What The Pack - AI Mission Control for D2C Logistics

rokimiftah — Mon, 27 Oct 2025 06:57:22 +0000

This is a submission for the Auth0 for AI Agents Challenge

What I Built

I built WhatThePack.today, an AI-powered, multi-tenant "Mission Control" OS for Direct-to-Customer (D2C) businesses. It's designed to solve the "delegation nightmare" by allowing business owners (owner) to safely grant granular permissions to their staff (admin and packer) for critical logistics operations, all powered and secured by Auth0, and enhanced with integrated AI tools.

Each business receives an isolated dashboard (store-name.whatthepack.today). The platform provides the core AI intelligence and notifications, while the owner brings their own courier (BYOC) account. WhatThePack transforms manual operational chaos into an automated, intelligent, and secure logistics workflow. For the warehouse packer, it answers their core question hands-free: "What Should Be Packed Today?", while ensuring every action is secured.

The Problem

Successful D2C sellers (on Instagram, WA, etc.) drown in manual work. To scale, they must hire staff, which creates a massive security risk. I identified four core problems:

Operational Chaos: Successful D2C sellers are drowning in manual work: verifying bank transfers, copy-pasting addresses, checking shipping rates, and typing tracking numbers back to customers. Data entry is slow and error-prone.
The Delegation Nightmare (Core Problem): To hire staff (an admin and a packer), the owner is forced to share highly sensitive access:
- Online Banking Login (to verify transfers).
- Courier/Aggregator API Keys (to purchase shipping labels).
- Financial Data (Cost of Goods Sold, profit margins, etc.). Crucially, staff passwords should also remain private.
Location Disparity & Communication Gaps: The admin (at the office/home) and the packer (in the warehouse) lack a real-time, single source of truth for orders, and critical updates (like stockouts) are often delayed.
Warehouse Inefficiency: The packer must constantly look at a screen, switch between tasks, and manually confirm steps, slowing down fulfillment and increasing the chance of errors.

The Solution

WhatThePack.today solves this multi-layered crisis by integrating Auth0's security with targeted AI tools, creating a secure, agentic workflow:

✅ Securely Onboards & Authenticates Staff: Uses Auth0 Universal Login, employs Auth0 Roles, and leverages Auth0's email enrollment flow triggered via the Management API for secure staff onboarding. Owner invites staff via email, and staff set their own private passwords.
✅ Ensures Business Isolation: Leverages Auth0 Organizations for true multi-tenancy, guaranteeing data separation between businesses.
✅ Protects Sensitive Credentials: Secures the owner's critical API key (e.g., ShipEngine) in the Auth0 Organization Metadata, preventing exposure to staff or the AI itself.
✅ Enables Secure Agentic Action & Warehouse Efficiency: Empowers an AI Agent (running on Convex) - triggered via VAPI.ai voice commands from the packer - to securely access the Organization Metadata and execute actions (like buying labels) on the owner's behalf. This solves the core delegation nightmare and allows the packer to work hands-free, eliminating screen-switching inefficiency.
✅ Delivers Role-Aware Intelligence: Implements Auth0's Limit knowledge (RAG) principle, using the user's role (from the Auth0 JWT) to filter data before it reaches the LLM (OpenAI). This ensures the AI provides relevant information (SOPs for packers, profit for owners) without leaking sensitive data.
✅ Provides Proactive Communication: Uses Resend (triggered by the AI Agent) to send automated email notifications (e.g., stock alerts reported via VAPI) to the relevant roles (owner/admin). This instantly bridges the communication gap caused by location disparity.
✅ Reduces Operational Burden: Utilizes the LLM for practical AI assistance, such as extracting order details from pasted chat logs (admin) and generating business summaries/analysis (owner). This directly combats operational chaos and slow data entry.

Product Philosophy: The Justification for Manual Workflows

WhatThePack intentionally does not automate customer chat or payment verification. This is a deliberate design philosophy essential for the D2C/Social Commerce target market.

