Inspiration

Every AI agent demo I watched had the same blind spot: the agent was given raw OAuth tokens, called APIs freely, and logged nothing. The IETF literally marked this gap as "TODO Security" in their AI agent auth draft. I wanted to build the thing the spec left blank.

What it does

AgentGate enforces a 5-gate security pipeline on every agent action:

  1. Identity — SPIFFE cryptographic ID + signed JWT. No anonymous agents.
  2. Intent — AuthZEN 4-tuple parsing: who, what, where, context.
  3. Policy — OPA rule evaluation: ALLOW / ESCALATE / DENY.
  4. Consent — Auth0 CIBA push notification for human approval on sensitive actions.
  5. Token — Auth0 Token Vault issues a scoped, 60-second credential. The agent never sees the raw OAuth token.

Every decision is SHA-256 hash-chained into a tamper-evident audit trail. One npm package. Any agent framework.
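As an added illustration of the hash-chained audit trail described above (example code written for this page, not AgentGate's own implementation; the entry fields, the canonical serialisation and the all-zero genesis value are assumptions), the following TypeScript appends decisions to a SHA-256 chain and verifies it, showing that both a silent edit of a past record and an edit with a recomputed hash are detected:

```typescript
import { createHash } from "node:crypto";

// Shape of one audit entry. Field names are assumptions for this example,
// not AgentGate's own schema.
export interface AuditEntry {
  seq: number;
  timestamp: string;
  agentId: string;
  action: string;
  decision: "ALLOW" | "ESCALATE" | "DENY";
  prevHash: string;
  hash: string;
}

// Assumed genesis link for the first entry.
const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation of the fields covered by the hash. Fixed key order
// means the same entry always hashes to the same value.
function canonical(e: Omit<AuditEntry, "hash">): string {
  return JSON.stringify([e.seq, e.timestamp, e.agentId, e.action, e.decision, e.prevHash]);
}

export function computeHash(e: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

function withoutHash(e: AuditEntry): Omit<AuditEntry, "hash"> {
  return { seq: e.seq, timestamp: e.timestamp, agentId: e.agentId, action: e.action, decision: e.decision, prevHash: e.prevHash };
}

// Append a decision to the chain, linking it to the previous entry's hash.
export function appendEntry(
  chain: AuditEntry[],
  fields: { timestamp: string; agentId: string; action: string; decision: AuditEntry["decision"] },
): AuditEntry {
  const prevHash = chain.length === 0 ? GENESIS_HASH : chain[chain.length - 1].hash;
  const partial = { seq: chain.length, prevHash, ...fields };
  const entry: AuditEntry = { ...partial, hash: computeHash(partial) };
  chain.push(entry);
  return entry;
}

// Verify the whole chain: every stored hash must match the recomputed one and
// every prevHash must equal the previous entry's hash. Returns the index of
// the first bad entry, or -1 if the chain is intact.
export function verifyChain(chain: AuditEntry[]): number {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.seq !== i || e.prevHash !== expectedPrev || computeHash(withoutHash(e)) !== e.hash) {
      return i;
    }
    expectedPrev = e.hash;
  }
  return -1;
}

// Constructed sample decisions, used to show that editing a past record breaks
// the chain at or after the edited entry.
export function demo(): { intactBefore: boolean; firstBadAfterTamper: number; firstBadAfterRehash: number } {
  const chain: AuditEntry[] = [];
  const agentId = "spiffe://example.org/agent/billing"; // constructed identity
  appendEntry(chain, { timestamp: "2024-01-01T00:00:00Z", agentId, action: "gmail:messages.read", decision: "ALLOW" });
  appendEntry(chain, { timestamp: "2024-01-01T00:00:05Z", agentId, action: "gmail:messages.send", decision: "ESCALATE" });
  appendEntry(chain, { timestamp: "2024-01-01T00:00:09Z", agentId, action: "github:repos.delete", decision: "DENY" });
  const intactBefore = verifyChain(chain) === -1;

  // Tamper 1: flip a past decision without touching its hash.
  chain[1].decision = "ALLOW";
  const firstBadAfterTamper = verifyChain(chain);

  // Tamper 2: re-hash the edited entry so it looks self-consistent; the next
  // entry's prevHash now points at a hash that no longer exists in the chain.
  chain[1].hash = computeHash(withoutHash(chain[1]));
  const firstBadAfterRehash = verifyChain(chain);

  return { intactBefore, firstBadAfterTamper, firstBadAfterRehash };
}

console.log(JSON.stringify(demo()));
```

The in-memory array stands in for the Neon PostgreSQL table the page mentions. Note the limit of the scheme: a chain like this proves that nothing in the middle was altered, but it cannot by itself prove that entries were not dropped from the tail; for that, the latest hash has to be anchored somewhere the writer of the log cannot rewrite (a signed checkpoint, a separate store, or the dashboard's last-seen head).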

How we built it

  • Next.js 14 API routes for the 5-gate pipeline and dashboard
  • Auth0 for CIBA consent flows and Token Vault credential isolation
  • SPIFFE for cryptographic agent identity
  • OPA for policy evaluation with natural language compilation
  • Neon PostgreSQL for agent registry and audit trail persistence
  • Upstash Redis for real-time event streaming to the dashboard
  • Vercel for deployment — the npm SDK points to the live app by default

Challenges we ran into

Token Vault + cascade revocation was the hardest problem. When PANIC is triggered, every Token Vault credential ever issued needs to be invalidated — not just the agent's identity token. Wiring that through the Auth0 Management API while keeping the revocation atomic took the most iteration.

Real-time dashboard without WebSockets — Vercel's serverless environment doesn't support persistent connections. We built a server-sent events polling fallback that gives the dashboard a live feel without needing a dedicated socket server.

Agent JWT expiry vs Token Vault TTL — agent identity tokens are long-lived, but Token Vault credentials are 60 seconds. Getting that boundary right without forcing agents to re-register on every call required careful JWT claims design.

Accomplishments that we're proud of

  • Full end-to-end flow: npm install → register → authorize → appears in dashboard in real-time
  • All 5 gates running in production at agent-gate-theta.vercel.app
  • Published npm package @damitha-perera/agentgate that works with any HTTP-capable agent framework
  • Hash-chain audit trail that is mathematically verifiable in the dashboard

What we learned

  • Multi-tenant support so teams can share a dashboard
  • Policy templates for common frameworks (CrewAI, LangGraph)
  • Webhook callbacks when consent is approved or denied
  • OpenTelemetry export for the audit trail

What's next for AgentGate

Why Token Vault Was the Missing Piece in Agent Authorization

When I started building AgentGate, the hardest problem wasn't the policy engine or the audit trail — it was credentials. Specifically: how do you give an AI agent access to Gmail, GitHub, or Slack without handing it a raw OAuth token it can exfiltrate, replay, or leak in a prompt injection attack?

Every agent framework I looked at had the same implicit answer: just pass the token as an environment variable and trust the agent not to misuse it. That's not security — that's hope.

Token Vault changed everything.

The key insight is that agents should never see the actual OAuth token. Instead, AgentGate's Gate 5 calls Auth0 Token Vault after the policy check passes, and issues a scoped, time-limited credential with a 60-second TTL. The agent gets a tvault_* reference token that only works for the specific service and operation it just requested authorization for. When the TTL expires, it's gone. If the agent is revoked, all downstream Token Vault credentials are destroyed instantly.

The trickiest part was wiring Token Vault into the cascade revocation flow — when a PANIC is triggered, we needed to invalidate not just the agent's SPIFFE identity token but every Token Vault credential it had ever received. Auth0's Management API made this tractable.

The broader insight for the Auth0 community: credential isolation is the hardest unsolved problem in agent security, and Token Vault is the first production-ready answer I've seen. The pattern — authorize first, issue a scoped short-lived credential only after all gates pass — should become the standard for every agentic system that touches user data.

AgentGate is open source. The Token Vault integration lives in lib/auth0/token-vault.ts.


Built With

  • auth0
  • auth0-ciba
  • auth0-guardian
  • auth0-token-vault
  • drizzle-orm
  • neon-postgresql
  • next.js
  • node.js
  • npm
  • opa
  • spiffe
  • tailwind-css
  • typescript
  • upstash-redis
  • vercel