DebitMeKe?

"You think you can debit me? ๐Ÿ˜‚" DebitMeKe? is an AI agent that freezes surprise subscriptions, using Auth0 Token Vault to require your explicit authorization before any money leaves your wallet

Comment

Inspiration

We have all been victims of "subscription fatigue" and dark patterns. There is nothing quite like the panic of waking up at 2:00 AM to a random bank debit alert for a subscription you forgot to cancelโ€”especially when your balance is already low. Companies make it incredibly easy to sign up, but practically impossible to leave. In Nigeria, when someone tries to pull a fast one on you, the slang is โ€œKe?โ€ (meaning, "You think you can?"). Thus, DebitMeKe? was born.Mathematically, once a merchant has your raw card details, your financial exposure $E$ over time $t$ for $n$ subscriptions is a guaranteed loss function: $$E(t) = \sum_{i=1}^{n} (C_i \cdot f_i(t)) + U(t)$$ Where $C_i$ is the known cost, $f_i(t)$ is the billing frequency, and $U(t)$ represents unauthorized or forgotten surprise debits.I wanted to change that equation. DebitMeKe? introduces a human-in-the-loop boolean modifier $A_i(t) \in {0, 1}$ using Auth0 Token Vault. Now, no money moves unless $A_i(t) = 1$. The merchant is effectively held at the gate until you explicitly say yes.

What it does

DebitMeKe? is an autonomous AI agent that protects your main wallet. Instead of giving merchants your real debit card, you ask the AI to provision a merchant-specific virtual card (e.g., a "Netflix Card" with a โ‚ฆ5,000 limit).

By default, this card is strictly frozen.

When Netflix attempts to charge the card, the charge is intercepted by our FastAPI backend. The AI agent pings you in the dashboard chat: "โš ๏ธ Netflix is attempting to debit โ‚ฆ4,500. Do you authorize this?" If you agree, the app leverages Auth0 Token Vault for step-up authentication. You securely log in, grant the agent the scoped delegated consent, and the agent uses that token to temporarily unfreeze the card, fund it from your main wallet, and let the charge pass before freezing it again. You maintain absolute financial sovereignty.

How we built it

The project was built using a highly interactive tripartite architecture:

The Brain (Backend): Built with Python and FastAPI. I used the Google Gemini API to parse natural language from the user (e.g., "Omo, create a card for Spotify") into structured JSON payloads that the backend can execute.

The Vault (Database): