Use a credential the agent never sees
AAP is the authorization face: identity (AIP) and trust (ATP, ATX) say who an agent is; AAP decides what it may do without ever handing it the credential.
Interactive lab · 5 of 5 in the family
the problem
Before the spec: the usual way
The usual way: a tool needs a database, so the connection string is placed straight into the agent's context. Now any prompt injection can read it back out.
Agent context (model-visible)
task: summarize today's orders
postgres://billing:S3cr3t@db.internal:5432/orders
a raw secret, one prompt injection from being read back out
trust boundary
Broker (operator-controlled)
no boundary: the agent holds the secret itself
Secret is currently in the agent context (exposed).
What is real here
AAP is a 0.2.0 draft; the broker and Exchange mode shown here are the v1 reference target (Level 1). The invariant on display, no credential value in the model's context, is core to the spec, not a proposed extension.
Resolve a grant with the AAP broker SDK
import { broker } from "@opena2a/aap";
// The agent only ever names what it needs; the broker resolves it.
const rows = await broker.resolve("grant://orders-db", {
  action: "db:read",
  atx: agent.credential, // verified locally, then scoped
});
// `rows` is the result. No token, host, or secret entered this context.
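The invariant described above, sketched as an added example that is not part of the original page and is not the AAP SDK: a toy broker holds the connection string, checks the requested action against the grant, and hands back only rows or a sanitized error. GRANTS, makeBroker, okBackend and failingBackend are hypothetical names, and ATX verification is left out.

```javascript
// Added illustration only: a toy in-process broker, not the @opena2a/aap SDK.
// All names (GRANTS, makeBroker, okBackend, failingBackend) are hypothetical,
// and ATX verification is omitted. Calls are synchronous to keep the sketch short.

// Operator-side state: the only place the connection string lives.
// Sample value taken from the page's "usual way" panel.
const GRANTS = {
  "grant://orders-db": {
    secret: "postgres://billing:S3cr3t@db.internal:5432/orders",
    allowed: new Set(["db:read"]),
  },
};

// Stand-ins for a database driver (constructed data).
const okBackend = (dsn) => [{ order_id: 1, total: 42 }];
// Real drivers often echo the DSN in error text, so model that failure path.
const failingBackend = (dsn) => { throw new Error(`connect failed: ${dsn}`); };

function makeBroker(grants, backend) {
  return {
    // The agent passes a grant name and an action, never a credential.
    resolve(grantUri, { action }) {
      const grant = grants[grantUri];
      if (!grant) return { ok: false, error: "unknown grant" };
      if (!grant.allowed.has(action)) return { ok: false, error: "action not permitted" };
      try {
        return { ok: true, rows: backend(grant.secret) };
      } catch (err) {
        // Do not forward err.message: it can carry the secret across the boundary.
        return { ok: false, error: "backend error" };
      }
    },
  };
}

// Everything the model could read back: the serialized broker replies.
function agentVisibleTranscript() {
  const good = makeBroker(GRANTS, okBackend);
  const bad = makeBroker(GRANTS, failingBackend);
  return JSON.stringify([
    good.resolve("grant://orders-db", { action: "db:read" }),
    good.resolve("grant://orders-db", { action: "db:write" }),
    bad.resolve("grant://orders-db", { action: "db:read" }),
  ]);
}
```

The third call is the case worth checking in a real broker: the backend error text contains the connection string, and only the generic message crosses the trust boundary.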