Resume AI Creator: Building an Intelligent Resume Platform with MCP and Auth0

This is a submission for the Auth0 for AI Agents Challenge

What I Built

I built Resume AI Creator, an intelligent resume management platform that leverages the Model Context Protocol (MCP) to enable AI agents to create, manage, and optimize professional resumes through natural language conversations. The application solves the problem of tedious resume creation by allowing users to interact with AI agents that understand context and can intelligently structure work history, projects, and achievements.

The platform features:

• AI-Powered Resume Creation: Natural language interface for building resumes via MCP tools
• Structured Data Management: PostgreSQL database with relational tables for resumes, work history, projects, and achievements
• Multi-Provider AI Support: Integration with OpenRouter, Google Gemini, and OpenAI for flexible AI capabilities
• Secure Authentication: Auth0-based user authentication with session management
• API Key Management: Secure storage and validation of API keys for external integrations
• Real-time Updates: Modern React 19 UI with Next.js 15 App Router

Demo

Repository: GitHub - resume-ai-creator-mcp

Web demo: https://resume-chatgpt-apps.vercel.app/

The application exposes 6 MCP tools that AI agents can use:

• create-resume - Create new resumes with structured data
• update-resume - Modify existing resumes
• get-resume - Retrieve resume details
• list-resumes - List all user resumes
• delete-resume - Remove resumes with cascading deletes
• draft-create-resume - Preview resumes before creation

Tech Stack:

• Next.js 15.3.5 with React 19
• xmcp 0.3.4 for MCP server implementation
• Drizzle ORM with PostgreSQL (Neon)
• TailwindCSS 4.1 for styling
• TypeScript 5.9 for type safety
• Vercel AI SDK for multi-provider support

How I Used Auth0 for AI Agents

Auth0 plays a critical role in securing both the web application and the MCP server endpoints. Here's how I implemented it:

1. User Authentication Flow

I integrated Auth0's Next.js SDK (@auth0/nextjs-auth0) to handle user authentication:

• Users authenticate via Auth0's Universal Login
• Sessions are stored in encrypted HTTP-only cookies
• The middleware validates sessions on every protected route

2. Protected MCP Endpoints

The MCP server runs as a Next.js API route, and I secured it using Auth0 middleware:

// middleware.ts
export async function middleware(request: NextRequest) {
  const protectedPaths = ['/api/resumes', '/api/api-keys', '/resumes'];
  const isProtected = protectedPaths.some(path => 
    request.nextUrl.pathname.startsWith(path)
  );

  if (isProtected) {
    const session = await auth0.getSession(request);
    if (!session) {
      return NextResponse.redirect(new URL('/api/auth/login', request.url));
    }
  }
}

3. User Context in MCP Tools

Each MCP tool extracts the authenticated user ID from the Auth0 session to ensure data isolation:

// src/tools/create-resume.ts
export async function handler(args: InferSchema<typeof schema>, extra: any) {
  const userId = getUserIdFromExtra(extra);

  const resume = await createResume({
    userId,
    name: args.name,
    title: args.title,
    // ... other fields
  });

  return { success: true, resumeId: resume.id };
}

4. API Key Authentication for AI Agents

I implemented a secondary authentication layer for AI agents using API keys stored in the database:

• Users can generate API keys through the web UI
• API keys are validated against the api_keys table
• Each key is associated with a specific Auth0 user ID
• Last usage timestamps track API key activity

5. Session Management

Auth0's session handling ensures:

• Automatic token refresh for long-running AI agent sessions
• Secure cookie storage with encryption
• CORS support for cross-origin MCP requests
• Graceful error handling with automatic re-authentication

The combination of Auth0's robust authentication and MCP's tool-based architecture creates a secure environment where AI agents can operate on behalf of authenticated users without compromising security.

Lessons Learned and Takeaways

Building this project taught me several valuable lessons about AI agents, authentication, and modern web development:

1. MCP is a Game-Changer for AI Integration

The Model Context Protocol provides a standardized way for AI agents to interact with applications. Instead of building custom APIs for each AI provider, MCP tools are universally accessible. The xmcp library made it incredibly easy to expose Next.js API routes as MCP endpoints with just a config file.

2. Authentication for AI Agents is Different

Traditional user authentication doesn't translate directly to AI agents. I learned to implement a dual authentication system:

• User-facing: Auth0 for web UI and session management
• Agent-facing: API keys for programmatic access with user context

This hybrid approach ensures security while maintaining the flexibility AI agents need.

3. Database Schema Design Matters

Using Drizzle ORM with a relational schema (resumes → work_history, projects, achievements) made it easy to structure complex resume data. The cascading deletes ensure data integrity, and TypeScript types generated from the schema eliminate runtime errors.

4. Challenges Faced

• Session Cookie Issues: Auth0's encrypted cookies initially caused JWE errors. I fixed this by only validating sessions on protected routes, not on every request.
• MCP Tool Parameter Validation: Ensuring AI agents pass correctly structured data required careful Zod schema design with descriptive field annotations.
• Multi-Provider AI Support: Different AI providers have varying capabilities. Using the Vercel AI SDK abstracted these differences.

5. Key Insights

• Fish Shell Syntax: Standardizing on Fish shell for all terminal commands improved consistency across development workflows.
• Bun for Performance: Using Bun as the primary package manager significantly reduced install times and improved dev server startup.
• Conventional Commits with Emojis: Implementing a structured commit message format (✨ feat, 🔧 fix, etc.) made the Git history much more readable.

6. Advice for Other Developers

• Start with a clear database schema before building MCP tools
• Use TypeScript everywhere—it catches errors before they reach production
• Test MCP tools with multiple AI providers to ensure compatibility
• Implement proper error handling in middleware to avoid cryptic authentication failures
• Use Drizzle Studio (bun run db:studio) for visual database management during development

This project demonstrated that combining Auth0's enterprise-grade authentication with MCP's AI-native architecture creates powerful, secure applications that feel magical to use. The future of software is conversational, and tools like these are paving the way.