Skip to main content
ACP authentication is negotiated during initialization. Agents advertise available authentication methods in authMethods, Clients choose one by calling authenticate, and Agents that support ending an authenticated state advertise the logout capability.

Advertising Authentication

Agents advertise authentication options in the authMethods field of the initialize response. Each method has an id that the Client passes back to the Agent in a later authenticate request. Agents that support logout also advertise capabilities.auth.logout: 
{
  "jsonrpc": "2.0",
  "id": 0,
  "result": {
    "protocolVersion": 2,
    "capabilities": {
      "auth": {
        "logout": {}
      }
    },
    "authMethods": [
      {
        "id": "agent-login",
        "name": "Agent login",
        "type": "agent",
        "description": "Sign in using the agent's login flow"
      }
    ]
  }
}
If capabilities.auth.logout is omitted or null, the Agent does not support logout and Clients MUST NOT call it. Supplying {} means the Agent supports the method.

Authentication Method Types

The standard authentication method type is agent, where the Agent handles authentication itself. Every authentication method must include a type discriminator: 
{
  "id": "agent-login",
  "name": "Agent login",
  "type": "agent",
  "description": "Sign in using the agent's login flow"
}
In v2, authentication method type values can be custom or future variants. Custom method types MUST begin with _. Unknown non-underscore method types are reserved for future ACP variants. Clients that do not understand a method type should preserve the raw method payload when storing, replaying, proxying, or forwarding initialization data, and otherwise ignore the method or display it generically. See the schema for the full stable AuthMethod definition.

Authenticating

When an Agent requires authentication before allowing session creation, the Client calls authenticate with one of the advertised authentication method IDs: 
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "authenticate",
  "params": {
    "methodId": "agent-login"
  }
}
methodId
string
required
The ID of the authentication method to use. This value must match one of the methods advertised in the initialize response.
On success, the Agent returns an empty result: 
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {}
}
After successful authentication, the Client can create new sessions without receiving an auth_required error for authentication-gated requests.

Logging Out

The logout method allows Clients to end the current authenticated state. Clients should only call it after verifying the Agent advertised capabilities.auth.logout during initialization. 
{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "logout",
  "params": {}
}
On success, the Agent returns an empty result: 
{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {}
}
After a successful logout, new sessions that require authentication will require the Client to call authenticate again.

Active Sessions

The protocol does not guarantee what happens to already-running sessions after logout. Agents may terminate them, keep them running, or return auth_required errors for future session activity. Clients SHOULD be prepared for active session operations to fail with authentication-related errors after logout and should prompt the user to authenticate again when appropriate.