google
diff --git a/‎samples/python/agents/headless_agent_auth/.env.example
+16 b/‎samples/python/agents/headless_agent_auth/.env.example
+16
diff --git a/‎samples/python/agents/headless_agent_auth/README.md
+71 b/‎samples/python/agents/headless_agent_auth/README.md
+71
diff --git a/‎samples/python/agents/headless_agent_auth/__main__.py
+121 b/‎samples/python/agents/headless_agent_auth/__main__.py
+121
@@ -0,0 +1,16 @@
+# Gemini
+GOOGLE_API_KEY=
+
+# Auth0
+HR_AUTH0_DOMAIN=
+
+# A2A Client -> HR AGENT (auth method: Client Credentials)
+A2A_CLIENT_AUTH0_CLIENT_ID=
+A2A_CLIENT_AUTH0_CLIENT_SECRET=
+
+# HR AGENT -> HR API (auth method: CIBA)
+HR_AGENT_AUTH0_CLIENT_ID=
+HR_AGENT_AUTH0_CLIENT_SECRET=
+
+HR_AGENT_AUTH0_AUDIENCE=https://staff0/agent
+HR_API_AUTH0_AUDIENCE=https://staff0/api
@@ -0,0 +1,71 @@
+# Auth for Headless Agents
+
+This sample demonstrates how headless agent's tools can leverage [Auth0's Client-Initiated Backchannel Authentication (CIBA) flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow) to request user authorization via push notification and obtain tokens for accessing separate APIs.
+
+Additionally, it shows agent-level authorization via the [OAuth 2.0 Client Credentials flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow).
+
+## How It Works
+
+Allows an A2A client to securely interact with an external HR agent owned by the fictional company Staff0 to verify whether the provided user data corresponds to an active employee.
+
+With the authorization of the employee involved (via push notification), the Staff0 HR agent can access the company's internal HR API to retrieve employment details.
+
+```mermaid
+sequenceDiagram
+   participant Employee as John Doe
+   participant A2AClient as A2A Client
+   participant Auth0 as Auth0 (staff0.auth0.com)
+   participant HR_Agent as Staff0 HR Agent
+   participant HR_API as Staff0 HR API
+
+   A2AClient->>HR_Agent: Get A2A Agent Card
+   HR_Agent-->>A2AClient: Agent Card
+   A2AClient->>Auth0: Request access token (Client Credentials)
+   Auth0-->>A2AClient: Access Token
+   A2AClient->>HR_Agent: Does John Doe with email [email protected] work at Staff0? (Access Token)
+   HR_Agent->>Auth0: Request access token (CIBA)
+   Auth0->>Employee: Push notification to approve access
+   Employee-->>Auth0: Approves access
+   Auth0-->>HR_Agent: Access Token
+   HR_Agent->>HR_API: Retrieve employment details (Access Token)
+   HR_API-->>HR_Agent: Employment details
+   HR_Agent-->>A2AClient: Yes, John Doe is an active employee.
+```
+
+## Prerequisites
+
+- Python 3.12 or higher
+- [UV](https://docs.astral.sh/uv/)
+- [Gemini API key](https://ai.google.dev/gemini-api/docs/api-key)
+- An [Auth0](https://auth0.com/) tenant with the following configuration:
+  - **APIs**
+    - HR API
+      - Audience: `https://staff0/api`
+      - Permissions: `read:employee`
+    - HR Agent
+      - Audience: `https://staff0/agent`
+      - Permissions: `read:employee_status`
+  - **Applications**
+    - A2A Client
+      - Grant Types: `Client Credentials`
+      - APIs: `HR Agent` (enabled permissions: `read:employee_status`)
+    - HR Agent
+      - Grant Types: `Client Initiated Backchannel Authentication (CIBA)`
+      - APIs: `Auth0 Management API` (enabled permissions: `read:users`)
+  - Push Notifications using [Auth0 Guardian](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian) must be `enabled`.
+  - A test user enrolled in Guardian MFA.
+
+## Running the Sample
+
+1. Create a `.env` file by copying [.env.example](.env.example), and provide the required environment variable values.
+
+2. Start HR Agent and HR API:
+
+   ```bash
+   uv run --prerelease=allow .
