirements[]

object (SecurityRequirement)

Security schemes necessary for this skill.

AgentCardSignature

AgentCardSignature represents a JWS signature of an AgentCard. This follows the JSON format of an RFC 7515 JSON Web Signature (JWS).

JSON representation
{
  "protected": string,
  "signature": string,
  "header": {
    object
  }
}
Fields
protected

string

Required. The protected JWS header for the signature. This is always a base64url-encoded JSON object.

signature

string

Required. The computed signature, base64url-encoded.

header

object (Struct format)

The unprotected JWS header values.
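
Before a key is selected for verification, a consumer can reject malformed or downgraded `signatures[]` entries from the headers alone. The pre-check below is an added example, not part of this API: it applies RFC 7515 header rules to the three fields above and does not perform the cryptographic verification itself. The function names, the algorithm allow-list and the sample entries are constructed.

```python
import base64
import json

def b64url(obj):
    """Encode a JSON value the way 'protected' is encoded (no '=' padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_protected(value):
    """Decode the base64url 'protected' member back into a dict."""
    padded = value + "=" * (-len(value) % 4)  # restore stripped padding
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("not a JSON object")
    return header

def precheck_signature(sig, allowed_algs):
    """Return problems in one AgentCardSignature; empty means proceed to verify."""
    try:
        protected = decode_protected(sig.get("protected", ""))
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"protected: {exc}"]
    problems = []
    alg = protected.get("alg")
    if alg is None or alg == "none" or alg not in allowed_algs:
        problems.append(f"alg {alg!r} is not on the allow-list")
    unprotected = sig.get("header") or {}
    # RFC 7515 section 7.2.1: names in the two headers must be disjoint.
    for name in sorted(set(protected) & set(unprotected)):
        problems.append(f"header: {name!r} repeats a protected parameter")
    # RFC 7515 section 4.1.11: "crit" may only appear in the protected header.
    if "crit" in unprotected:
        problems.append("header: 'crit' must be integrity protected")
    if not sig.get("signature"):
        problems.append("signature: empty")
    return problems

# Constructed sample entries for signatures[] (not real signatures).
GOOD = {"protected": b64url({"alg": "ES256", "kid": "key-1"}), "signature": "c2ln"}
SHADOWED = dict(GOOD, header={"kid": "other-key"})
UNSIGNED = {"protected": b64url({"alg": "none"}), "signature": ""}
```
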