Google AP2 Explained — Agent-to-Agent Authorization
As multi-agent systems become more common, a specific problem surfaces: how does one agent authorize another to act on its behalf, in a verifiable and scoped way? That’s the problem Google’s AP2 protocol addresses.
Here’s an honest explainer — what AP2 is, how it works, what it covers, and where it leaves off.
What Is Google AP2?
AP2 — Agent Protocol for Authorization — is Google’s proposed standard for agent-to-agent authorization delegation. It defines how an agent (or a user) can grant another agent specific, scoped permissions to act on its behalf, in a way that can be verified by third-party services.
The core problem it solves: in a multi-agent system, a sub-agent that acts on behalf of an orchestrator needs to prove to external services that it has legitimate authorization. Without a standard for this, you end up with brittle, custom solutions — shared credentials, API key delegation, or simply no authorization chain at all.
AP2 is modeled on the delegation patterns that exist in human-facing authorization (OAuth, PKCE, OIDC), but redesigned for the agent context: where the grantor may itself be an automated agent, delegations may be nested, and permissions need to be time-bounded and task-scoped.
How AP2 Works
The AP2 flow is roughly:
- Grantor (orchestrator agent or user) defines a delegation: what permissions to grant, to which agent, under what conditions
- Delegation token is issued — a signed, verifiable credential that encodes the grant
- Grantee agent presents the delegation token when acting on behalf of the grantor
- Relying party (the service being called) verifies the token chain and accepts or rejects the action
This is similar to OAuth’s code flow, but adapted for agent-native use cases: the “user” granting permissions might itself be an agent, the scope is defined per-task rather than per-application, and the delegation may be several hops deep.
A simplified trust chain:
User → grants → Orchestrator Agent
└── grants (scoped) → Research Sub-Agent
└── grants (scoped) → Writing Sub-Agent
└── grants (scoped) → Delivery Sub-Agent
Each sub-agent presents its delegation credential to external services.
External service verifies the full chain before accepting the action.The “scoped” part matters. AP2 is designed so that delegations can be narrowly defined — “you’re authorized to read documents but not delete them” — rather than handing over full credentials.
What AP2 Covers
| Capability | AP2 Status |
|---|---|
| Agent-to-agent delegation | Core use case |
| Scoped permissions per delegation | Yes |
| Verifiable credential chain | Yes |
| Time-bounded grants | Yes |
| Nested delegations (multi-hop) | Yes, within spec |
| User-to-agent authorization | Yes |
| Revocation of delegations | In spec |
AP2 handles the trust and authorization layer well. If you’re building a system where agents need to act on behalf of other agents — and those actions need to be verifiable by third parties — AP2 is the right protocol to track.
What AP2 Doesn’t Cover
AP2 is intentionally scoped to authorization. It doesn’t solve adjacent problems.
Account and identity provisioning. AP2 assumes agents already have identities. It handles how those identities delegate to each other — not how they’re created or maintained. You still need an account layer for each agent.
Payments. AP2 handles permission delegation, not payment. If an agent needs to pay for a service it’s authorized to use, AP2 doesn’t touch that transaction. The payment layer is separate.
Tool access. AP2 doesn’t provision or manage access to specific tools (search, LLM, image gen). It handles whether an agent is authorized to act — not what tools it has available.
Billing and cost attribution. No concept of IOU balances, spending limits, or per-call billing exists in AP2. That’s out of scope.
Identity persistence. AP2 delegation tokens are task-scoped and time-bounded. Persistent agent identity — an account that exists across sessions and tasks — is not what AP2 manages.
AP2 and ATXP: Different Layers
AP2 and ATXP operate at different, complementary layers of the agent stack.
| Layer | Handled By |
|---|---|
| Agent account creation and identity | ATXP |
| Agent email address | ATXP |
| Tool access (search, LLM, browse, etc.) | ATXP |
| Pay-per-use billing and IOU tokens | ATXP |
| Spending limits per agent | ATXP |
| Agent-to-agent permission delegation | AP2 |
| Verifiable authorization chains | AP2 |
| Scoped grants for external services | AP2 |
An agent built with ATXP (for identity, tools, and billing) could participate in an AP2 delegation chain (for authorization to act on behalf of another agent). The two don’t conflict — they address different problems.
The cleaner way to think about it: ATXP gives each agent the account it needs to exist and operate. AP2 defines the rules by which agents authorize each other. You need both layers for a complete multi-agent architecture.
What to watch: AP2’s adoption outside Google’s own services will determine how useful it is in practice. Authorization standards only work when the relying parties support them. Google has the distribution to drive adoption, but the ecosystem uptake is still being established.
See also: Google UCP Explained · How to build a multi-agent system with ATXP · Agent payments and identity
ATXP handles the account and billing layer every agent needs. Run npx atxp to provision an agent account in under a minute.