Software-as-a-service (SaaS) is evolving into Agents-as-a-service (AaaS).
Instead of isolated applications, developers are creating AI agents that interoperate using standardized open protocols such as the Agent2Agent (A2A) protocol and can be orchestrated through centralized agent platforms like Gemini Enterprise Agent Platform.
When building for your specific use case, we believe the goal should always be to engineer high-quality agents that combine autonomy with the ability to reliably execute complex, multi-step workflows that deliver clear business value. For agent builders and developers looking to publish and commercialize these high-impact, third-party agents through Google Cloud Marketplace and to deploy them to the Gemini Enterprise app, this guide provides a step-by-step path to a fully integrated, marketplace-ready solution.
Step 1: Design your agent architecture for integration with Marketplace
The end-state architecture bridges Google Cloud Marketplace billing, identity provider (IdP) security, and Gemini Enterprise Agent Platform.
Here’s an overview of these architectural elements:
-
Customer project: Where users discover agents via the dedicated Agent Marketplace category within Google Cloud Marketplace and interact with these agents through the Gemini Enterprise app.
-
Partner project: Hosts your agent as well as the marketplace handler, which handles the logic for procurement, and Dynamic Client Registration (DCR) for authorization.
-
Partner Marketplace project: Manages the Partner Procurement API and Pub/Sub topics for Marketplace events like account creation or entitlement approvals.
Step 2: Review the organizational requirements to sell on Marketplace
-
Join the Google Cloud Partner Network: If you're new to offering your solutions on Marketplace, join the Google Cloud Partner Network.
-
Review Agent-as-a-Service listing requirements. Verify that your organization meets the requirements to list your solutions on Marketplace.
-
Marketplace Vendor Agreement: Review and accept the Marketplace Vendor Agreement (MVA).
-
Nominate your agent for Google Cloud Marketplace by contacting your Google Cloud representative.
All agents listed on Marketplace must comply with the above standard requirements plus several agent-specific mandates:
-
Define your agent use case: We recommend defining specific, agentic use cases targeting high-value enterprise functions designed to solve tangible pain points and scale across multiple enterprise customers.
-
A2A protocol adherence: Agents must comply with the A2A protocol specifications for interoperability. This can include the A2UI protocol which enables your agents to generate rich, interactive user interfaces.
-
A2A Agent Card: Create an Agent Card, a JSON file declaring capabilities (skills), authentication methods, and service endpoints.
-
Authentication: Agents must support public access or OAuth 2.0 Authorization Code Grant Flow.
-
Marketplace integration: Mandatory integration with Procurement APIs and Pub/Sub for entitlement lifecycle management.
Step 3: Review the technical requirements for your agent to be compatible with Marketplace and the Gemini Enterprise app
A2A protocol
When designing and implementing your agent, ensure you follow the A2A protocol documentation. This will guide you on choices for interaction patterns (e.g., streaming or asynchronous tasks) that your agent can provide and can include incorporating an interactive UI experience using the A2UI protocol. Using A2UI allows you to leverage the latest and greatest UX controls available—such as advanced, dynamic charts and modern interaction models. By utilizing these native user controls, you ensure your agent doesn't just function reliably, but looks, feels, and operates with a premium sense of "pride in craft" inside the Gemini Enterprise app.
A2A agent card
To list your Agent-as-a-Service product on the Marketplace, you must provide an A2A Agent Card for your agent. The Agent Card is a JSON file declaring the agent's capabilities (skills), supported authentication & authorization methods, and service endpoints.
The Gemini Enterprise app relies on your Agent Card to:
-
Display your agent name, description, and other necessary metadata.
-
Locate endpoints for Dynamic Client Registration (if supported).
-
Discover agent entry points for sending messages or getting task execution status updates.
-
Determine the required authentication/authorization methods.
Here is an example Agent Card with definition below.
