Peace Thabiwa

MINDKEY — Secure AI Memory Vault

Auth0 for AI Agents Challenge Submission

MINDKEY is a privacy-first AI Memory Vault. It gives humans a way to own, authorize, share, and erase their AI memories across devices and agents.

Auth0 secures humans and the memory-reading agents with Universal Login + MFA.

Auth0 FGA (Fine-Grained Authorization) enforces who/what can access which memories.

Each memory is encrypted, time-labeled, and portable across apps/agents.

Users can grant a therapist’s agent read-only, their writing agent read/write, and their “AI clone” no-access (or vice-versa) — all enforced by policy.

Demo

Live (prototype): https://mindkey-demo.vercel.app (swap with your URL)

Repo: https://github.com/sageworks-ai/mindkey

Test user: demo@mindkey.ai / Auth0Demo@123

Demo flow: Login → create notes/chats → label memories → share a subset with “WriterAgent” → watch FGA block a forbidden read.

How I Used Auth0 for AI Agents

Universal Login (+ social login) to authenticate users and memory-agents.

Token Vault to issue scoped tokens to agent tools (no hardcoded API keys).

FGA to gate memory access at document/paragraph/message level.

Asynchronous Authorization (CIBA) to request human consent before an agent exports memories to another app.

Architecture

Auth: Auth0 (OIDC, MFA) + Auth0 FGA for relationship-based rules

LLM: GPT with memory adapters (LangChain)

Store: Encrypted vector DB (pgvector / Qdrant) + object store (S3/IPFS)

API: Next.js / FastAPI (JWT enforced)

UI: Next.js + Tailwind

Key Policies (FGA examples)

subject = agent:{writer|therapist|clone}-{userId}

object = memory:{memoryId}

relations: viewer, editor, owner

The model as posted referenced `writer_agent` and `therapist_agent` from `memory` without defining them there, and had no `user` type or schema header, so it would not load. The version below keeps the same relations and adds what the OpenFGA DSL requires; the agent grants live on `memory`, so the subject ids from the FGA check (`agent:{writer|therapist|clone}-{userId}`) can be written directly as tuples:

```
model
  schema 1.1

type user

type agent
  relations
    define writer_agent: [user]
    define therapist_agent: [user]

type memory
  relations
    define owner: [user]
    # per-memory grants to an agent; no tuple means no access (the "clone" case)
    define writer_agent: [agent]
    define therapist_agent: [agent]
    define viewer: owner or writer_agent
    define editor: owner or therapist_agent
```

Agent Tool Stubs (TypeScript)

```typescript
type Args = { agentId: string; memoryId: string; userJwt: string };
// auth0, fga and vault are the app's own clients, imported elsewhere
export async function readMemory({ agentId, memoryId, userJwt }: Args) {
  await auth0.verify(userJwt, { scope: "mem:read" }); // scope check before any policy lookup
  // the check resolves to { allowed } (OpenFGA SDK shape); a false result must block the read
  const { allowed } = await fga.check({ subject: `agent:${agentId}`, relation: "viewer", object: `memory:${memoryId}` });
  if (!allowed) throw new Error(`agent ${agentId} may not view memory ${memoryId}`);
  return vault.readEncrypted(memoryId);
}
```
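To show the policy section and the tool stub working together end to end, here is an added example (not code from the MINDKEY repository): an in-memory stand-in for the Auth0 FGA check that evaluates the post's model (`viewer = owner or writer_agent`, `editor = owner or therapist_agent`) over relationship tuples, plus read/write tool functions that touch the vault only when both the token scope and the FGA decision allow it. `LocalFga`, `MemoryVault`, `Claims` and every id in the scenario are constructed for the example; the real project would send the same check to the FGA API.

```typescript
// Added example, not code from the MINDKEY repo: an in-memory stand-in for the
// Auth0 FGA check that evaluates the post's model
//   memory.viewer = owner or writer_agent
//   memory.editor = owner or therapist_agent
// over relationship tuples, plus read/write tool functions that touch the vault
// only when both the token scope and the FGA decision allow it. LocalFga,
// MemoryVault, Claims and all ids below are constructed for this example.

type Subject = `user:${string}` | `agent:${string}`; // agent:{writer|therapist|clone}-{userId}
type MemoryId = `memory:${string}`;
type DirectRelation = "owner" | "writer_agent" | "therapist_agent";
type Relation = DirectRelation | "viewer" | "editor";
interface Tuple { user: Subject; relation: DirectRelation; object: MemoryId }

class LocalFga {
  private tuples: Tuple[] = [];
  write(t: Tuple): void { this.tuples.push(t); }
  // Revocation (and "erase") is tuple deletion: no tuple, no access.
  delete(t: Tuple): void {
    this.tuples = this.tuples.filter(
      (x) => !(x.user === t.user && x.relation === t.relation && x.object === t.object));
  }
  private direct(user: Subject, relation: DirectRelation, object: MemoryId): boolean {
    return this.tuples.some((x) => x.user === user && x.relation === relation && x.object === object);
  }
  // Computed relations are unions, exactly as the DSL's `or` spells them out.
  check(user: Subject, relation: Relation, object: MemoryId): { allowed: boolean } {
    switch (relation) {
      case "viewer": return { allowed: this.direct(user, "owner", object) || this.direct(user, "writer_agent", object) };
      case "editor": return { allowed: this.direct(user, "owner", object) || this.direct(user, "therapist_agent", object) };
      default: return { allowed: this.direct(user, relation, object) };
    }
  }
}

// Claims from an access token the Auth0 SDK has already verified; only `sub`
// and the space-separated `scope` matter here.
interface Claims { sub: Subject; scope: string }

function requireScope(claims: Claims, needed: string): void {
  if (!claims.scope.split(" ").includes(needed)) throw new Error(`token lacks scope ${needed}`);
}

class MemoryVault {
  private store = new Map<MemoryId, string>();
  private fga: LocalFga;
  constructor(fga: LocalFga) { this.fga = fga; }
  // Fail closed: a denied check throws instead of returning an empty memory.
  read(claims: Claims, id: MemoryId): string {
    requireScope(claims, "mem:read");
    if (!this.fga.check(claims.sub, "viewer", id).allowed) throw new Error(`${claims.sub} is not a viewer of ${id}`);
    return this.store.get(id) ?? "";
  }
  write(claims: Claims, id: MemoryId, text: string): void {
    requireScope(claims, "mem:write");
    if (!this.fga.check(claims.sub, "editor", id).allowed) throw new Error(`${claims.sub} is not an editor of ${id}`);
    this.store.set(id, text);
  }
}

// Constructed scenario: one user, three agents, one memory. Returns which
// calls succeeded so the outcomes can be inspected (or asserted on).
export function demoScenario(): Record<string, boolean> {
  const fga = new LocalFga();
  const vault = new MemoryVault(fga);
  const mem: MemoryId = "memory:m1";
  const owner: Claims = { sub: "user:u1", scope: "mem:read mem:write" };
  const writer: Claims = { sub: "agent:writer-u1", scope: "mem:read mem:write" };
  const therapist: Claims = { sub: "agent:therapist-u1", scope: "mem:read mem:write" };
  const clone: Claims = { sub: "agent:clone-u1", scope: "mem:read mem:write" };
  const readOnlyOwner: Claims = { sub: "user:u1", scope: "mem:read" };

  fga.write({ user: "user:u1", relation: "owner", object: mem });
  fga.write({ user: "agent:writer-u1", relation: "writer_agent", object: mem });
  fga.write({ user: "agent:therapist-u1", relation: "therapist_agent", object: mem });
  vault.write(owner, mem, "2025-01-01 session notes");

  const ok = (fn: () => unknown): boolean => { try { fn(); return true; } catch { return false; } };
  const before = {
    ownerReads: ok(() => vault.read(owner, mem)),
    ownerWritesWithoutScope: ok(() => vault.write(readOnlyOwner, mem, "x")), // scope gate, not FGA
    writerReads: ok(() => vault.read(writer, mem)),
    writerWrites: ok(() => vault.write(writer, mem, "x")),
    therapistWrites: ok(() => vault.write(therapist, mem, "y")),
    therapistReads: ok(() => vault.read(therapist, mem)), // editor does not imply viewer in this model
    cloneReads: ok(() => vault.read(clone, mem)), // no tuple at all
  };
  fga.delete({ user: "agent:writer-u1", relation: "writer_agent", object: mem }); // revoke the share
  return { ...before, writerReadsAfterRevoke: ok(() => vault.read(writer, mem)) };
}
```

Two things worth noticing when running it. First, the scope gate and the FGA gate are independent layers: the owner with a `mem:read`-only token is refused a write before the policy is consulted at all. Second, the model as written in the post does not fold `editor` into `viewer`, so the therapist agent can write the memory but cannot read it; if an agent with read/write access is meant to read as well, `viewer` needs to become `owner or writer_agent or editor`, and the same check in `LocalFga` would change accordingly.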

Lessons Learned

Identity before intelligence: agents need auth boundaries to be useful.

FGA made “share just this part” actually doable.

Time-labeled, user-portable memory is the future of humane AI.
