A2A client (calling remote agents)
A NAT workflow can call other agents over the A2A protocol by
adding an authenticated_a2a_client entry under function_groups. The remote agent appears as
a tool the orchestrator can invoke, just like MCP tools or local functions.
function_groups:
remote_agent:
_type: authenticated_a2a_client
url: "https://app.datarobot.com/api/v2/deployments/<deployment-id>/directAccess/a2a/"
auth_provider: datarobot_auth
workflow:
_type: langgraph_agent
llm_name: datarobot_llm
tool_names:
- remote_agent # ← the orchestrator can now call this agent
authentication:
datarobot_auth:
_type: datarobot_api_key
The function group handles agent card discovery, authentication for both the discovery and RPC
phases, and SSE streaming, all driven by workflow.yaml.
For details on which auth providers are available and how to configure them (DataRobot API key, Okta XAA), see a2a-auth.md.
Agent card resolution
Before the first RPC call, the client must obtain the remote agent's agent card — a JSON document describing the agent's capabilities and authentication requirements. There are two mutually exclusive ways to obtain it.
Direct fetch (url)
This is the simplest setup — use it when the card endpoint is directly reachable with the same credentials used for RPC calls.
In a direct fetch, the client fetches the card from {url}/.well-known/agent-card.json. The auth_provider is used
for both the card fetch and subsequent RPC calls.
function_groups:
remote_agent:
_type: authenticated_a2a_client
url: "https://app.datarobot.com/api/v2/deployments/<deployment-id>/directAccess/a2a/"
auth_provider: datarobot_auth
Central registry (registry)
In DataRobot deployments, the agent card endpoint is protected by per-agent AuthN/AuthZ. However, the
card itself describes how to authenticate, creating a chicken-and-egg problem. The central
agent card registry solves this by exposing all agent cards in the tenant at a single endpoint
that requires only a standard DATAROBOT_API_TOKEN.
Lookup by deployment ID:
function_groups:
remote_agent:
_type: authenticated_a2a_client
registry:
deployment_id: "64a1b2c3d4e5f6a7b8c9d0e1"
auth_provider: okta_auth
Lookup by external ID (when the remote agent sets general.front_end.a2a.external.id):
function_groups:
remote_agent:
_type: authenticated_a2a_client
registry:
external_id: "my-remote-agent"
auth_provider: okta_auth
[!NOTE] When using the registry the RPC base URL is derived from the card's advertised
url— you do not need to specify it.
Batch fetching
When a workflow has many registry-backed function groups, all cards are resolved in a maximum of two HTTP calls: one for deployment IDs, one for external IDs. Results are cached in-memory and reused until the TTL expires.
Registry environment variables
| Variable | Required | Description |
|---|---|---|
DATAROBOT_API_TOKEN |
Yes | DataRobot API token for registry authentication. |
DATAROBOT_ENDPOINT |
Yes | DataRobot API base URL, e.g. https://app.datarobot.com/api/v2. |
AGENT_CARD_REGISTRY_CACHE_TTL |
No | Cache TTL in seconds. Default 86400 (24 h). Set to 0 to disable caching. |
AGENT_CARD_REGISTRY_TIMEOUT |
No | HTTP timeout in seconds for registry requests. Default 30. |
AGENT_CARD_REGISTRY_ON_DUPLICATE |
No | Strategy when multiple cards share the same external ID: first keeps the earliest registered card, last keeps the most recently registered card, error raises an exception. Default: first. |
Variables are loaded via DataRobotAppFrameworkBaseSettings, which supports env vars, .env
files, file secrets, Runtime Parameters, and Pulumi config.
Configuration reference
authenticated_a2a_client function group
| Field | Default | Description |
|---|---|---|
url |
— | Base URL for direct card fetch. Mutually exclusive with registry. |
registry |
— | Registry lookup block. Mutually exclusive with url. |
auth_provider |
None |
Name of an authentication entry for A2A RPC calls. |
agent_card_path |
/.well-known/agent-card.json |
Card path for direct fetch — ignored when using registry. |
registry block
Exactly one field must be set.
| Field | Description |
|---|---|
deployment_id |
DataRobot deployment ID. |
external_id |
External agent catalogue identifier. |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
RuntimeError: Failed to fetch agent card from … |
Direct-fetch URL unreachable or auth failed. | Verify url and auth_provider configuration. |
AgentCardRegistryError: DataRobot API token is required |
DATAROBOT_API_TOKEN not set. |
Export the variable or add it to .env. |
AgentCardRegistryError: DataRobot API endpoint is required |
DATAROBOT_ENDPOINT not set. |
Export the variable or add it to .env. |
AgentCardRegistryError: … HTTP 401 |
Token invalid or expired. | Regenerate your API token in the DataRobot console. |
AgentCardRegistryError: No agent card found … |
Deployment not in the registry. | Confirm the deployment has an A2A agent card published. |
ValueError: … 'url' … or 'registry' …, not both |
Both fields set. | Remove one — they are mutually exclusive. |
| Stale card after redeployment | Cache TTL has not expired. | Set AGENT_CARD_REGISTRY_CACHE_TTL=0 or wait for TTL to elapse. |