This is a submission for the Auth0 for AI Agents Challenge
Music Moodboard Assistant 🎧
An Auth0-secured Agentic AI that turns your mood into music
What I Built
Music Moodboard Assistant is an agentic AI application that blends emotion recognition, music recommendation, and secure authentication to personalize Spotify experiences.
The idea came from a simple, everyday frustration — when you feel sleepy, energetic, or unfocused, Spotify doesn’t understand that feeling directly. You must search, scroll, and tweak to find what fits your mood.
Music Moodboard Assistant changes that.
You can simply say things like:
“I’m sleepy and need something relaxing.”
“Play me something upbeat to wake me up.”
Behind the scenes, the agent:
- Authenticates you via Auth0, ensuring all actions happen under your Spotify account securely.
- Analyzes your intent using an AI model hosted via OpenRouter.
- Calls the Spotify APIs with access tokens retrieved from Auth0's Token Vault, so the app never stores Spotify refresh tokens itself and the language model never sees a credential.
- Generates playlists or recommends songs that match your described mood, using audio features such as tempo, energy, and valence.
- Fetches context from a secure RAG (Retrieval-Augmented Generation) system, with fine-grained Auth0-based authorization that ensures the agent only accesses allowed information.
In short, it’s a mood-to-music finder that demonstrates how Auth0 for AI Agents can secure autonomous systems interacting with third-party APIs.
Demo
- Live demo: https://music-moodboard.vercel.app
- Repository: https://github.com/Akashdb5/music-moodboard
- Screenshots or video:
How I Used Auth0 for AI Agents
This project is built around Auth0 for AI Agents, implementing its three foundational pillars:
1. Authenticate the User
Every interaction starts with secure authentication via Auth0.
The API endpoint (app/api/chat/route.ts) requires a valid Auth0 session before the agent can act.
```ts
// app/api/chat/route.ts: refuse to run the agent without a verified Auth0 session
const session = await auth0.getSession();
if (!session) return new Response("Unauthorized", { status: 401 });
```
This ensures that every chat request, playlist creation, or Spotify query is tied to a verified user identity.
Each session is isolated using:
```ts
// Scope the agent's conversation state to the verified subject of the session
setAIContext({ threadID: session.user?.sub });
```
That way, the AI keeps conversation and personalization scoped to the right user.
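The following is an added example, not code from the project, showing why the thread key has to come from the verified session rather than from anything the client sends. `getSession` is a constructed stand-in for `auth0.getSession()` that maps an opaque session cookie to an identity; the cookie values and subjects are made up. The handler built with `trustClientThreadID = true` is the vulnerable variant, shown for contrast.

```ts
type Session = { user: { sub: string } };

// Constructed stand-in for auth0.getSession(): an opaque session cookie maps
// to a verified identity, or to null when the cookie is unknown or absent.
const SESSIONS: Record<string, Session> = {
  "sid-alice": { user: { sub: "auth0|alice" } },
  "sid-bob": { user: { sub: "auth0|bob" } },
};
function getSession(cookie?: string): Session | null {
  return cookie !== undefined ? SESSIONS[cookie] ?? null : null;
}

export type ChatRequest = { cookie?: string; body: { message: string; threadID?: string } };
export type ChatResponse = { status: number; threadID?: string; history?: string[] };

// Builds a chat handler with its own in-memory thread store. With
// trustClientThreadID = false (the pattern in the post) the thread key is the
// session subject; with true it is whatever the request body claims, which
// lets any authenticated user read and append to another user's thread.
export function makeChatHandler(trustClientThreadID: boolean) {
  const threads = new Map<string, string[]>();
  return (req: ChatRequest): ChatResponse => {
    const session = getSession(req.cookie);
    if (!session) return { status: 401 };

    const threadID = trustClientThreadID
      ? (req.body.threadID ?? session.user.sub)
      : session.user.sub;

    const history = threads.get(threadID) ?? [];
    history.push(req.body.message);
    threads.set(threadID, history);
    return { status: 200, threadID, history: [...history] };
  };
}
```

A request that carries Bob's cookie but claims Alice's thread ID lands in Bob's own thread with the secure handler and in Alice's thread with the leaky one; the only difference is which value is treated as the trust anchor.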
2. Control the Tools (Token Vault Integration)
Once authenticated, the agent gains controlled access to the Spotify API using Auth0’s Token Vault.
The Token Vault ensures that:
- The agent never handles sensitive credentials directly.
- Tokens are issued per scope and per user, based on Auth0’s configured connection.
- Tokens can be revoked or re-scoped at any time, enhancing control and compliance.
Example (from lib/auth0-ai.ts):
```ts
// lib/auth0-ai.ts: Spotify calls go through the Token Vault connection
const spotifyAI = auth0AI.withTokenVault({
  connection: "spotify",
  scopes: spotifyScopes,
});
```
The Token Vault connection uses a least privilege approach — defined in lib/spotify-config.ts — allowing only the actions the app truly needs:
- Playlist creation and modification
- Track search and recommendation
- Playback control
- Top tracks, recently played, and library access
Before performing any action that changes user data (like creating a playlist or uploading an image), the AI must get explicit approval through Auth0 Interrupts:
```ts
// Wrap state-changing tools so the user approves before anything is written
const withSpotifyPlaylistConfirmation = auth0AI.withUserConfirmation({
  message: "Do you want the assistant to create this playlist in your Spotify account?"
});
```
This human-in-the-loop design ensures trust and transparency between the user and the AI agent.
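The block below is an added example, not the project's code, covering both the least-privilege scope configuration described above and the confirmation step for data-changing actions. The scope names are real Spotify scopes, but the particular selection, the tool registry and the `executeTool` / `ConfirmationRequired` helpers are constructed for this illustration and are not the Auth0 SDK's API. It adds one check the post does not spell out: the approval is bound to a digest of the exact tool name and arguments, so an approval granted for one playlist cannot be reused by the model to create a different one.

```ts
import { createHash } from "node:crypto";

// Scopes the Token Vault connection grants. Real Spotify scope names; the
// selection is constructed for this example, not copied from the project.
export const spotifyScopes = [
  "playlist-modify-private",
  "user-top-read",
  "user-modify-playback-state",
];

export type Tool = {
  name: string;
  requiredScopes: string[];
  mutates: boolean; // changes the user's Spotify data, so it needs confirmation
  run: (args: Record<string, unknown>) => string;
};

// Constructed tool registry standing in for lib/tools/spotify.ts.
export const tools: Tool[] = [
  { name: "searchTracks", requiredScopes: [], mutates: false, run: (a) => `searched ${a.query}` },
  { name: "topTracks", requiredScopes: ["user-top-read"], mutates: false, run: () => "top tracks" },
  { name: "startPlayback", requiredScopes: ["user-modify-playback-state"], mutates: false, run: (a) => `playing ${a.uri}` },
  { name: "createPlaylist", requiredScopes: ["playlist-modify-private"], mutates: true, run: (a) => `created ${a.name}` },
];

// Least-privilege check, run at startup: every scope a tool needs must be
// granted, and every granted scope must be needed by some tool. Either
// mismatch is reported as a configuration problem.
export function checkLeastPrivilege(registry: Tool[], granted: string[]): string[] {
  const problems: string[] = [];
  const grantedSet = new Set(granted);
  const used = new Set<string>();
  for (const t of registry) {
    for (const s of t.requiredScopes) {
      used.add(s);
      if (!grantedSet.has(s)) problems.push(`${t.name} needs ungranted scope ${s}`);
    }
  }
  for (const s of granted) {
    if (!used.has(s)) problems.push(`granted scope ${s} is not used by any tool`);
  }
  return problems;
}

// Canonical JSON (sorted keys) so equal arguments always hash equally.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return `[${v.map(canonical).join(",")}]`;
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return `{${Object.keys(o).sort().map((k) => `${JSON.stringify(k)}:${canonical(o[k])}`).join(",")}}`;
  }
  return JSON.stringify(v);
}

// The confirmation is bound to the exact tool name and arguments.
export function actionDigest(tool: string, args: Record<string, unknown>): string {
  return createHash("sha256").update(canonical({ tool, args })).digest("hex");
}

// Thrown instead of running the tool; the caller shows `message` to the user
// and, on approval, records `digest` before retrying the identical call.
export class ConfirmationRequired extends Error {
  readonly digest: string;
  constructor(digest: string, prompt: string) {
    super(prompt);
    this.name = "ConfirmationRequired";
    this.digest = digest;
  }
}

// Runs a tool; mutating tools need a single-use approval for this exact call.
export function executeTool(tool: Tool, args: Record<string, unknown>, approvals: Set<string>): string {
  if (tool.mutates) {
    const digest = actionDigest(tool.name, args);
    if (!approvals.has(digest)) {
      throw new ConfirmationRequired(
        digest,
        `Do you want the assistant to run ${tool.name} with ${canonical(args)} in your Spotify account?`,
      );
    }
    approvals.delete(digest); // single use: a second identical call asks again
  }
  return tool.run(args);
}
```

Running `checkLeastPrivilege` at startup turns an over-provisioned connection (a granted scope no tool uses) or an under-provisioned one (a tool whose scope was never granted) into a visible error instead of a silent 403 or an unnecessarily powerful token. The digest-bound approval closes the gap between what the user saw in the prompt and what the tool actually receives.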
3. Limit Knowledge (Authorized RAG)
In addition to Spotify actions, the project integrates a Retrieval-Augmented Generation (RAG) system that stores and retrieves documents (for example, internal configuration or mood-to-music mapping guides).
Auth0’s fine-grained authorization (FGA) ensures that even within the RAG system, users only access data they’re permitted to view.
The pipeline:
- Documents are chunked and embedded with OpenAI's embedding models (`text-embedding-3-small`).
- When a query arrives, the vector store performs a similarity search.
- Auth0's `FGAFilter` filters out any restricted results before the AI can use them.
- The final answer is generated only from allowed context snippets.
From lib/rag/authorized-rag.ts:
```ts
// lib/rag/authorized-rag.ts: drop chunks the current user may not view before generation
const filter = new FGAFilter(auth0, { modelId: "knowledge-docs" });
const { allowed, filtered } = await filter.filterResults(results, session);
```
This prevents unauthorized data leakage during generation — a critical feature when AI systems have dynamic access to stored knowledge.
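Here is an added, self-contained version of that pipeline (example code, not the project's `authorized-rag.ts` and not the Auth0 FGA SDK). The relationship tuples, the three chunks and their three-dimensional "embeddings" are constructed stand-ins for the FGA store and for `text-embedding-3-small` output; `check` stands in for an FGA check call. It also handles one edge case the post does not mention: because authorization runs after top-k retrieval, a filtered result set can come back shorter than k, so `buildContext` over-fetches and truncates only after filtering.

```ts
// FGA-style relationship tuple: `user` holds `relation` on `object`.
type Tuple = { user: string; relation: "viewer"; object: string };
type Chunk = { id: string; doc: string; text: string; embedding: number[] };

// Constructed tuples standing in for the Auth0 FGA store.
const TUPLES: Tuple[] = [
  { user: "user:alice", relation: "viewer", object: "doc:mood-map" },
  { user: "user:alice", relation: "viewer", object: "doc:internal-config" },
  { user: "user:bob", relation: "viewer", object: "doc:mood-map" },
];

// Constructed chunks with hand-made 3-dimensional vectors in place of real embeddings.
export const CHUNKS: Chunk[] = [
  { id: "c1", doc: "doc:mood-map", text: "Sleepy: low energy, slow tempo, high acousticness", embedding: [0.9, 0.1, 0.0] },
  { id: "c2", doc: "doc:mood-map", text: "Energetic: high energy, tempo above 120 BPM", embedding: [0.2, 0.9, 0.1] },
  { id: "c3", doc: "doc:internal-config", text: "Internal: Spotify client id is read from SPOTIFY_CLIENT_ID", embedding: [0.85, 0.15, 0.1] },
];

function cosine(a: number[], b: number[]): number {
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < a.length; i++) { dot += a[i] * b[i]; na += a[i] * a[i]; nb += b[i] * b[i]; }
  return dot / (Math.sqrt(na) * Math.sqrt(nb));
}

// Unfiltered similarity search: the vector store knows nothing about users,
// which is exactly why authorization has to happen afterwards.
export function similaritySearch(query: number[], k: number): Chunk[] {
  return [...CHUNKS]
    .sort((x, y) => cosine(query, y.embedding) - cosine(query, x.embedding))
    .slice(0, k);
}

// Stand-in for an FGA check call: does a tuple grant `user` viewer on `object`?
export function check(user: string, object: string): boolean {
  return TUPLES.some((t) => t.user === user && t.relation === "viewer" && t.object === object);
}

// Post-retrieval filter: a chunk is allowed only if the user may view its document.
export function filterResults(results: Chunk[], user: string): { allowed: Chunk[]; filtered: Chunk[] } {
  const allowed: Chunk[] = [];
  const filtered: Chunk[] = [];
  for (const c of results) (check(user, c.doc) ? allowed : filtered).push(c);
  return { allowed, filtered };
}

// Context assembly for the model. Over-fetch, filter, then truncate to k so a
// user with less access still gets k usable chunks when they exist.
export function buildContext(user: string, query: number[], k: number): string[] {
  const { allowed } = filterResults(similaritySearch(query, k * 2), user);
  return allowed.slice(0, k).map((c) => c.text);
}
```

For a "sleepy" query the internal configuration chunk ranks second by similarity alone; Alice, who holds a viewer tuple on that document, gets it in her context, while Bob's context is filled from the mood-map document instead and a user with no tuples gets nothing. The model never receives the filtered chunks, so it cannot leak them no matter how it is prompted.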
Lessons Learned and Takeaways
Technical Insights
- Auth0's Token Vault is transformative for AI agents. It eliminates the need to store or manage refresh tokens manually, letting you control API access through Auth0 configuration alone.
- Fine-grained authorization for RAG pipelines is essential. It ensures sensitive or internal knowledge bases can be shared securely between different users or organizations.
- Tool schemas matter. By defining strong Zod schemas for tool inputs/outputs (lib/tools/spotify.ts), the agent produces more reliable, interpretable calls.
- Interrupts make agent actions safer. The `withSpotifyPlaylistConfirmation` wrapper provides a natural way to ask for permission before performing actions that affect user data.
- Thread isolation improves user experience. Using `threadID = session.user.sub` ensures persistent, secure, user-scoped interactions.
Personal Reflections
The Music Moodboard Assistant was born from the idea that music should meet you where you are emotionally.
When I’m sleepy, I don’t want to hunt for “lofi sleep” playlists — I just want to say “I’m sleepy” and let the assistant take over.
When I first saw it create a custom playlist with low-energy, high-acousticness songs and ask,
“Would you like me to add vocals or keep it instrumental?”
I realized how natural the interaction felt — and how much more human music discovery could be.
This project showed me that secure autonomy isn’t just about tokens and permissions — it’s about building AI systems that users trust enough to act on their behalf.
Top comments (2)
Really impressive build! 🎧🔥
The secure agent flow with Auth0 + Token Vault + Interrupts is such a smart way to make AI personalization trustworthy. Love how the assistant translates simple moods into actual curated Spotify experiences — super user-centric execution!
FYI, this one is the best. 💯 jo777.help