The popularity of RESTful APIs within modern Web services makes API security a critical concern gradually. The mainstream tools for API discovery and vulnerability detection have effect limitations in discovering hidden or undocumented APIs due to relying on API documents or public paths for scanning， and have high false positive rates in complex or dynamic API environments. Addressing these challenges， A2A （Agent to API vulnerability detection）， an Agent system for hidden API discovery and vulnerability detection was proposed through agents communicating seamlessly via a Model Context Protocol （MCP）， so as to realize full-process automation from hidden API discovery to vulnerability detection. In A2A， adaptive enumeration and HTTP response analysis were employed to discover potential hidden API endpoints automatically， and a service-specific API fingerprint library was combined to confirm and discover hidden APIs， On API vulnerability detection， Large Language Model （LLM） and Retrieval-Augmented Generation （RAG） techniques were integrated by A2A， and high-quality test cases were generated automatically through a feedback iterative optimization mechanism， so as to verify whether the vulnerability exists. Experimental evaluation results indicate that A2A has the average API discovery rate of 91.9%， with an false discovery rate of 7.8%， and discover multiple hidden API vulnerabilities previously undetected by NAUTILUS and RESTler successfully.