cuongnp

VaultMind: Your AI Calendar Assistant with Auth0-Powered Security

Auth0 for AI Agents Challenge Submission

This is a submission for the Auth0 for AI Agents Challenge

What I Built

VaultMind is an AI-powered calendar assistant that transforms how you manage your schedule. Instead of clicking through calendar interfaces, just tell VaultMind what you need:

  • 💬 "Am I free tomorrow afternoon?" - Instant availability checks

  • 📅 "Schedule a team standup next Monday at 2pm" - Smart event creation with conflict detection

  • 🌍 "What time is 3pm Tokyo in San Francisco?" - Automatic timezone conversion across 19 global zones

  • ⚠️ "Find me 30 minutes this week" - Intelligent scheduling with conflict warnings

The Problem It Solves

Modern professionals waste 2+ hours per week on calendar management:

  • Manual timezone calculations for distributed teams

  • Checking availability across multiple calendars

  • Avoiding double-bookings and scheduling conflicts

  • Context-switching between chat, email, and calendar apps (Update soon!)

  • And more!!

VaultMind eliminates this friction by leveraging AI agents that integrate seamlessly with the Google Calendar API, using real data instead of mock responses or templates.

Key Features

✅ Real API Integration: interacts with the Google Calendar API for actual event management

🤖 True AI Understanding: integrates OpenAI for natural language processing

🔐 Enterprise Security: Auth0 Management API with short-lived tokens, so no credentials are stored

🌍 Global Timezone Support: supports multiple timezones with live clocks for distributed teams

⚠️ Smart Conflict Detection: warns before creating overlapping events

📊 Real-Time Validation: see actual calendar events appear instantly

Demo

Live Demo: https://vaultmind-app.vercel.app

GitHub Repository: https://github.com/mrdaiking/vaultmind

Demo Account:

Important: If you want to test the full Google Calendar integration, please register in the waitlist first and I will add you to the audience list of the Google OAuth consent screen, since this app is still in testing mode. Sorry about this!

Screenshots

  • Landing Page with Real-World Use Cases [screenshot: VaultMind Homepage]

  • AI Chat Interface with Timezone Support [screenshot: VaultMind Multiple TimeZone]

  • Smart Conflict Detection [screenshot: VaultMind Smart Conflict Detection]

  • Real Google Calendar Integration [screenshot: VaultMind Real Google Calendar Integration]

How I Used Auth0 for AI Agents

Architecture

[diagram: VaultMind Architecture]

VaultMind implements Auth0's best practices for securing AI agents with three layers of security:

1. JWT Validation with JWKS Caching

Every API request validates the Auth0 JWT token:

```python
import jwt  # PyJWT
from jwt.algorithms import RSAAlgorithm
from fastapi import HTTPException
from fastapi.security import HTTPAuthorizationCredentials


async def verify_jwt(credentials: HTTPAuthorizationCredentials):
    token = credentials.credentials
    # Fetch and cache Auth0's public keys (JWKS); get_jwks() keeps them for 1 hour
    jwks = await get_jwks()
    # Select the signing key whose "kid" matches the token header
    kid = jwt.get_unverified_header(token).get("kid")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if jwk is None:
        raise HTTPException(status_code=401, detail="Unknown signing key")
    public_key = RSAAlgorithm.from_jwk(jwk)
    # Verify JWT signature, issuer, audience, expiration
    payload = jwt.decode(
        token,
        public_key,
        algorithms=["RS256"],
        audience=AUTH0_AUDIENCE,
        issuer=f"https://{AUTH0_DOMAIN}/",
    )
    logger.info(f"[AUTH] JWT verified for user: {payload.get('sub')}")
    return payload
```

Security Benefits:

  • ✅ Cached JWKS reduces Auth0 API calls (1-hour TTL)

  • ✅ Prevents token forgery with signature verification

  • ✅ Validates issuer, audience, and expiration automatically
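The JWKS cache that the snippet above relies on, written here as an added example rather than VaultMind's own get_jwks(): a 1-hour TTL cache that also re-fetches once on an unknown kid (Auth0 rotates signing keys) but rate-limits that refresh, plus alg pinning before the key is handed to the signature check. The fetch callable, the clock parameter and the constructed tokens are assumptions; the RS256 signature itself is still verified by PyJWT's jwt.decode with the key this returns.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:  # counterpart, used to build constructed sample tokens
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class JwksCache:
    """Caches the JWKS document for `ttl` seconds and re-fetches on an unknown
    kid (Auth0 key rotation), but at most once per `min_refresh` seconds so a
    flood of bogus kids cannot turn the cache into a JWKS-endpoint DoS."""

    def __init__(self, fetch, ttl=3600, min_refresh=60, clock=time.monotonic):
        self._fetch, self._ttl, self._min_refresh, self._clock = fetch, ttl, min_refresh, clock
        self._keys: dict = {}
        self._fetched_at = None
        self.fetch_count = 0  # exposed so callers can observe cache behaviour

    def _refresh(self) -> None:
        doc = self._fetch()  # e.g. GET https://{AUTH0_DOMAIN}/.well-known/jwks.json (assumed)
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at > self._ttl:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and now - self._fetched_at >= self._min_refresh:
            self._refresh()  # kid unknown: maybe the keys rotated, try once more
            key = self._keys.get(kid)
        return key

def select_signing_key(token: str, cache: JwksCache) -> dict:
    """Pick the JWK for this token's kid, pinning alg=RS256 *before* any
    signature check so 'alg: none' or HS256 confusion never reaches jwt.decode."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    key = cache.get_key(header.get("kid", ""))
    if key is None or key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
        raise ValueError("no RSA signing key for this kid")
    return key
```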

2. Auth0 Management API for Secure Token Exchange

Instead of storing refresh tokens (a security risk!), VaultMind uses the Auth0 Management API to fetch short-lived Google Calendar tokens on demand:

```python
from urllib.parse import quote

import httpx


async def get_google_access_token_from_management_api(user_sub: str):
    # Get Management API token (cached, 24hr expiry)
    mgmt_token = await get_management_api_token()
    # Fetch the user's identities; user_sub ("google-oauth2|123") needs URL-encoding in the path
    async with httpx.AsyncClient() as client:
        response = await client.get(
            f"https://{auth0_domain}/api/v2/users/{quote(user_sub, safe='')}",
            headers={"Authorization": f"Bearer {mgmt_token}"},
            params={"fields": "identities", "include_fields": "true"},
        )
        response.raise_for_status()
        user_data = response.json()
    # Extract Google access token from identities
    for identity in user_data.get("identities", []):
        if identity.get("provider") == "google-oauth2":
            return identity.get("access_token")  # Short-lived token!
    return None  # no Google identity linked, or calendar access never granted
```

Security Benefits:

  • ✅ Zero Stored Credentials: App never stores refresh tokens

  • ✅ Short-Lived Tokens: Google tokens expire in ~1 hour

  • ✅ Runtime Token Retrieval: Fetched only when needed

  • ✅ Scoped Access: Minimal Calendar API permissions
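The two pieces the token-exchange snippet leaves implicit, as an added example (not VaultMind's code): the cached Management API token that renews itself shortly before Auth0's reported expires_in, and the identity lookup bound to the sub from the verified JWT so a caller can never ask for another user's Google token. It assumes the user record is requested with fields=user_id,identities (so user_id is present) and that the client-credentials response has the standard access_token and expires_in fields; the request_token callable, clock parameter and sample record are constructed.

```python
import time
from urllib.parse import quote

def management_user_url(auth0_domain: str, user_sub: str) -> str:
    """Auth0 user ids ("google-oauth2|123456") contain '|', so the path segment
    must be percent-encoded or the request hits the wrong resource."""
    return f"https://{auth0_domain}/api/v2/users/{quote(user_sub, safe='')}"

def extract_google_access_token(user_data: dict, verified_sub: str):
    """Return the Google access token from the identities array, refusing a
    record that does not belong to the user identified by the verified JWT."""
    if user_data.get("user_id") != verified_sub:
        raise PermissionError("identity record is not for the authenticated user")
    for identity in user_data.get("identities", []):
        if identity.get("provider") == "google-oauth2" and identity.get("access_token"):
            return identity["access_token"]
    return None  # Google not linked, or calendar consent never granted

class ManagementTokenCache:
    """Caches the client-credentials token for the Management API and renews it
    `margin` seconds before the expires_in reported by Auth0, never after."""

    def __init__(self, request_token, margin=300, clock=time.time):
        self._request, self._margin, self._clock = request_token, margin, clock
        self._token, self._expires_at = None, 0.0
        self.request_count = 0  # exposed so cache behaviour can be observed

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            # request_token() is assumed to POST /oauth/token with grant_type=client_credentials
            resp = self._request()
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp["expires_in"])
            self.request_count += 1
        return self._token
```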

3. Structured Audit Logging

Every AI agent action is logged with security context:

```python
# Tagged logging for production observability
logger.info("[AUTH] ✅ JWT verified for user: google-oauth2|123456")
logger.info("[MGMT] 🔑 Requesting Management API token...")
logger.info("[CALENDAR] ✅ Created calendar event: abc123xyz")
logger.info("[AI] Processing message: 'Am I free tomorrow?'")

# Comprehensive audit trail
audit_log.log_action(
    user_id=user_claims.get('sub'),
    action='create_calendar_event',
    details={'event_id': event_id, 'title': title},
    success=True
)
```

Logging Tags:

  • [AUTH] - JWT validation and token retrieval

  • [MGMT] - Auth0 Management API operations

  • [CALENDAR] - Google Calendar API calls

  • [AI] - OpenAI agent processing

  • [ERROR] - Security failures and API errors
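An audit logger with the same log_action signature and [TAG] prefixes as above, added here as an example and not taken from VaultMind: each action becomes one JSON record, and any value under a credential-shaped key (access_token, refresh_token, authorization, ...) is replaced by a short SHA-256 fingerprint, so the Google and Management API tokens flowing through the backend can be correlated in logs without ever being written to them. The logger name, clock parameter and sample details are constructed.

```python
import hashlib
import json
import logging
import time

# Keys whose values must never land in a log line, even at DEBUG level.
SENSITIVE_KEYS = {"access_token", "refresh_token", "id_token", "authorization", "password"}

def fingerprint(value) -> str:
    """Short SHA-256 prefix: lets an operator correlate the same token across
    log lines without the log ever holding a usable credential."""
    return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()[:12]

def redact(obj):
    """Recursively replace sensitive values with fingerprints; other data is kept."""
    if isinstance(obj, dict):
        return {k: fingerprint(v) if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

class AuditLog:
    """Emits one JSON object per agent action, prefixed with the same
    [AUTH]/[MGMT]/[CALENDAR]/[AI]/[ERROR] tags so both streams grep together."""

    def __init__(self, logger=None, clock=time.time):
        self._logger = logger or logging.getLogger("vaultmind.audit")  # name assumed
        self._clock = clock

    def log_action(self, user_id, action, details=None, success=True, tag="CALENDAR") -> dict:
        record = {
            "ts": self._clock(),
            "tag": tag,
            "user_id": user_id,  # the sub from the verified JWT, never request input
            "action": action,
            "success": success,
            "details": redact(details or {}),
        }
        prefix = tag if success else "ERROR"  # failures surface under the [ERROR] tag
        self._logger.info("[%s] %s", prefix, json.dumps(record, sort_keys=True))
        return record
```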

Auth0 Configuration Highlights

Google Social Connection:

  • ✅ Enabled Google OAuth2 with Calendar scopes

  • ✅ Configured https://www.googleapis.com/auth/calendar permission

  • ✅ Users must re-authenticate to grant calendar access

Management API Permissions:

  • ✅ Enabled read:users for user identity lookup

  • ✅ Enabled read:user_idp_tokens for Google token retrieval

  • ✅ Machine-to-machine authentication with client credentials

Security Settings:

  • ✅ JWT token expiration: 10 hours

  • ✅ Allowed callback URLs: Production + localhost

  • ✅ CORS configured for frontend domain only

  • ✅ Rate limiting enabled on backend API

  • ✅ Prevent prompt injection with moderation filters

Tech Stack

Frontend:

  • Next.js 15.5.6 (App Router)

  • Tailwind CSS for responsive design

  • Auth0 Next.js SDK (@auth0/nextjs-auth0)

Backend:

  • FastAPI (Python 3.11.9)

  • Auth0 JWT validation with PyJWT

  • Google Calendar API integration

  • OpenAI GPT-4o-mini for natural language processing

  • pytest + black + flake8 for code quality (Make code production-ready)

Infrastructure:

  • Vercel (Frontend deployment)

  • Render.com (Backend deployment)

  • Structured logging with tags for observability

Lessons Learned and Takeaways

  1. Read Auth0 Docs Thoroughly: the Management API is hidden in the advanced docs; don't miss it

  2. Use Structured Logging Early: [TAG] prefixes make production debugging trivial

  3. Test with Real APIs: Mock data hides integration issues

  4. Deploy Often: Vercel + Render made continuous deployment seamless

  5. Validate in Production: Local testing ≠ real-world behavior

🚀 Next Steps

If I had more time, I'd add:

  1. Email Integration: Schedule from Gmail threads

  2. Token Vault of Auth0: Store other sensitive info securely

  3. Multi-Calendar Support: Merge personal + work calendars

  4. More Agentic: Integrate with more platforms

  5. Your feedback!: Feature requests from early users

๐Ÿ™ Thank You

Huge thanks to Auth0 and the DEV Community for this challenge! Building VaultMind demonstrated that secure AI agents are feasible today with the right architecture. This project ignited my motivation to explore new technologies, and Iโ€™m thrilled to build more tools in the future. I genuinely appreciate the opportunity to participate. I made numerous mistakes, but I learned a lot along the way. Just start! Do it right! Do it better. Thatโ€™s all.

Special shoutout to:

  • Auth0 Management API docs (excellent tools for security); I'm eager to explore more Auth0 features.
  • OpenAI GPT-4o-mini (affordable and powerful).
  • Google Calendar API (surprisingly well-designed); I look forward to exploring more Google APIs.

Try VaultMind: https://vaultmind-app.vercel.app

GitHub: https://github.com/mrdaiking/vaultmind

TechCodx: https://techcodx.com

Twitter/X: https://twitter.com/techcodx

Twitter/X: https://twitter.com/cuongnp0506

Youtube: https://www.youtube.com/@techcodx

Built with ❤️ for the Auth0 for AI Agents Challenge

Top comments (2)

Varshith V Hegde

I was exploring your app and noticed that the demo credentials aren't working. Out of curiosity, I took a quick look at the source code and saw that you're not using the official Auth0 Package (auth0_ai_langchain). Instead, it looks like you're handling OAuth tokens through direct API calls. Is there a specific reason you chose that approach?

cuongnp

Hi! Thanks for checking out VaultMind. You're correct that I opted to implement the OAuth token handling manually instead of using the auth0_ai_langchain package. I actually missed this part, and I appreciate you pointing it out! Let me try it.
