All field notes

Model Context Protocol · Agent2Agent · AI architecture

MCP vs. A2A: Which Agent Protocol Do You Need?

A practical architecture guide to using MCP for tools and context, A2A for peer-agent work, and both without collapsing their trust boundaries.

Published
Updated
Reading time
7 minutes

MCP and A2A solve different connection problems.

  • Model Context Protocol (MCP) connects an AI application to tools, resources, and prompt templates.
  • Agent2Agent (A2A) connects independent agent systems that communicate, delegate stateful work, and return artifacts.

They are complementary. An A2A agent may use MCP internally to reach a database or ticket system. An MCP server does not become a peer agent merely because a model calls it.

Compare the actual responsibilities

QuestionMCPA2A
Primary relationshipHost/client to capability serverAgent client to remote agent
DiscoveryTools, resources, prompts after connectionAgent Card describing identity, skills, endpoints, and security
Unit of workTool/resource/prompt requestMessage or stateful Task
Long-running stateExperimental Tasks utility existsTask lifecycle is a core concept
DeliverableTool result or resource contentArtifact composed of typed Parts
Conversation groupingClient/session-specificcontextId groups related interactions
Transportstdio or Streamable HTTPBindings such as JSON-RPC, gRPC, and HTTP+JSON
Best fitGive an agent access to a systemDelegate work to an autonomous peer

The definitions come from the MCP server specification and the current A2A specification. Both protocols evolve, so pin the version you implement instead of relying on a vendor’s unversioned summary.

Choose MCP for capabilities inside a host

Suppose a coding assistant needs to search your issue tracker. The host wants a narrow search_issues tool, a read-only project resource, and perhaps a user-invoked triage prompt. MCP describes those primitives and lets a client discover and call them.

The MCP server should not decide the agent’s broader goal. It should enforce the issue tracker’s authentication, authorization, validation, and rate limits. The host decides whether a model sees or calls the tool.

Good MCP use cases include:

  • querying a database through a bounded semantic operation;
  • reading a versioned runbook;
  • creating a preview for a ticket or deployment;
  • exposing local filesystem operations to an IDE host; and
  • adapting an existing service into model-usable tools.

Build the server and client as separate trust boundaries.

Choose A2A for independent agents

Now suppose a customer-support agent needs a specialist logistics agent operated by another team. The logistics agent has its own model, tools, policies, deployment, and task state. The caller should not reach through that boundary to micromanage internal tools. It should ask for an outcome and receive progress and artifacts.

A2A models that interaction with several core objects:

  • an Agent Card advertises capabilities, skills, interfaces, and security schemes;
  • a Message carries communication between roles;
  • a Task represents stateful work with an ID and status;
  • an Artifact is an output produced by the agent; and
  • Parts carry text, files, or structured data within messages and artifacts.

The A2A key concepts make an important distinction: messages are communication; artifacts are the durable products of work. Do not hide a generated report in a chat-status string if a typed artifact is the real deliverable.

Good A2A use cases include:

  • delegating claims review to a specialist agent;
  • asking a remote research agent for a cited report;
  • tracking a task that waits on external systems or human input;
  • streaming progress from a long-running agent; and
  • collaborating across teams without sharing internal tool topology.

Use both in a layered architecture

A system that uses both can stay simple if ownership is explicit:

Customer-support agent
  │
  ├── MCP client ──► CRM MCP server
  │                    └── narrow customer tools
  │
  └── A2A client ──► Logistics agent
                       ├── task state and artifacts
                       └── MCP client ──► shipment MCP server

The support agent uses MCP when it owns the reasoning and needs a CRM capability. It uses A2A when the logistics agent owns an outcome. The logistics agent may use MCP privately, but its callers see its skills and task contract rather than its internal tool list.

This boundary reduces coupling. The shipment service can change tools without changing the A2A contract, and the logistics agent can change its implementation without giving the support host direct credentials.

A decision procedure that avoids protocol theater

Ask these questions in order:

1. Who owns the goal?

If the current host owns the goal and only needs an operation, use MCP or an ordinary API. If a remote system accepts and manages a delegated goal, A2A may fit.

2. Does the remote side need a task lifecycle?

If request/response is enough, do not add a state machine. If work can be submitted, run for minutes, wait for input, stream updates, or return several artifacts, A2A’s Task model is useful.

MCP also has an experimental Tasks utility for deferred results. That helps a tool call last longer; it does not by itself provide peer-agent discovery, skills, and collaboration semantics.

3. Is the remote side independently operated?

Cross-team or cross-organization ownership strengthens the case for an agent contract. Inside one codebase, a typed function, queue, or workflow engine is often easier to operate than a network agent protocol.

4. What is the smallest stable contract?

Expose a business outcome, not internal reasoning. “Produce a shipment exception report for these order IDs” is a more stable A2A skill than “call tracking, then think, then call warehouse.” For MCP, prefer get_shipment_status(order_id) over a generic HTTP proxy.

Keep authorization boundaries separate

Discovery metadata is not authorization in either protocol.

For MCP:

  • authenticate the client connection;
  • authorize every tool against the active principal and tenant;
  • do not pass server tokens through model context; and
  • isolate tool results from other connected servers.

For A2A:

  • authenticate every request using the scheme described by the Agent Card;
  • send credentials in protocol-defined HTTP headers, not inside messages;
  • authorize access to each task and artifact by the requesting principal;
  • prevent one user from guessing another user’s taskId or contextId; and
  • validate URLs and files to prevent SSRF and unsafe content handling.

The A2A specification’s security section treats Agent Cards, messages, task IDs, and push-notification endpoints as attack surfaces. A public Agent Card can help discovery, but it should not contain secrets.

Version and compatibility strategy

Both sides should make supported versions explicit.

MCP negotiates a protocol version during initialization. A client and server must finish that lifecycle before ordinary operations. A2A uses a version header and versioned interface expectations; the current specification recommends major/minor compatibility rules.

In production:

  1. pin the spec and SDK versions in source control;
  2. run contract tests against every supported peer;
  3. reject unknown major versions;
  4. tolerate additive optional fields within the supported rules;
  5. snapshot discovery documents and schemas; and
  6. deploy compatibility changes before enabling new features.

Do not infer support from a product name. Verify the handshake, binding, authentication scheme, and object shapes you actually use.

Common architecture mistakes

Making every function an agent

An agent protocol adds discovery, state, security, failure, and observability work. Keep deterministic internal operations as functions or services.

Exposing internal tools over A2A

This couples callers to the remote agent’s implementation and can leak privileges. Publish outcome-oriented skills and artifacts instead.

Using MCP as a job queue

If the real requirement is durable scheduling, retries, and human pauses, use a workflow system. Protocol tasks describe interactions; they do not eliminate operational state management.

Trusting discovered descriptions

Tool descriptions and Agent Cards are input supplied by another system. Pin or review them, validate URLs, and never let discovery metadata override local policy.

Forwarding entire transcripts

Share the smallest task context. Full transcripts amplify privacy exposure, prompt injection, irrelevant tokens, and cross-agent confusion.

The practical recommendation

Start with ordinary functions inside one process. Add MCP when a host needs a standard capability boundary. Add A2A when an independently owned agent needs to advertise skills and own stateful delegated work. Combine them only at a clean layer boundary.

That yields an architecture you can explain in terms of ownership, identity, state, and artifacts—not simply the number of agent acronyms it uses.

Sources and freshness notes

This comparison was checked on July 18, 2026 against the MCP 2025-11-25 specification, the MCP lifecycle, the current A2A specification, and A2A discovery guidance. Recheck both specifications before implementing version negotiation or experimental task features.