+   ```
+
+3. Run the test client:
+   ```bash
+   uv run --prerelease=allow test_client.py
+   ```
@@ -0,0 +1,121 @@
+import asyncio
+import click
+import json
+import logging
+import os
+import sys
+import uvicorn
+
+from dotenv import load_dotenv
+load_dotenv()
+
+from agent import HRAgent
+from agent_executor import HRAgentExecutor
+from api import hr_api
+from oauth2_middleware import OAuth2Middleware
+
+from a2a.server.apps import A2AStarletteApplication
+from a2a.server.request_handlers import DefaultRequestHandler
+from a2a.server.tasks import InMemoryTaskStore
+from a2a.types import (
+    AgentAuthentication,
+    AgentCapabilities,
+    AgentCard,
+    AgentSkill,
+    # ClientCredentialsOAuthFlow,
+    # OAuth2SecurityScheme,
+    # OAuthFlows,
+)
+
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+
+
+@click.command()
+@click.option('--host', default='0.0.0.0')
+@click.option('--port_agent', default=10050)
+@click.option('--port_api', default=10051)
+def main(host: str, port_agent: int, port_api: int):
+    async def run_all():
+        await asyncio.gather(
+            start_agent(host, port_agent),
+            start_api(host, port_api),
+        )
+
+    asyncio.run(run_all())
+
+
+async def start_agent(host: str, port):
+    agent_card = AgentCard(
+        name='Staff0 HR Agent',
+        description='This agent handles external verification requests about Staff0 employees made by third parties.',
+        url=f'http://{host}:{port}/',
+        version='0.1.0',
+        defaultInputModes=HRAgent.SUPPORTED_CONTENT_TYPES,
+        defaultOutputModes=HRAgent.SUPPORTED_CONTENT_TYPES,
+        capabilities=AgentCapabilities(streaming=True),
+        skills=[
+            AgentSkill(
+                id='is_active_employee',
+                name='Check Employment Status Tool',
+                description='Confirm whether a person is an active employee of the company.',
+                tags=['employment status'],
+                examples=[
+                    'Does John Doe with email [email protected] work at Staff0?'
+                ],
+            )
+        ],
+        authentication=AgentAuthentication(
+            schemes=['oauth2'],
+            credentials=json.dumps({
+                'tokenUrl': f'https://{os.getenv("HR_AUTH0_DOMAIN")}/oauth/token',
+                'scopes': {
+                    'read:employee_status': 'Allows confirming whether a person is an active employee of the company.'
+                }
+            }),
+        ),
+        # securitySchemes={
+        #     'oauth2_m2m_client': OAuth2SecurityScheme(
+        #         description='',
+        #         flows=OAuthFlows(
+        #             authorizationCode=ClientCredentialsOAuthFlow(
+        #                 tokenUrl=f'https://{os.getenv("HR_AUTH0_DOMAIN")}/oauth/token',
+        #                 scopes={
+        #                     'read:employee_status': 'Allows confirming whether a person is an active employee of the company.',
+        #                 },
+        #             ),
+        #         ),
+        #     ),
+        # },
+        # security=[{
+        #     'oauth2_m2m_client': [
+        #         'read:employee_status',
+        #     ],
+        # }],
+    )
+
+    request_handler = DefaultRequestHandler(
+        agent_executor=HRAgentExecutor(),
+        task_store=InMemoryTaskStore(),
+    )
+
+    server = A2AStarletteApplication(
+        agent_card=agent_card, http_handler=request_handler
+    )
+
+    app = server.build()
+    app.add_middleware(OAuth2Middleware, agent_card=agent_card, public_paths=['/.well-known/agent.json'])
+
+    logger.info(f'Starting HR Agent server on {host}:{port}')
+    await uvicorn.Server(uvicorn.Config(app=app, host=host, port=port)).serve()
+
+
+async def start_api(host: str, port):
+    logger.info(f'Starting HR API server on {host}:{port}')
+    await uvicorn.Server(uvicorn.Config(app=hr_api, host=host, port=port)).serve()
+
+
+# this ensures that `main()` runs when using `uv run .`
+if not hasattr(sys, '_called_from_uvicorn'):
+    main()