Preserving the "Human Touch" (High-Touch): Social commerce brands are built on personal conversations. Customers want to ask, "Is this material comfortable?" A rigid bot would destroy this personal experience. In this model, the admin is a Human Customer Service representative, not a data operator.
Market Reality (Trust in Payments): In many markets, "Manual Transfer + Send Proof" is the most common and trusted payment method for SMEs. It maximizes profit (zero payment gateway fees) and aligns with existing customer behavior.
Focusing on the Real Problem: The biggest problem for sellers is NOT replying to chats. It's what happens after the chat is closed: the logistics chaos and the security nightmare of delegating that chaos. WhatThePack is laser-focused on solving that core problem.

Target Audience

Business Type: D2C sellers who avoid marketplaces to maximize their profit. (e.g., independent fashion brands, jewelry, hobbies, or thrift stores on IG/WA/TikTok).
Business Scale: Growing Small-to-Medium Businesses (SMEs). Perfect for the "Overwhelmed Solopreneur" hiring their first staff, or small teams (2-5 people) needing a clear separation of duties.

Comparison & Advantages vs. Marketplaces

This platform is designed for sellers who avoid marketplaces. Here's why it's a superior model for them:

Aspect	Marketplace (Amazon, Shopee)	`WhatThePack.today`
Profit Margin	Low. Slashed by marketplace commissions (5-10%).	100% Profit. No sales commissions.
Customer Data	Owned by Marketplace. You cannot re-market.	Owned by You. You build your own customer data asset.
Staff Security	Basic. Generic admin roles.	Granular & Secure (Auth0). (`owner`, `admin`, `packer`) roles with totally separate UIs & data.
API Control	Locked-in. You must use their payment & shipping.	Open & Secure (Auth0 Organization Metadata). "Bring Your Own Courier" (via ShipEngine) & secure your API key.
Warehouse Ops	Manual. `Packer` must view a screen.	Agentic (VAPI.ai). `Packer` can work hands-free via voice commands.
Business Intel	Generic. Basic sales analytics.	Specific & Secure (Auth0 RAG). `Owner` sees profit, `Packer` sees SOPs. Same data, different views.

Demo

Live Demo: https://whatthepack.today
GitHub: https://github.com/rokimiftah/whatthepack.today

Owner Dashboard: Financial KPIs, Staff Management (Invite form), Integrations page showing ShipEngine connected via Organization Metadata.
Admin Dashboard: Order entry form with "Paste Chat to Auto-fill" button and order list.
Packer Dashboard: Packing Queue view on a tablet/mobile, highlighting the VAPI.ai voice interface prompt.
Auth0 Configuration: Screenshots showing: Auth0 Roles (owner, admin, packer), Auth0 Organizations list, Organization Metadata configuration for ShipEngine API.
Example Email Notification: Screenshot of the "CRITICAL STOCK ALERT" email sent via Resend.
Auth0 Enrollment Email: Screenshot of the invitation email received by a new staff member.

🎮 Try It Yourself

Test users are pre-configured. Password: A!1aaaaa
*Note: For demo purposes, test users have pre-set passwords. The actual secure onboarding flow involves the owner inviting staff via email, and the staff member setting their own private password via an Auth0 enrollment link.*

https://thrift-store.whatthepack.today

Email	Role	Organization	Key Permissions	Username (Example)
`owner-thrift-store@whatthepack.today`	`owner`	Store A	Connects APIs, Sees Profit, Manages Staff, VAPI (Insight)	`owner`
`admin-thrift-store@whatthepack.today`	`admin`	Store A	Creates Orders, Sees Order Status	`lisa_admin`
`packer-thrift-store@whatthepack.today`	`packer`	Store A	Sees Packing Queue, VAPI (Action Mode)	`john_packer`

Try These Scenarios:

