AuthDungeon

An AI agent that learns to conquer dungeons, but only using powers you've authorized through the use of Auth0 Token Vault.

Comment

Inspiration

In game development is massively untapped. Most games still use scripted behavior trees from decades ago. We wanted to show what a learning AI agent looks like inside a game and pair it with a real permission model so the agent is both smart and trustworthy.

What it does

An AI agent learns to navigate a 13-room dungeon using Q-learning, improving over multiple runs. Users can grant the agent powers through Auth0 Token Vault each one requires real OAuth consent and is backed by a live GitHub token exchange that can be revoked instantly. The agent behaves differently based on exactly what permissions it holds.

How we built it

React frontend with a custom SVG dungeon map and live Q-value display. Java Spring Boot backend that performs the Auth0 Token Vault exchange using RFC 8693 swapping the user's Auth0 access token for their GitHub token to call the GitHub API on their behalf leaving credentials secure.

Challenges we ran into

Getting the Token Vault exchange right was the hardest part. The Custom API Client setup, grant types, and request encoding all had to be exact before Auth0 would return a token. Debugging a 401 with no response body across multiple credential configurations took quite a bit of time.

Accomplishments that we're proud of

A working end-to-end Token Vault exchange with a real GitHub API call. The Q-learning produces genuinely visible behavior and results.

What we learned

Auth0 Token Vault changes the trust model for AI agents entirely. The agent never holds credentials, users stay in control, and revocation is immediate. RFC 8693 is the right pattern for agentic systems. Through this system designed by Auth0 its possible to lessen and even prevent the various security risks that stand in the way of agentic ai platforms like OpenClaw or Claude CoWork. If the AI never even sees the credentials it effectively negates the security risk of the AI having access to these platforms.

What's next for AuthDungeon

Multiple OAuth providers for different powers, step-up authentication on boss fights, and procedurally generated dungeons so the agent relearns from scratch every run.

Built With

Share this project:

Updates