- $AGENT_APP_URL - A required field representing the base URL endpoint where the A2A agent can be reached. All API calls to the agent will use this as the base path.
- $AGENT_PROVIDER_ORGANIZATION - A required field representing the agent provider's organization.
- $AGENT_PROVIDER_URL - A required field representing the agent provider's website or relevant documentation.
- $AGENT_DCR_URL - A required field if the agent implements Dynamic Client Registration (DCR).
- $AGENT_ICON_URL - An optional field providing a URL to an image file to be used as an icon for the agent. If provided, it will be displayed in the Gemini Enterprise app.
- $AUTH_SCOPE - An array of strings listing the scope names required for the client to access the agent's operations.
- $AUTH_SCOPE_DESCRIPTION - Scope description. Example: "Permission to retrieve email address of the user.”
- $AUTHZ_URL - A required part of the OAuth2 security scheme definition for the Authorization Code flow. It specifies the URL of the authorization server's endpoint used to obtain an authorization code from the resource owner. This follows the OpenAPI Specification.
- $TOKEN_URL, $REFRESH_URL - URLs for the client to exchange the authorization code for an access token and a refresh token (can be the same).
Authentication and authorization
Implement authentication and authorization for your agent according to the A2A protocol. To allow the Gemini Enterprise app to call your agent, you must establish one of these two methods for your agents:
-
Public Access: No authentication required. Suitable only for agents that do not access any user data or sensitive resources.
-
OAuth 2.0 Authorization Code Grant Flow: This is the standard flow for delegated user authorization. Users will be prompted to authorize your agent to access their data or act on their behalf.
Dynamic Client Registration (DCR)
Traditionally, connecting a third-party app to an enterprise system required manual copying of Client IDs and secrets. DCR eliminates this by allowing Gemini Enterprise to programmatically register itself as an OAuth client with your agent's authorization server.
How the DCR Flow Works:
-
Discovery: The Gemini Enterprise app reads your Agent Card to find the DCR endpoint.
-
Request: Google sends an HTTP POST to your endpoint containing a software_statement which is a cryptographically signed JSON Web Token (JWT).
-
Validation: Your backend verifies the JWT signature using Google's public keys to ensure the request is authentic.
-
Provisioning: Upon success, your server creates a new OpenID Connect (OIDC) application in your identity provider (e.g., Okta) and returns the client_id and client_secret to Gemini Enterprise.
Note: Validating the JWT ensures the request is from Google, but you must cross-reference the google.order ID against your database to ensure the user has actually paid.
Step 4: Publish your agent listing on Marketplace
Once you’ve built your agents, you will need to publish and offer them on Google Cloud Marketplace. This is where you describe your agent and define availability and pricing models. The seller journey begins in the Producer Portal accessible through Google Cloud Console:
-
Select Solution Type: Choose "AI Agent as a Service" as the product type in the Producer portal.
-
Upload Agent Card: Provide the Agent Card JSON file via a Google Cloud Storage (GCS) bucket.
-
Availability: Decide whether the AI agent listing can be purchased through publicly available pricing (self-service) or available via private offer only.
-
Pricing: Create your pricing plan and choose the pricing model you want to use to monetize the agent through Marketplace.
-
Technical Integration: Configure the backend procurement. No frontend integration is required for this solution type.
-
Validation and End-to-End testing: Google Cloud reviews the agent's functionality, security, and pricing model before it is published to the catalog.
-
Publish: Agent is now successfully published and available in Google Cloud Marketplace.
Step 5: Managing transactions and registrations in Marketplace and the Gemini Enterprise App
There are distinct phases to the procurement and registration lifecycle of agents on Google Cloud Marketplace and the Gemini Enterprise app, which is critical for establishing strict enterprise governance, preventing shadow IT, and ensuring seamless compliance across the organization. A secured chain of custody is managed across three key personas: the Billing Administrator, who maintains financial oversight by controlling procurement and spending on Google Cloud Marketplace; the Discovery Engine Administrator, who acts as the technical gatekeeper by securely registering verified agents and determining organizational access in Gemini Enterprise; and the Discovery Engine User, who can safely leverage the agent's full capabilities within their Gemini Enterprise app only after completing proper identity authorization.