Secure Staff Onboarding (Simulated):
- Login as owner-thrift-store@whatthepack.today → Go to "Manage Staff" → Click "Invite Staff".
- Enter a staff email (use a real email you can access to see the Auth0 invite), assign role packer, username base test. Confirm username test_packer. Click "Send Invite".
- Check your email for the Auth0 enrollment link and follow it to set a password.
Secure API Delegation (The Core Loop):
- Login as owner-thrift-store@whatthepack.today → Go to "Integrations" → Connect your ShipEngine TEST API key.
- Login as admin-thrift-store@whatthepack.today (using username lisa_admin) → Create a new order.
- Login as packer-thrift-store@whatthepack.today (using username john_packer) → Use VAPI: "Vapi, next order."
- VAPI will read the order. Say: "Finished packing, weight 300 grams."
- Result: The AI Agent buys the label using the owner's key. The packer never sees it. The admin will see the tracking number appear.
RAG - Role-Based Knowledge:
- Login as packer-thrift-store@whatthepack.today → Ask VAPI: "How do I pack SKU123?" → AI Response: "Fold 3 times, use polymailer M."
- Now ask: "How much profit did we make on SKU123?" → AI Response: "Sorry, you are not authorized to access financial information."
RAG - Owner Insight:
- Login as owner-thrift-store@whatthepack.today → Ask VAPI: "Vapi, read my daily briefing." → AI Response: "Good morning. You had 15 orders, with an estimated profit of $145. Stock for 'Black T-Shirt' is low."
Multi-Tenancy Isolation:
- Login as owner@store-b.com → You will see zero orders or data from Store A. Your dashboard is completely isolated.

Detailed Feature Matrix per Role

Feature	`owner` (The Strategist)	`admin` (The Operator)	`packer` (The Executor)
Login & Dashboard	Login via `store-name...`. Full Dashboard: Financial KPIs, AI Analytics, Staff Logs.	Login via Username (`name_role`) Limited Dashboard: "Order Management" only.	Login via Username (`name_role`) Hyper-Limited Dashboard: "Packing Queue" only.
Staff Management	✅ Yes (Invite & Remove `admin` / `packer` via email enrollment).	❌ No	❌ No
API Integration	✅ Yes (Connects ShipEngine API key via Auth0 Organization Metadata).	❌ No	❌ No
Product Management	✅ Yes (Upload/Edit Catalog & SOPs. Enters COGS, Sell Price, Bin Location).	❌ No	❌ No
Order Management	✅ Yes (View & Edit all orders).	✅ Yes (Create new orders, view status). LLM Feature: "Paste Chat" to auto-fill form.	❌ No (Only sees `status: "paid"` queue).
Email Notifications	✅ Receives ("Stock Alert," "Daily Briefing," etc. from `notifications@whatthepack.today`).	✅ Receives ("Stock Alert," "Order Failed," etc.).	❌ No (Works via UI/VAPI only).
RAG (LLM) Access	✅ Full Access. "What's my profit?" "Analyze SKU123 trends."	✅ Limited Access. "What's order #125 status?" "How much stock is left for SKU123?"	✅ Scoped Access. "How do I pack SKU123?" "Where is SKU123 located?"
VAPI.ai Access	✅ Insight Mode (Read-Only). "Vapi, read my AI Daily Briefing." "How is `packer` John performing?"	❌ No	✅ Action Mode (Read-Write). "Vapi, next order." "Finished, weight 300g." "Stock for SKU123 is out."
Staff Analytics	✅ Yes. Views performance dashboard (e.g., "Avg. pack time per `packer`").	❌ No	❌ No

How I Used Auth0 for AI Agents (And Integrated AI Tools)

My project's entire security and operational model is built on solving the "multi-layered crisis of trust" using the complete Auth0 for AI Agents framework, intelligently integrated with other key AI technologies.

1. Solving Organizational & Role-Based Trust (`Authenticate the user`)

The Problem: How to manage multiple businesses securely and enforce strict permissions between owner, admin, and packer, especially during onboarding.
My Auth0 Solution: I use Auth0 Organizations for multi-tenancy and Auth0 Roles + Actions to inject JWT claims. Crucially, staff onboarding uses Auth0's secure email enrollment triggered via the Management API.
Implementation:

  // convex/auth.config.ts (Simplified)
  // This config tells Convex to trust Auth0 and read the custom claims.
  export default {
    providers: [
      {
        domain: process.env.AUTH0_DOMAIN!,
        applicationID: process.env.AUTH0_CLIENT_ID!,
        jwksUrl: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
        // We map the custom claims from the Auth0 Action
        roleClaim: "https://whatthepack.today/roles",
        organizationClaim: "https://whatthepack.today/orgId",
      },
    ],
  };

Staff Onboarding (Auth0 Management API): When the owner invites a staff member via the UI, a Convex action calls the Auth0 Management API. This call creates the user within the correct Organization, assigns the appropriate Role, and triggers Auth0 to send a secure enrollment/invitation email to the staff member. The staff member clicks the link and sets their own private password. The owner never knows it.

