Update A2A docs/snippets to use `Authorization: Bearer` (drop `x-adcp-auth` references on the A2A surface)

[bokelley]

Context

adcp 4.5.0 ships per-leg BearerTokenAuth config (mcp_header_name / a2a_header_name knobs). The A2A leg now defaults to RFC 6750 Authorization: Bearer <token> — the canonical carrier a2a-sdk clients emit out of the box and the only auth header that produces a bearerAuth HTTPAuthSecurityScheme on the agent card.

Salesagent (Prebid's reference seller) just shipped the migration off the legacy x-adcp-auth header on A2A in bokelley/salesagent#194. MCP keeps x-adcp-auth for back-compat with early adopters; A2A is canonical RFC 6750 only.

Ask

Audit adcontextprotocol/adcp (spec + onboarding docs + quickstart curl/Python snippets + any agent-card examples) for places that still document x-adcp-auth as the A2A auth header, and update those references to Authorization: Bearer <token>. Examples likely to need touching:

• A2A skill payloads / curl examples
• Buyer-onboarding quickstart pages
• Agent-card example showing securitySchemes with apiKey: x-adcp-auth on A2A
• Any # Authorize via x-adcp-auth lines in code samples

MCP-side snippets stay on x-adcp-auth — that's the legacy alias the SDK still supports per-leg.

Why now

A2A clients copy-pasting the docs against an adcp 4.5.0 seller will get HTTP 401. The misleading docs are the only thing standing between buyers and a working integration on the new wire convention.

Reference

• adcp 4.5.0 BearerTokenAuth docstring: https://github.com/adcontextprotocol/adcp-client-python/blob/v4.5.0/adcp/server/auth.py (search "Canonical carrier")
• Salesagent migration PR: refactor(auth): drop BearerToAdcpAuthMiddleware shim, use adcp 4.5.0 per-leg config bokelley/salesagent#194

[bokelley]

Triage

Classification: Bug (doc correctness — causes HTTP 401 on adcp 4.5.0)
Bucket(s): web / site / docs
Status: drafting-pr

What the experts said:

• docs-expert: 3 blockers — conflation claim at authentication.mdx:131, legacy apiKey: init in a2a-guide.mdx, missing securitySchemes on agent card sample. All are copy-paste-to-401 paths.
• ad-tech-protocol-expert: per-leg split is non-breaking (A2A was always RFC 6750 on the wire; 4.5.0 made the x-adcp-auth alias MCP-only explicit). securitySchemes shape (type: "http", scheme: "bearer") is the correct A2A 1.0 OpenAPI-derived form. Migration callout needed for sellers on old a2a_header_name config.

My take: Three surgical doc errors in two files, all confirmed non-breaking fixes of already-shipped 4.5.0 behavior. Drafting PR now.

Drafting PR #4224: corrects auth header claim, updates A2AClient init snippet, adds securitySchemes/security to the agent card example.

---

Triaged by Claude Code. Session: https://claude.ai/code/session_019Syf6X1uxPcLgV9ggxixXB

---

Generated by Claude Code