Inspiration

AI agents can move fast on ad accounts—but handing them long-lived OAuth tokens is risky. We built AdBrain for the Authorized to Act: Auth0 for AI Agents hackathon to show how enterprise-style identity (Token Vault, progressive consent, and step-up MFA) can sit in front of real ad APIs, so optimization stays fast without sacrificing control.

What it does

AdBrain is an AI ad campaign assistant for Google Ads and Meta Ads. It connects accounts through Auth0 Connected Accounts + Token Vault, surfaces a unified dashboard, and generates optimization proposals with plain-language reasoning. Nothing executes without user approval; high-risk actions require MFA (step-up) before they can proceed. Users can review scopes, disconnect accounts, and inspect an audit timeline (token exchange, API calls, approvals, MFA).

How we built it

  • Frontend: React 18 + TypeScript + Vite, Tailwind CSS, Radix UI, PWA-ready tooling (vite-plugin-pwa), Recharts for performance views, @auth0/auth0-react for Universal Login.
  • API & security path: Go 1.22 on Vercel Serverless for authenticated routes, Auth0 session/token handling, RFC 8693-style token exchange against Auth0, and a proxy to Google Ads / Meta APIs so ad tokens stay server-side.
  • Agent: LangGraph.js (stateless graph, no long-lived checkpoint on the serverless path) with xAI Grok via LangChain, Gemini as a fallback, structured outputs validated with Zod.
  • Data & ops: Vercel KV for proposal-related persistence where configured; Vercel Analytics & Speed Insights for product telemetry; GitHub Actions for CI/CD; Terraform for infrastructure and Auth0-oriented automation as described in our design docs.

Architecture and threat-model details live in our repo under docs/design.md and docs/requirements.md.

Challenges we ran into

  • Consent vs. convenience: Separating login scopes (email, profile) from ad API scopes (e.g. Google adwords, Meta ads_management) so users see progressive consent without a scary first screen.
  • Serverless + LLM + external APIs: Keeping invocations within timeouts while still calling Token Vault, ad APIs, and the LLM—leading to a deliberately stateless LangGraph design and careful error handling when tokens expire.
  • Human-in-the-loop that feels real: Making risk levels, MFA, and audit entries understandable in the UI—not just backend logs.

Accomplishments that we're proud of

  • End-to-end security story: Token Vault + Connected Accounts + step-up MFA wired to real approval flows in the product—not only in diagrams.
  • Cross-platform agent: One flow analyzes Google + Meta together and explains why a change is suggested.
  • Production-minded delivery: CI/CD, infra-as-code, observability hooks, and documentation that map cleanly to hackathon judging criteria.

What we learned

Auth0’s Token Vault and token exchange patterns are a practical way to let an agent “act on behalf of” a user without ever holding classic long-lived refresh tokens in app code the same way a naive OAuth integration would. Pairing that with explicit UI for scopes, revocation, and MFA for high-risk actions is how you keep agentic UX trustworthy.

What's next for AdBrain

  • Deeper live campaign execution paths and richer proposal lifecycle (with stronger idempotency and rollbacks).
  • Additional ad platforms (e.g. TikTok Ads) using the same Connected Accounts pattern.
  • Tighter Auth0 Log Streams / SIEM-friendly audit exports for teams.

Bonus Blog Post

I wrote a Medium article that documents three production-grade patterns we used with Auth0 around secure AI agents:

Building Secure AI Agents with Auth0: Three Patterns from Production

Built With

  • analytics
  • auth0-(universal-login
  • auth0/auth0-react
  • connected-accounts
  • github-actions
  • go
  • google-ads-api
  • google-gemini-(llm-fallback)
  • langchain.js
  • langgraph.js
  • management-api)
  • meta-marketing-api-(graph-api)
  • mfa-/-step-up
  • radix-ui
  • react
  • react-router
  • serverless-functions
  • speed-insights)
  • tailwind-css
  • terraform
  • token-vault
  • typescript
  • vercel-(hosting
  • vercel-kv
  • vite
  • vitest
  • xai-grok-api
  • zod
Share this project:

Updates