  // convex/users.ts (Simplified pseudocode for invitation action)
  import { ManagementClient } from "auth0"; // Auth0 Node SDK

  import { action } from "./_generated/server";

  export const inviteStaff = action({
    args: { email: v.string(), role: v.string(), orgId: v.string(), username: v.string() },
    handler: async (ctx, args) => {
      const identity = await ctx.auth.getUserIdentity();
      // Check if inviter is owner of the org...

      const management = new ManagementClient({
        domain: process.env.AUTH0_MGMT_DOMAIN!,
        clientId: process.env.AUTH0_MGMT_CLIENT_ID!,
        clientSecret: process.env.AUTH0_MGMT_CLIENT_SECRET!,
      });

      // Create user in Auth0 (password set by user via link)
      const newUser = await management.users.create({
        email: args.email,
        connection: "Username-Password-Authentication", // Or your DB connection
        username: args.username, // e.g., lisa_admin
      });

      // Add user to the correct organization
      await management.organizations.addMembers(args.orgId, { members: [newUser.data.user_id!] });

      // Assign the role (admin or packer)
      await management.roles.assignUsers({ id: getRoleId(args.role) }, { users: [newUser.data.user_id!] });

      // Trigger the enrollment email (change password ticket)
      await management.tickets.createPasswordChangeTicket({
        result_url: `https://${getStoreSubdomain(args.orgId)}.whatthepack.today/login`, // Redirect after password set
        user_id: newUser.data.user_id!,
      });

      // Store user reference in Convex DB...
    },
  });

Why This Matters: Provides the foundational security layer, enables granular control, and ensures staff passwords remain private via a standard, secure onboarding flow.

2. Solving Delegated Trust (`Control the tools`)

The Problem: How to let a low-privilege packer perform a high-trust action (buy a shipping label) without the owner's master API key?
My Auth0 Solution: This is the star feature. The owner saves their ShipEngine API Key directly into the Auth0 Organization Metadata. When the packer gives the voice command, my AI Agent (a Convex Action) is authorized to request and use that token on the organization's behalf, but the packer never sees it.
Implementation:

  // convex/agents/shippingAgent.ts (Simplified pseudocode)
  import { internalAction } from "../_generated/server";
  import { ManagementClient } from "auth0";

  export const buyLabel = internalAction({
    args: { orderId: v.id("orders"), orgId: v.string() },
    handler: async (ctx, args) => {
      // 1. Get the owner's secured API key from Organization Metadata
      const mgmt = new ManagementClient({
        domain: process.env.AUTH0_DOMAIN!,
        clientId: process.env.AUTH0_MGMT_CLIENT_ID!,
        clientSecret: process.env.AUTH0_MGMT_CLIENT_SECRET!,
      });

      // Retrieve from Organization Metadata (encrypted at rest)
      const org = await mgmt.organizations.getByID({ id: args.orgId });
      const shipEngineApiKey = org.data.metadata?.shipengine_api_key;

      if (!shipEngineApiKey) throw new Error('API key not configured');

      // 2. Use the API key to call the external API
      const shipEngine = new ShipEngineClient(shipEngineApiKey); // ShipEngine client library
      const label = await shipEngine.purchaseLabel(...); // Add necessary order details

      // 3. Update our database
      // ... (update order with tracking number using Convex mutations)
    },
  });

Why This Matters: I built a true zero-trust, delegated-action workflow. The AI agent acts as a secure proxy, enabling a low-trust user to perform a high-trust action without ever exposing the credential.

3. Solving AI Trust & Providing Role-Aware Info (`Limit knowledge`)

The Problem: How to ensure the AI gives correct, role-specific answers (SOPs vs. Profit) without leaking data.
My Auth0 + LLM Solution: I use Auth0's Limit knowledge (RAG) principle. The AI Agent checks the user's role from the Auth0 JWT before querying the database for context. The LLM only receives data that the specific role is authorized to see.
Implementation:

