
Kourtney Lee

AuroraPath - Chasing the northern lights | Earth Day Weekend Challenge


This is a submission for Weekend Challenge: Earth Day Edition

What I Built

AuroraPath — a real-time, carbon-optimized dashboard for sustainable aurora borealis viewing. 🌌🌿

Aurora hunting typically means driving long distances into rural darkness alone at night — one of the least carbon-efficient leisure activities imaginable. AuroraPath flips that script: it combines live NOAA space weather data with an Auth0-managed AI agent that generates travel recommendations prioritizing trains, buses, and carpooling over solo drives.

Auth0 is the backbone of AuroraPath's trust model. It enforces two distinct identity layers:

  1. Human identity (User Auth) — Only authenticated users can invoke the AI. This prevents anonymous abuse of the Gemini API budget and ensures every recommendation is tied to a real account.
  2. Machine identity (M2M Agent Auth) — The Gemini AI orchestrator runs under its own dedicated Auth0 Machine-to-Machine credential, completely separate from user auth. The AI agent has a traceable, revocable identity — if the M2M token is rotated or revoked, the AI stops calling Gemini without touching a single user session.

The remaining features are built on top of this trust foundation:

  • Aurora Visibility Score (AVS) — a deterministic 0–100 score from live NOAA G-scale indices and solar wind speed
  • Real-time geomagnetic dashboard — G/R/S-scale meters, solar wind, 24/48h forecasts, auto-refreshing from NOAA SWPC
  • Interactive map — latitude-based aurora visibility bands that update with geomagnetic conditions
  • Green Path AI recommendations — 3 nearby dark-sky spots with public transit directions, CO₂ saved vs. solo driving, and dark-sky ratings — only unlocked when Auth0 confirms the user's identity
  • Per-user daily quota — Upstash Redis tracks each Auth0 user's Gemini calls (10/day) using a hashed sub claim as the key

Demo

🔗 Project URL: https://aurora-path.vercel.app/

The dashboard loads with live NOAA data immediately. Click "Find My Green Path" — Auth0 Universal Login appears if you're not signed in. Once authenticated, the AI agent (operating under its own M2M credential) generates sustainable viewing routes near your GPS location.

⚠️ Hackathon Note: Green Path uses Google AI Studio free tier (100 req/day shared). If it returns an error, the daily quota may be exhausted. The Aurora dashboard always works regardless.

Code

klee1611 / AuroraPath

🌌 Carbon-optimized aurora sighting dashboard — Earth Day 2026 Hackathon

AuroraPath 🌌

Sustainable Aurora Viewing — Earth Day Hackathon 2026

A real-time, carbon-optimized dashboard for aurora borealis sightings. Built for the dev.to Earth Day Weekend Challenge.



✨ What It Does

AuroraPath combines live NOAA space weather data with Google Gemini AI to help you:

  1. Track real-time aurora activity — Aurora Visibility Score (AVS), G/R/S-scale meters, solar wind speed
  2. See where auroras are visible — Interactive map with latitude visibility bands that update with geomagnetic conditions
  3. Find sustainable viewing routes — AI-generated "Green Path" recommendations with carbon savings, public transit options, and dark-sky ratings

🧬 Aurora Visibility Score (AVS)

An empirical model based on NOAA space weather indices:

AVS = (G-Scale/5 × 65) + (max(windSpeed - 300, 0)/500 × 25) + forecastBonus

| Score | Level | Meaning |
|---|---|---|
| 80–100 | 🌌 Excellent | Visible at mid-latitudes (≥45°N) |
| 60–79 | ✨ High | Strong activity at high latitudes |
| 35–59 | 🌠 Moderate | Visible at polar regions (≥60°N) |
| 10–34 | 🌃 | |

How I Built It

Architecture

Architecture graph

Two-Layer Auth0 Identity Model

The most interesting architectural decision was treating user identity and AI agent identity as separate concerns:

Layer 1 — User Auth (Regular Web App):

User → Auth0 Universal Login → Session cookie (httpOnly, SameSite)
                                      ↓
/api/green-path checks getSession() → rejects anonymous requests (401)

Layer 2 — Agent Auth (M2M Application):

/api/green-path → Auth0 /oauth/token (client_credentials grant)
                        ↓
                M2M access token → logged as agentId in every response 
                (revocable independently of all user sessions)

Every AI recommendation response includes:

 {
   "agentId": "auth0-m2m|...",
   "generatedAt": "2026-04-19T...",
   "quota": { "remaining": 4, "limit": 5, "resetAt": "..." }
 }

This makes the AI fully auditable: you know who asked (Auth0 user sub) and who acted (Auth0 M2M agent ID) for every call.
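The two layers described above, as an added sketch that is not AuroraPath's own code: the handler rejects anonymous callers first, then obtains the agent's client_credentials token from Auth0's /oauth/token endpoint and fails closed if that identity is unavailable. The names `createAgentTokenProvider` and `authorizeGreenPath`, the `cfg` fields, and the injected `getSession` and `fetchImpl` are hypothetical, chosen so the sketch runs offline with stubs.

```javascript
// Added example, not AuroraPath's code. cfg fields, getSession and fetchImpl
// are hypothetical and injected so the sketch can run offline with stubs.
function createAgentTokenProvider(cfg, fetchImpl, now = Date.now) {
  let cached = null;        // { token, expiresAt }
  const SKEW_MS = 60_000;   // refresh one minute before expiry
  return async function getAgentToken() {
    if (cached && now() < cached.expiresAt - SKEW_MS) return cached.token;
    cached = null;
    const res = await fetchImpl(`https://${cfg.domain}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: cfg.clientId,
        client_secret: cfg.clientSecret,
        audience: cfg.audience,
      }),
    });
    if (!res.ok) throw new Error(`agent token request failed: ${res.status}`);
    const body = await res.json();
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  };
}

// Layer 1 (user) then layer 2 (agent); either failure stops the request
// before any model call is made.
async function authorizeGreenPath(req, getSession, getAgentToken) {
  const session = await getSession(req);
  if (!session || !session.user) return { status: 401, error: "login required" };
  try {
    const agentToken = await getAgentToken();
    return { status: 200, userSub: session.user.sub, agentToken };
  } catch (err) {
    // Fail closed: a rotated or revoked M2M credential disables the agent
    // without touching the user's session.
    return { status: 503, error: "agent identity unavailable" };
  }
}
```

Because the token is cached, revoking the M2M credential takes effect at the next refresh, so the access-token lifetime bounds that delay.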

Aurora Visibility Score (AVS)

Rather than showing raw space-weather indices, a deterministic scoring model converts them to a 0–100 scale:

AVS = (G-Scale/5 × 65) + (max(windSpeed − 300, 0)/500 × 25) + forecastBonus
  • G-Scale (65% weight) — NOAA's geomagnetic storm index, the primary aurora driver
  • Solar wind speed (25% weight) — elevated wind (>300 km/s) correlates with aurora enhancement
  • Forecast bonus (+3–5 pts) — rewards stable or improving 24h conditions

The AVS gates the Green Path feature: users below AVS 10 ("None" activity) cannot trigger AI recommendations — there's no point generating eco-travel routes when there's nothing to see.

Gemini Green Path

The Gemini prompt injects the AVS score, G-scale, and reverse-geocoded region (resolved server-side to protect user GPS privacy), then requests structured JSON directly — no markdown parsing needed. Before any Gemini call:

  1. Auth0 session verified (user layer)
  2. Auth0 M2M token fetched (agent layer)
  3. Upstash Redis quota checked (ratelimit:{sha256(userId)[0:32]}:{YYYY-MM-DD})
  4. Input sanitized (sanitizeRegion() strips control chars, caps at 100 chars)
  5. Gemini called with 30s timeout
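Steps 3 and 4 above, as an added sketch that is not the project's own code: it builds the `ratelimit:{sha256(userId)[0:32]}:{YYYY-MM-DD}` key, sanitizes the region string, and enforces the daily limit with an increment-then-compare counter. `quotaKey` and `consumeQuota` are hypothetical names, the body of `sanitizeRegion` is written for this example, and the hex digest, UTC date and in-memory `Map` (standing in for Redis) are assumptions.

```javascript
// Added example, not AuroraPath's code. Assumptions: hex digest, UTC date,
// and a Map standing in for the Redis counter (the dev fallback the page mentions).
const { createHash } = require("node:crypto");

// ratelimit:{sha256(userId)[0:32]}:{YYYY-MM-DD}
function quotaKey(userSub, date = new Date()) {
  const digest = createHash("sha256").update(userSub, "utf8").digest("hex");
  return `ratelimit:${digest.slice(0, 32)}:${date.toISOString().slice(0, 10)}`;
}

// Remove control characters, then cap at 100 code points, before the region
// string is interpolated into the model prompt.
function sanitizeRegion(input) {
  const cleaned = String(input ?? "").replace(/\p{Cc}/gu, "").trim();
  return Array.from(cleaned).slice(0, 100).join("");
}

// Increment first, compare second: the same shape as an atomic INCR on a
// shared counter, so concurrent requests cannot both pass on the last call.
function consumeQuota(store, userSub, limit = 10, date = new Date()) {
  const key = quotaKey(userSub, date);
  const used = (store.get(key) ?? 0) + 1;
  store.set(key, used);
  return { allowed: used <= limit, remaining: Math.max(limit - used, 0), limit };
}
```

An unkeyed hash keeps the raw sub out of the key but can be recomputed by anyone who knows a sub; an HMAC with a server-side secret avoids that. Stripping control characters and capping length bounds the input but does not by itself neutralize instructions written in printable text.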

Security Hardening

Full 7-phase audit conducted:

  • Per-user Gemini quota via Upstash Redis (hashed sub, in-memory fallback for dev)
  • IP rate limiting (30 req/min) on public /api/aurora
  • Server-side Nominatim proxy — raw GPS never leaves the server
  • 5 HTTP security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • CORS restricted to own AUTH0_BASE_URL origin

Prize Categories

🔐 Best Use of Auth0 for Agents - AuroraPath implements the full Auth0 for Agents pattern: a dedicated M2M application gives the Gemini AI orchestrator its own managed identity, completely decoupled from user auth.
Every AI recommendation is traceable to both a human (user.sub) and a machine (agentId). The M2M credential can be rotated or revoked without impacting any user session. The per-user daily quota uses the Auth0 sub claim (SHA-256 hashed) as the Redis key — Auth0 identity drives resource governance end-to-end.

Best Use of Google Gemini - Gemini 1.5 Flash powers the Green Path feature — generating 3 location-aware sustainable aurora viewing recommendations as structured JSON, dynamically conditioned on the live AVS score and geomagnetic context. The model is only invoked after passing both Auth0 authentication layers and the Upstash quota check.
