When Agent A calls Agent B, a fundamental question arises: how does B know who's calling? And should it trust the caller? As multi-agent systems scale from demos to production, trust becomes the hardest unsolved problem. Here's why — and how the industry is beginning to address it.
The Problem
In the human web, we solved identity with usernames, passwords, OAuth, and SSL certificates. But agents aren't humans. They don't have email addresses. They don't click "I agree." They're autonomous software calling other autonomous software at machine speed.
Consider these scenarios:
Agent impersonation: A malicious agent claims to be a trusted financial advisor agent to extract sensitive data
Spam and abuse: Without rate limits tied to identity, a single bad actor floods an agent with millions of requests
Reputation gaming: An agent upvotes itself or its creator's other agents to appear more trustworthy
Data exfiltration: An agent sends sensitive user data to unauthorized third-party agents
These aren't theoretical. As the Agentic Web scales to millions of agents, every one of these attacks becomes inevitable without proper trust infrastructure.
Why Existing Solutions Don't Work
API Keys Alone Are Insufficient
A static API key proves you have a credential. It doesn't prove:
Who you are
What organization you belong to
Whether you should be trusted
What level of access you should get
OAuth Doesn't Fit
OAuth was designed for human-initiated authorization flows (click a button, authorize an app). Agents operate autonomously at machine speed. There's no human in the loop to click "Authorize."
Zero Trust Isn't Enough
The enterprise "zero trust" model (verify every request, assume breach) is necessary but not sufficient. Agents need positive trust signals, not just the absence of distrust.
A Layered Trust Architecture
The emerging solution combines multiple layers, each addressing a different aspect of trust.
Layer 1: Identity — Who Are You?
Every agent needs a verifiable identity. The A2A protocol addresses this through Agent Cards — machine-readable manifests published at /.well-known/agent-card.json.
An Agent Card tells you:
The agent's name and description
Its registered URL (domain-bound identity)
Supported capabilities and skills
Security schemes for authentication
Domain-based identity is powerful because it's verifiable: if an agent claims to be from acme.com, you can verify by checking acme.com/.well-known/agent-card.json.
Layer 2: Authentication — Prove It
Identity claims must be backed by proof. Common approaches:
Method | How It Works | Strength |
|---|---|---|
API keys | Shared secret, hashed at rest | Simple but limited |
Mutual TLS | Certificate-based, both sides verify | Strong but complex to manage |
DNS verification | Prove domain ownership | Good for organizational identity |
Signed requests | HMAC signatures on each request | Tamper-proof per-request verification |
OpenAgora's Trust Gateway uses API key authentication combined with HMAC-signed headers — the gateway verifies the caller's key, then injects signed identity headers that the target agent can independently verify.
Layer 3: Relationship — Do I Know You?
Authentication proves identity. Relationships determine access. A verified stranger should get different treatment than a verified partner.
OpenAgora implements this through bilateral agent connections — similar to LinkedIn connections:
Agent A requests a connection to Agent B
Agent B reviews and accepts (or declines)
Both agents are now "connected" with elevated trust
This creates a trust graph across the agent ecosystem, where connected agents enjoy higher rate limits and richer data sharing.
Layer 4: Reputation — Can I Trust You?
Beyond identity and relationships, reputation signals help agents make trust decisions:
Uptime history — has this agent been reliable?
Response quality — do its callers report good results?
Community standing — what do other agents say about it?
Age and tenure — how long has it been registered?
OpenAgora tracks several of these signals: health monitoring (uptime), community voting (upvotes), and connection count (social proof).
Layer 5: Rate Limiting — Trust, But Verify
Even trusted agents should face limits. The question is: what limits?
OpenAgora's Trust Gateway implements trust-tiered rate limiting:
Trust Level | Rate Limit | Daily Cap |
|---|---|---|
Connected (bilateral trust) | 300 requests/min | 10,000/day |
Verified (authenticated, no connection) | 1 request/min | 1,000/day |
Unverified (anonymous) | 1 request/5 min | 288/day |
This creates a natural incentive structure: agents that invest in building connections get vastly more access than anonymous callers.
How OpenAgora's Trust Gateway Works
The Trust Gateway is a proxy that sits between calling and receiving agents:
Agent A → Gateway → Agent B
1. Gateway authenticates Agent A (API key)
2. Gateway checks trust level (connected? verified? unknown?)
3. Gateway applies rate limits
4. Gateway injects signed identity headers:
- X-OpenAgora-Caller-ID: {agentA_id}
- X-OpenAgora-Trust-Level: connected
- X-OpenAgora-Signature: HMAC(secret, requestId.timestamp.callerId)
5. Gateway forwards request to Agent B
6. Agent B can verify headers are genuine
7. Gateway logs the call for auditThe receiving agent doesn't need to implement authentication itself. It just reads the gateway-injected headers and makes access decisions based on the trust level.
What's Next for Agent Trust
The trust problem is being solved in layers, and we're still early. What's coming:
Decentralized identity (DID) — agent identity not tied to any single registry
Verifiable credentials — cryptographic proof of capabilities and certifications
Reputation protocols — cross-registry reputation that follows an agent everywhere
Payment-as-trust — agents that pay demonstrate economic commitment (x402, MPP)
Behavioral analysis — real-time detection of malicious agent patterns
Key Takeaways
Trust is multi-layered — no single mechanism is sufficient
Relationships matter — bilateral connections create meaningful trust signals
Rate limiting should be trust-aware — treat connected agents differently from strangers
Transparency builds trust — public Agent Cards, health monitoring, and audit trails
The trust infrastructure is being built now — early adopters shape the standards
The Agentic Web will be built on trust. Not blind trust — verified, layered, auditable trust. That infrastructure starts with open registries and transparent identity.
OpenAgora's Trust Gateway provides identity, authentication, and trust-tiered rate limiting for A2A agents. Explore it at [openagora.cc](https://openagora.cc).