AI Project Manager with Auth0 for AI Agents

This is a submission for the Auth0 for AI Agents Challenge

What I Built

AI Project Manager is a secure, enterprise-ready agentic AI application that demonstrates how to build production-grade AI agents with proper authentication, authorization, and API access control using Auth0 for AI Agents.

Demo

• GitHub Repository: Repository
• Live Demo: Demo

How I Used Auth0 for AI Agents

This project leverages all four pillars of Auth0 for AI Agents to create a comprehensive security layer:

1. 🔐 Universal Login (User Authentication)

Implementation:

// client/js/auth0-spa-client.js
const auth0Client = await createAuth0Client({
  domain: 'genai-8649882471415737.us.auth0.com',
  clientId: 'A7kUmty4eQnifEG9zjRjTaAa3wjWTzyO',
  authorizationParams: {
    redirect_uri: window.location.origin + '/callback',
    audience: 'https://api.ai-project-manager.com',
    scope: 'openid profile email read:projects write:projects manage:calendar'
  }
});

2. 🔑 Token Vault (Secure API Access)

Implementation:

// Server-side token retrieval
app.get('/api/tokens/:service', jwtCheck, async (req, res) => {
  const { service } = req.params;
  const userId = req.auth.sub;

  const token = await tokenVault.getToken(userId, service);
  res.json({ token, service });
});

// AI agent uses managed tokens
async function getCalendarEvents() {
  const { token } = await makeAuthenticatedRequest('/api/tokens/google-calendar');
  const events = await googleCalendar.getEvents(token);
  return events;
}

3. 🛡️ Fine-Grained Authorization (FGA)

Implementation:

// Check permissions before AI agent actions
const permissions = await getUserPermissions(userId);
if (!permissions.includes('manage:projects')) {
  throw new Error('Unauthorized');
}

// FGA permission check before RAG retrieval
const { allowed } = await fgaClient.check({
  user: `user:${userId}`,
  relation: 'viewer',
  object: 'document:sensitive-project-data'
});

if (allowed) {
  const context = await retrieveFromVectorDB('sensitive-project-data');
  const response = await llm.generate({ context, prompt });
  return response;
} else {
  return "Access denied: You don't have permission to view this document.";
}

4. ⏳ Asynchronous Authorization

Implementation:

// Request async approval for critical operation
app.post('/api/async-approval', jwtCheck, async (req, res) => {
  const { action, details } = req.body;
  const userId = req.auth.sub;

  // Initiate CIBA flow
  const authReqId = await cibaClient.initiateAuth({
    login_hint: userId,
    binding_message: `Approve: ${action}`,
    user_code: generateUserCode()
  });

  res.json({ 
    auth_req_id: authReqId,
    status: 'pending',
    message: 'Check your authenticator app to approve this action'
  });
});

// AI agent waits for approval
async function deleteAllProjects() {
  const approval = await requestAsyncApproval('delete_all_projects');
  if (approval.approved) {
    await deleteProjects();
    return 'Projects deleted successfully';
  }
  return 'Operation cancelled by user';
}

---

Lessons Learned and Takeaways

1. Auth0 SPA SDK vs. Regular Web Application

• Challenge: Initial setup used "Regular Web Application" type, causing client secret exposure and redirect issues
• Solution: Switched to "Single Page Application" type and removed client-side secret handling
• Lesson: Always use the correct Auth0 application type for your architecture. SPAs require different security patterns than server-rendered apps.

2. Token Vault Integration Complexity

• Challenge: Managing OAuth flows for multiple third-party services (Google, Slack) while keeping tokens secure
• Solution: Centralized token management through Auth0 Token Vault with server-side token retrieval
• Lesson: Token Vault eliminates the need to implement custom OAuth handlers for each service, dramatically reducing security surface area.

3. FGA Performance at Scale

• Challenge: Permission checks on every RAG document retrieval could become a bottleneck
• Solution: Implemented caching strategy with TTL-based invalidation and bulk permission checks
• Lesson: FGA authorization checks are fast (~10-50ms), but strategic caching can reduce latency for high-throughput applications.

4. Async Authorization UX Design

• Challenge: Making asynchronous approval flows intuitive without blocking the user
• Solution: Real-time status updates, clear messaging, and timeout handling
• Lesson: Async auth is powerful but requires careful UX design. Users need clear feedback on pending approvals and fallback options.