AI Financial Guardian

AI Finance Guardian: Auth0 Token Vault delegates banking API access server-side; Ollama runs local AI. Agents act only when authorized—secrets never reach the browser.

Comment

Inspiration

We were inspired by a fundamental tension in modern AI applications:

Users want agents that can perform real actions across real services, but they do not want to expose long-lived secrets or enable over-privileged automation.

As local-first AI became more accessible, this tension became sharper. Running models locally improves privacy, but introduces a key challenge:

How can an AI system securely access external APIs on behalf of a user?

This led us to build AI Financial Guardian, where:

  • Auth0 manages identity and secure delegation
  • Local AI performs financial reasoning

Our guiding principle:

  • Keep users in control
  • Keep tokens out of the browser
  • Enable meaningful, secure agent actions

What it does

AI Financial Guardian is a web application that:

  • Authenticates users using Auth0
  • Fetches transaction data through a backend API
  • Uses local AI (Ollama) to detect and explain suspicious financial activity
  • Enables sensitive actions (like freezing a card) behind a step-up authorization flow
  • Maintains an audit trail for high-impact decisions

At the security layer:

  • Tokens are never exposed to the frontend
  • The backend uses Auth0 Token Vault to securely retrieve delegated credentials
  • All third-party API calls are executed server-side

How we built it

We implemented the system as a TypeScript monorepo:

Frontend

  • Next.js
  • Auth0 SDK for authentication and session handling

Backend

  • Express.js API
  • JWT validation
  • Token Vault integration
  • Secure action endpoints
  • Audit logging

AI Layer

  • Ollama for local inference
  • Structured JSON output handling
  • Fallback mechanisms for reliability

Mock Banking API

  • Local service for deterministic demos and testing

Key Architecture Decisions

  1. Identity and delegation separation
    We separated who the user is from what the agent can access.

  2. Server-side token handling
    All tokens are retrieved and used only on the backend.

  3. Resilient AI pipeline
    We moved to per-transaction analysis with bounded concurrency and fallback logic.

Challenges we ran into

1) AI reliability under latency constraints
Large prompts caused timeouts and inconsistent outputs.
We solved this by reducing prompt size and processing transactions individually.

2) Output normalization
LLM outputs sometimes missed required identifiers.
We added strict parsing, normalization, and fallback mapping.

3) Security vs demo tradeoffs
We needed a system that works locally while reflecting real-world security.
We implemented both mock mode and real Token Vault integration.

4) Agent authorization semantics
Sensitive actions required explicit user intent.
We introduced step-up authentication and audit logging.

Accomplishments that we're proud of

  • Built a secure AI agent system without exposing user credentials
  • Successfully integrated Auth0 Token Vault for delegated authorization
  • Designed a practical and resilient local AI pipeline
  • Implemented step-up authentication for sensitive actions
  • Created a complete end-to-end workflow from detection to action

What we learned

We learned that secure AI systems are primarily an identity and authorization problem.

A useful mental model:

$$ \text{Risk} \propto \text{Privilege} \times \text{Exposure} \times \text{Persistence} $$

  • Token Vault reduces exposure and persistence of credentials
  • Scoped delegation reduces excessive privilege

We also learned that local AI can be effective when supported by:

  • Controlled workloads
  • Structured outputs
  • Reliable fallback mechanisms

What's next for AI Financial Guardian

  • Integrate with real banking systems using stricter permission scopes
  • Enhance step-up authentication with adaptive risk-based policies
  • Add observability for:
    • AI latency
    • fallback rates
    • action outcomes
  • Allow users to define policies for:
    • automatic actions
    • approval-based actions

AI Financial Guardian points toward a broader future:

AI systems where humans remain in control, security is enforced through strong identity architecture, and agents operate within clear, auditable boundaries.

Bonus Blog Post

Token Vault in AI Finance Guardian

Modern “AI agents” often fail in production for a boring reason: secrets and delegated access. Letting an agent hold a static API key is convenient until it leaks or over-scopes every user. Letting the browser hold third-party tokens is worse. For the Authorized to Act hackathon, we anchored AI Finance Guardian on Auth0 Token Vault so the human’s consent and OAuth relationships stay authoritative, while the agent’s runtime stays minimal and server-side.

Concretely, the backend treats the user’s Auth0 access token as the root of trust for delegation. Where configured, we perform token exchange (RFC 8693) using a custom API client to obtain a vault-scoped access token, then call Auth0’s Token Vault APIs to retrieve the stored credential for the right connection and user. That token is used immediately for a single upstream call pattern (e.g., fetch transactions or invoke a protected action) and is not logged or forwarded to the client.

This separation matters for “sovereign” or local AI storylines too: you can keep the model local (Ollama) while still binding API access to Auth0’s lifecycle—rotation, audience, exchange rules, and future step-up/async flows become platform concerns rather than ad-hoc agent code. Mock mode preserves demo reliability when judges run the stack locally; real mode demonstrates the same code path against Token Vault when the banking API is not on localhost.

The outcome is a clearer security contract: the UI authenticates humans; Auth0 brokers identity and delegated tokens; the backend is the only component that ever sees vault-derived credentials for upstream services. That is the kind of boundary that lets aggressive agent UX exist without surrendering account control.

Built With

  • application
  • auth0-for-ai-agents-token-vault
  • auth0-management/token-vault-related-endpoints-data/storage:-in-memory-stores-for-demo-state-(alerts/audit-in-current-implementation)-tooling-&-platform:-npm-workspaces-(monorepo)
  • auth0-next.js-sdk
  • axios
  • axios-authentication-&-identity:-auth0-(universal-login
  • backend
  • control/deployment
  • deployment
  • express.js
  • for
  • frontend
  • github
  • html/css-frontend:-next.js-(react)
  • javascript
  • jest-(backend-testing)
  • jwt-based-api-auth)
  • languages:-typescript
  • mock-banking-api
  • model-llama3.2:latest-apis:-custom-backend-rest-api
  • oauth-2.0-token-exchange-(rfc-8693)-ai/llm:-ollama-(local-inference)
  • source
  • tailwind-css-backend:-node.js
  • target:
  • ts-node
  • typescript
  • web
  • workflow
Share this project:

Updates