  // convex/agents/ragAgent.ts (Simplified)
  import { OpenAI } from "openai";

  import { api } from "../_generated/api"; // Import API for type safety
  import { query } from "../_generated/server";

  const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY! });

  export const answerQuery = query({
    args: { prompt: v.string() },
    handler: async (ctx, args) => {
      const identity = await ctx.auth.getUserIdentity();
      if (!identity) throw new Error("Not authenticated");

      let contextData: any[] = []; // Initialize context data

      // 2. Role-Based Data Access (Limit Knowledge)
      // Ensure Org ID filtering for multi-tenancy!
      if (identity.role === "owner") {
        // Owner can access financial data for analysis within their org
        contextData = await ctx.db
          .query("products")
          .withIndex("by_orgId", (q) => q.eq("orgId", identity.orgId!)) // Use index for filtering
          .collect(); // Fetch relevant fields like costOfGoods, sellPrice, etc.
        // Add relevant order data for profit calculation
      } else if (identity.role === "packer") {
        // Packer can ONLY access SOPs and location within their org
        contextData = await ctx.db
          .query("products")
          .withIndex("by_orgId", (q) => q.eq("orgId", identity.orgId!)) // Use index for filtering
          .collect(); // Fetch relevant fields like sop_packing, warehouseLocation
      }
      // Add case for 'admin' if they have specific RAG needs

      // Simplistic context preparation (improve with actual RAG logic - embeddings, vector search)
      const relevantContext = contextData
        .map((doc) => `SKU: ${doc.sku}, Name: ${doc.name}, SOP: ${doc.sop_packing ?? "N/A"}`)
        .join("\n");

      // 3. The LLM only receives the pre-filtered, safe context for that Org
      const answer = await openai.chat.completions.create({
        model: "gpt-5",
        messages: [
          {
            role: "system",
            content: `You are a helpful assistant for the WhatThePack platform. Answer based ONLY on the provided context. Context: ${relevantContext}`,
          },
          { role: "user", content: args.prompt },
        ],
      });
      return answer.choices[0].message.content;
    },
  });

Why This Matters: The AI's "brain" is dynamically and securely scoped based on who is asking and which organization they belong to. The RAG pipeline is permission-aware at the data-access layer, ensuring zero data leakage to the LLM or between tenants.

4. Solving Warehouse Inefficiency & Enabling Agentic Action

The Problem: Packers are slowed down by screen-switching and manual confirmations.
My VAPI.ai + AI Agent Solution: I integrated VAPI.ai as the primary interface for the packer. Voice commands trigger my AI Agent (Convex Action), which then orchestrates the entire packing and shipping workflow (including RAG lookups and calling the Auth0 Organization Metadata).
Why This Matters: Creates a truly hands-free, efficient, and AI-driven warehouse operation.

5. Solving Communication Gaps

The Problem: Delayed critical updates (like stockouts) between warehouse and management.
My Resend + AI Agent Solution: When the AI Agent detects a critical event (e.g., packer reports "stock out" via VAPI), it triggers a Convex Action that uses the platform's Resend key to send an instant email notification to the owner and admin.
Why This Matters: Ensures timely communication and proactive management.

6. Solving Operational Chaos & Data Entry Burden

The Problem: Admins waste time copy-pasting chat logs into order forms; Owners struggle to get quick business insights.
My LLM Solution: I leverage the LLM (OpenAI) for:
- Data Extraction: The "Paste Chat to Auto-fill" feature on the admin's order form.
- Summarization & Analysis: The "AI Daily Briefing" and "Business Analyst" features for the owner.
Why This Matters: Directly reduces manual labor and provides actionable intelligence.

Technical Architecture Summary

Framework: React 19 (Frontend), Convex (Backend, DB, Serverless Functions)
Authentication: Auth0 (Universal Login, Organizations, Roles, Actions, Organization Metadata)
Voice AI: VAPI.ai (Agentic voice interface for packer and owner)
Logistics API: ShipEngine (Purchasing labels with owner's key)
Build Tool: Rsbuild
AI Model: OpenAI (Powered by platform key, used for RAG, Summarization, Analysis)
Notifications: Resend (Powered by platform key, for stock alerts)
Styling: Mantine UI
Code Quality: Biome (Linting), Prettier (Formatting), TypeScript strict mode

Complete Workflows

Flow 1: Setup & Data Upload (By Owner, One-Time)

