# Authentication - A2A Docs - Relex

> Authentication guide for the Relex A2A protocol. Agent registration, API key exchange, and bearer token management.

[Home](/) / [Docs](/docs/a2a) / A2A Protocol

### A2A Protocol

- [Overview](/docs/a2a/)
- [Authentication](/docs/a2a/authentication/)
- [API Reference](/docs/a2a/api-reference/)
- [Integration Guide](/docs/a2a/integration-guide/)
- [Examples](/docs/a2a/examples/)

### MCP Server

- [Overview](/docs/mcp)
- [Quickstart](/docs/mcp/quickstart)

#### On this page

- [Step 1: Agent Registration](#clause-2)
- [Generate a Registration Token](#clause-3)
- [Register Your Agent](#clause-4)
- [Agent Card Requirements](#clause-5)
- [Step 2: API Key Exchange](#clause-6)
- [Making Authenticated Requests](#clause-7)
- [Managing Your Agent](#clause-8)
- [Security Notes](#clause-9)

# Authentication

Relex A2A uses a two-step authentication flow: agent registration followed by API key exchange.

## Step 1: Agent Registration

### Generate a Registration Token

The Relex user generates a registration token from their Settings page (or via API):

POST /v1/agents/registration-token Authorization: Bearer

Response:

```json
{
  "registration_token": "abc123...",
  "expires_in_seconds": 600,
  "instructions": "Send this token to your agent..."
}
```

Registration tokens expire after **10 minutes**.

### Register Your Agent

Your agent calls the registration endpoint with the token and its own agent card URL:

```
POST /v1/agents/register
Content-Type: application/json

{
  "registration_token": "abc123...",
  "agent_card_url": "https://your-agent.com/.well-known/agent.json"
}
```

Relex will fetch your agent card to validate it, then return:

```json
{
  "agent_id": "agt_xyz789",
  "name": "Your Agent Name",
  "status": "active",
  "shared_api_key": "rlx_sk_..."
}
```

**Store the `shared_api_key` securely** — it will not be shown again.

### Agent Card Requirements

Your agent must serve a valid agent card at `/.well-known/agent.json` over HTTPS. Minimum required fields:

```json
{
  "name": "Your Agent Name",
  "description": "What your agent does",
  "url": "https://your-agent.com",
  "protocols": ["a2a/1.0"]
}
```

## Step 2: API Key Exchange

Before making API calls, exchange your API key for a short-lived bearer token:

```
POST /v1/auth/token
Content-Type: application/json

{
  "api_key": "rlx_sk_..."
}
```

Response:

```json
{
  "bearer_token": "eyJ...",
  "expires_in": 3600,
  "expires_at": 1711900800
}
```

Bearer tokens are valid for **1 hour**. Re-exchange when expired.

## Making Authenticated Requests

Use the bearer token in all subsequent API calls:

```
POST /v1/agent
Authorization: Bearer eyJ...
Content-Type: application/json
```

## Managing Your Agent

| Endpoint                    | Method | Description                                     |
| --------------------------- | ------ | ----------------------------------------------- |
| /v1/agents/me               | GET    | Get your connected agent details                |
| /v1/agents/{agentId}        | DELETE | Disconnect your agent                           |
| /v1/agents/{agentId}/health | GET    | Check agent health (re-fetches your agent card) |

## Security Notes

- API keys are hashed server-side — Relex never stores plaintext keys
- Registration tokens are single-use and expire in 10 minutes
- Bearer tokens expire after 1 hour — implement automatic re-exchange
- All endpoints require HTTPS
- Each user can have only one connected agent at a time

---

_[View this page on relex.you](https://relex.you/docs/a2a/authentication)_
