What does this A2A agent card validator check?

This free web tool checks JSON syntax (does it parse without errors?), required fields (name, version, url, provider), and URL format validity. It can also fetch agent cards from a URL. It is good for catching typos and malformed JSON before you commit.

What does this validator NOT check?

This tool does not verify cryptographic signatures (identity), check if the card was tampered with (integrity), validate freshness or replay protection, or test if endpoints are actually reachable. For these security checks, use the CapiscIO CLI or Guard.

How do I verify agent card signatures?

Use the CapiscIO CLI: run "capiscio validate ./agent-card.json" to verify signatures automatically. The CLI checks Ed25519 signatures, JWKS key resolution, and RFC-002 compliance. Add --test-live to also test endpoint availability.

What is the difference between this web validator and the CLI?

The web validator is a quick syntax checker - no installation required, instant feedback. The CLI provides full security validation: signature verification, endpoint testing, CI/CD integration with JSON output, and proper exit codes. The CLI is what you use before deploying to production.

⚠️ Schema Only: This tool checks JSON syntax and field presence. It does not verify signatures, test endpoints, or enforce identity. For real agent security, use the CLI or Guard.

A2A Agent Card Checker (Schema Only)

Quick Check: Is Your Agent Card Valid?

Paste your JSON, check for typos and missing fields. No installation required.

For signature verification and optional live endpoint checks, use the CapiscIO CLI. For runtime identity, integrity, and freshness enforcement, use Guard.

Agent Card Input

Paste a full agent card JSON document here. To validate a card hosted online, use the Fetch from URL tab.

Ready to Validate

Paste your agent card JSON, fetch it from a URL, or upload a file to get started

What This Checks (And What It Does Not)

This Tool Checks

✓

JSON syntax: Does it parse without errors?

✓

Required fields: Is name, version, url, provider present?

✓

URL format: Are URLs syntactically valid?

✓

Optional URL fetch: If you paste a direct URL to a JSON agent card, this page can fetch it and run the same checks.

Good for: Catching typos and malformed JSON before you commit.

This Tool Does Not Check

✗

Identity (signatures): Is this agent who it claims to be?

✗

Integrity (payload hashes): Was the card tampered with?

✗

Freshness (replay protection): Is this request current?

For these: Use the CLI or Guard.

When to Use Which Tool

This page is a playground. CLI and Guard are where real security happens.

🎨

You are writing your first agent card

Use this web checker to catch syntax errors as you type. Quick feedback loop, no installation.

Pro tip: Keep this page open while you edit. Paste, check, fix, repeat.

🚀

You are about to deploy to production

Now you need the CLI. It verifies signatures, checks protocol compliance, and can optionally test live endpoints with --test-live.

Run: capiscio validate ./agent.json (add --test-live to test availability)

🛡️

You need runtime enforcement

CapiscIO Guard enforces identity, integrity, and freshness on every request. CLI validates before deploy. Guard enforces at runtime.

Python: from capiscio import SimpleGuard

⚙️

You are setting up automated testing

Use the CLI. It outputs JSON for CI/CD integration, runs headless, and provides proper exit codes for pipeline automation.

Example: capiscio validate ./agent.json --json --errors-only

Schema Is Not Security

A valid JSON structure does not mean a trustworthy agent. Here is what this tool cannot catch:

→
Signature is present but signed by the wrong key
Or expired. Or the JWKS URL is unreachable. This tool does not verify cryptographic signatures.
→
No signature at all
The card cannot prove agent identity. Treat it as unauthenticated metadata until verified by CLI or Guard.
→
Endpoint URL is valid syntax but not reachable
Firewall rules, DNS issues, SSL problems. This tool does not test live agent endpoints/availability.
→
Replayed or stale requests
Freshness checks require runtime enforcement. Only Guard can reject replays.

This is why CLI and Guard exist. Schema validation is step one. Identity, integrity, and freshness are steps two, three, and four.

Run Full Validation in CLI Secure Runtime with Guard →

Ready for Real Validation?

Schema checks pass? Now verify identity, integrity, and freshness.

Install the CLI

npm install -g capiscio

Or Python: pip install capiscio

Run full validation

capiscio validate ./agent-card.json

This verifies signatures and checks protocol compliance. Add --test-live to test availability.

Add runtime enforcement

CLI validates before deploy. Guard enforces at runtime. Same identity, integrity, freshness checks on every request.

Learn more about Guard →

Additional Installation Options

Choose your installation method:

Node.js:

npm install -g capiscio

Python:

pip install capiscio

Standalone Binary (No Dependencies):

Validate with signature verification (automatic):

capiscio validate ./agent-card.json

Test actual endpoints:

capiscio validate https://agent.example.com/agent-card.json --test-live

CI/CD integration:

capiscio validate ./agent.json --json --errors-only

Schema Checks Are Just the Start

This page confirms your JSON is valid. CLI and Guard confirm your agent is secure.

Web Checker

Schema completeness

What you just used

CLI

Identity + Integrity

Signatures, endpoints, CI/CD

Guard

+ Freshness

Runtime enforcement

Schema completeness is not a security score. It reflects field presence and JSON validity only.

Schema Passes. Now Prove Identity.

CLI validates signatures and can test endpoints (--test-live). Guard enforces identity, integrity, and freshness at runtime.

Learn About Guard →