Owner signs up. Auth0 creates a new Organization.
Owner is directed to their unique subdomain: store-name.whatthepack.today.
Integration: Owner goes to "Integrations" and sees only one button: "Connect ShipEngine". They enter their ShipEngine API Key, which is stored securely in the Auth0 Organization Metadata.
Data: Owner uploads their Product Catalog CSV (SKU, Name, COGS, Sell Price, Stock, Bin Location, Packing SOP).
Background (LLM): A Convex action triggers, using the platform's OpenAI key to create RAG embeddings.
Staff Onboarding: Owner goes to "Manage Staff" -> "Invite New Staff".
Owner enters the staff member's Email (lisa.admin@email.com), assigns a Role (admin), and optionally a Username Base (lisa). System confirms lisa_admin.
Owner clicks "Send Invite".
Backend (Auth0 Management API): Convex calls Auth0 to create the user (lisa_admin) in the Organization and trigger Auth0's email enrollment flow to lisa.employee@email.com.
Staff Experience: Lisa receives an Auth0 email, clicks the link, and sets her own private password. Owner invites john.packer@email.com similarly for the packer role (username john_packer).

Flow 2: Daily Order Processing (Manual Admin -> AI Logistics)

Admin Lisa logs in using username lisa_admin and her private password. She sees the "Order Management" dashboard.
(Outside the app) Lisa handles customer chat and manually verifies payment.
In WhatThePack, Lisa clicks "Create New Order".
LLM Feature: She pastes the final chat confirmation. The platform's LLM extracts details to auto-fill the draft form.
Lisa verifies, selects SKU123, and clicks "Send to Warehouse".
Order #125 (status: "paid") appears in real-time on Packer John's screen.
John starts the VAPI Voice Workflow (see Feature Matrix).
VAPI: "Finished packing. Weight 300 grams."
The AI Logistics Agent (Convex) is triggered:
- Calls Auth0 Organization Metadata -> gets owner's ShipEngine token for this orgId.
- Calls ShipEngine -> buys the cheapest label (billing the owner's account).
- Updates order in Convex with tracking number.
- Updates product stock in Convex.
VAPI confirms to John: "Label printed. Stock is now 14."
Real-time (Admin): Lisa's screen updates: Order #125 -> "Shipped", tracking number appears.
Lisa (manually) sends the tracking number to the customer.

Flow 3: Proactive Notification Workflow (AI -> Human)

Packer John (via VAPI): "Vapi, stock for SKU123 is out."
AI Agent updates product stock to 0.
AI Agent (Automatic): Triggers a Notification action.
Action uses the platform's Resend key to send an email from notifications@whatthepack.today to owner-thrift-store@whatthepack.today and lisa-thrift-store@whatthepack.today: > Subject: CRITICAL STOCK ALERT - SKU123 (Red Shirt) > Hello, > Stock for SKU123 (Red Shirt) was just reported as 0 by packer John on October 19, 11:15. > Please contact your vendor immediately to reorder.
Owner and admin are instantly notified.

Flow 4: Owner Monitoring Workflow (Mobile)

Owner opens VAPI on their phone (logged in as owner).
Owner (via VAPI): "Vapi, read me my AI Daily Briefing."
AI (VAPI + RAG + Platform LLM): Provides the summary.
Owner is informed and ends the call.

Lessons Learned and Takeaways

Agentic AI is about Secure Delegation: The synergy between Auth0 Organization Metadata and AI Agents (triggered by VAPI) is key to enabling low-trust users to perform high-trust actions securely.
Security Must Be Proactive (RAG + Roles): Auth0's Limit knowledge principle, combined with Role-Based Access and Organization filtering, is crucial for preventing data leaks before they reach the LLM, especially in a multi-tenant environment.
Auth0's Stack is the Key: This project would be impossible to secure properly without the combination of Organizations (for tenancy), Roles (for permissions), Actions (for claims), and the Organization Metadata (for delegated credentials). This stack is the perfect solution for building secure, multi-tenant AI applications.

Conclusion

WhatThePack.today demonstrates a real-world, scalable solution to a critical problem for D2C businesses. By leveraging the full power of the Auth0 for AI Agents suite, I built a platform that enables secure delegation, provides role-aware intelligence, enforces multi-tenant data isolation, and creates a truly "agentic," efficient workflow for logistics.

DEV Community: rokimiftah