1. Procurement Flow - Async (Google Cloud Marketplace)
Once listed, the backend procurement sequence follows these steps:
-
Trigger: A customer with Billing Administrator privileges clicks "Subscribe" (for self-serve listings) or accepts a "Private Offer" (for tailored private offer only listings).
-
Notification: Google sends a Pub/Sub notification to your environment.
-
Approval and storage: Your integrated marketplace handler approves the account and the entitlement via the Partner Procurement API.
-
Activation: The handler records the transaction by storing the unique Order ID in a database like Firestore, instantly activating the subscription or offer for the customer.
As shown above, the Billing Administrator executes a one-click subscription to activate the Lovable Agent free plan alongside their already active SaaS subscription procured through Cloud Marketplace.
2. Registration flow - sync (Gemini Enterprise)
After successful procurement, the customer's administrator links the purchase to their actual Gemini Enterprise app environment:
-
Redirect to Gemini Enterprise: The Discovery Engine Administrator will see a "Go to Gemini Enterprise" option directly on the procured Marketplace listing.
-
Project Verification: Clicking this prompts the administrator to log into the Google Cloud project where their Gemini Enterprise licenses are allocated. Note that the customer must ensure this destination Google Cloud project is actively linked to the specific billing account used during procurement.
-
DCR Handshake: The Discovery Engine Administrator configures the agent within the Gemini Enterprise app. At this point, your Dynamic Client Registration (DCR) logic validates the incoming JWT's Order ID against your Firestore records. If the IDs match, the secure registration completes successfully.
-
Agent successfully Registered: Agent is now successfully registered in Gemini Enterprise. Discovery Engine Administrator can now decide whom to give access to the agent.
Following procurement, the Discovery Engine Administrator registers the Lovable Agent into the Gemini Enterprise app to make it available to authorized users across an organization.
3. End-User Activation Flow (Gemini Enterprise)
Once the agent is securely registered, it becomes discoverable to your target enterprise users:
-
Gemini Enterprise in-app agent discovery and requests: End users have the ability to browse and directly request access to any available partner-built agent from Cloud Marketplace within the Agent Gallery in the Gemini Enterprise app. When a request is submitted, the Discovery Engine Administrator can review the request and coordinate directly with the organization’s Billing Administrator to procure the agent through Google Cloud Marketplace, and, if already procured and registered, can give access to the end user.
-
Access: Once access is given to the agent, any end user with an active Gemini Enterprise app account and Discovery Engine User role and license will be able to invoke the agent within their Gemini Enterprise app.
-
Authorization: Upon the first interaction, the user will be prompted to complete an OAuth authorization by inputting their partner-system username and password. Once authenticated, they can seamlessly leverage the agent's full capabilities from the Gemini Enterprise app chat interface.
An end user seamlessly invokes the Lovable Agent inside the Gemini Enterprise app, completes the one-time partner authorization prompt, and initiates a live conversational task workflow.
An end user requests access to Atlassian Rovo, another agent available from Marketplace, directly from the Agent Gallery in the Gemini Enterprise app. In this demo scenario, the agent has already been procured from Marketplace, allowing the Discovery Engine Administrator to verify, integrate, and instantly grant access.
Get started
Building agents for Gemini Enterprise and Google Cloud Marketplace as an AI Agent-as-a-Service solution provides a path to extend your reach and to get your agent into the daily workflow of millions of enterprise users.
We encourage you to start building today using tools like the Agent Development Kit (ADK) and to learn more about how you can accelerate your growth in the era of the agentic enterprise with Google Cloud Marketplace.
For any assistance, you can contact Google Cloud Marketplace support team.
1 hour ago
4