diff --git a/.github/workflows/run-tck-1.0-wip.yml b/.github/workflows/run-tck-1.0-wip.yml
index b29c78c2c..cf03e8739 100644
--- a/.github/workflows/run-tck-1.0-wip.yml
+++ b/.github/workflows/run-tck-1.0-wip.yml
@@ -5,15 +5,15 @@ on:
   push:
     branches:
       - main
-  #pull_request:
-  #  branches:
-  #     - main
+  pull_request:
+    branches:
+       - main
   workflow_dispatch:
 
 env:
   # TODO this is currently running the TCK off the main branch which included changes needed for 0.4.0
   # Tag/branch of the TCK
-  TCK_VERSION: spec_1.0
+  TCK_VERSION: extended_security_tests
   # Tell the TCK runner to report failure if the quality tests fail
   A2A_TCK_FAIL_ON_QUALITY: 1
   # Tell the TCK runner to report failure if the features tests fail
@@ -42,7 +42,7 @@ jobs:
       - name: Checkout a2a-tck
         uses: actions/checkout@v4
         with:
-          repository: a2aproject/a2a-tck
+          repository: jmesnil/a2a-tck
           path: tck/a2a-tck
           ref: ${{ env.TCK_VERSION }}
       - name: Set up JDK ${{ matrix.java-version }}
@@ -64,8 +64,12 @@ jobs:
         working-directory: tck/a2a-tck
       - name: Build with Maven, skipping tests
         run: mvn -B install -DskipTests
+      - name: Generate random password
+        run: |
+          A2A_PASSWORD=$(openssl rand -base64 16)
+          echo "A2A_PASSWORD=$A2A_PASSWORD" >> $GITHUB_ENV
       - name: Start SUT
-        run: SUT_GRPC_URL=${{ env.SUT_JSONRPC_URL }} SUT_REST_URL=${{ env.SUT_JSONRPC_URL }} mvn -B quarkus:dev & #SUT_JSONRPC_URL already set
+        run: SUT_GRPC_URL=${{ env.SUT_JSONRPC_URL }} SUT_REST_URL=${{ env.SUT_JSONRPC_URL }} mvn -B quarkus:dev -Dquarkus.security.users.embedded.users.alice=${A2A_PASSWORD} &
         working-directory: tck
       - name: Wait for SUT to start
         run: |
@@ -101,12 +105,16 @@ jobs:
             sleep "$RETRY_INTERVAL"
           done
           
-      - name: Run TCK (JSONRPC)
+      - name: Run TCK
         id: run-tck
-        timeout-minutes: 5
+        timeout-minutes: 10
         run: |
           set -o pipefail
-          ./run_tck.py --sut-url ${{ env.SUT_JSONRPC_URL }} --category all --transports jsonrpc --compliance-report report.json 2>&1 | tee tck-output.log
+          export PYTHONUNBUFFERED=1
+          A2A_AUTH_TYPE=basic \
+          A2A_AUTH_USERNAME=alice \
+          A2A_AUTH_PASSWORD=$A2A_PASSWORD \
+          ./run_tck.py --sut-url ${{ env.SUT_JSONRPC_URL }} --category all --transports jsonrpc,grpc,rest --compliance-report report.json 2>&1 | tee tck-output.log
         working-directory: tck/a2a-tck
       - name: Capture Diagnostics on Failure
         if: failure()
diff --git a/tck/pom.xml b/tck/pom.xml
index 9b41e49e3..f01085d3f 100644
--- a/tck/pom.xml
+++ b/tck/pom.xml
@@ -42,6 +42,11 @@
             <groupId>jakarta.ws.rs</groupId>
             <artifactId>jakarta.ws.rs-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-elytron-security-properties-file</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java b/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java
index d5b5d6ffd..25976586d 100644
--- a/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java
+++ b/tck/src/main/java/io/a2a/tck/server/AgentCardProducer.java
@@ -4,15 +4,19 @@
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.enterprise.inject.Produces;
 
+import io.a2a.server.ExtendedAgentCard;
 import io.a2a.server.PublicAgentCard;
 import io.a2a.spec.AgentCapabilities;
 import io.a2a.spec.AgentCard;
 import io.a2a.spec.AgentInterface;
 import io.a2a.spec.AgentSkill;
+import io.a2a.spec.HTTPAuthSecurityScheme;
+import io.a2a.spec.OpenIdConnectSecurityScheme;
 import io.a2a.spec.TransportProtocol;
 
 @ApplicationScoped
@@ -41,6 +45,11 @@ public AgentCard agentCard() {
                         .pushNotifications(true)
                         .stateTransitionHistory(true)
                         .build())
+                .securitySchemes(Map.of("acme", HTTPAuthSecurityScheme.builder()
+                       .scheme("basic")
+                       .build()))
+                .security(List.of(Map.of("acme", Collections.emptyList())))
+                .supportsExtendedAgentCard(true)
                 .defaultInputModes(Collections.singletonList("text"))
                 .defaultOutputModes(Collections.singletonList("text"))
                 .skills(Collections.singletonList(AgentSkill.builder()
@@ -58,5 +67,13 @@ private static String getEnvOrDefault(String envVar, String defaultValue) {
         String value = System.getenv(envVar);
         return value == null || value.isBlank() ? defaultValue : value;
     }
+
+    @Produces
+    @ExtendedAgentCard
+    public AgentCard extendedAgentCard() {
+        return AgentCard.builder(agentCard())
+                //TODO what can we put in the extended agent card
+                .build();
+    }
 }
 
diff --git a/tck/src/main/resources/application.properties b/tck/src/main/resources/application.properties
index c68793be4..73e405822 100644
--- a/tck/src/main/resources/application.properties
+++ b/tck/src/main/resources/application.properties
@@ -18,3 +18,8 @@ quarkus.log.file.enable=true
 quarkus.log.file.path=target/tck-test.log
 quarkus.log.file.level=DEBUG
 quarkus.log.console.level=INFO
+
+# Enable basic authentication
+quarkus.http.auth.basic=true
+quarkus.security.users.embedded.enabled=true
+quarkus.security.users.embedded.plain-text=true
\ No newline at end of file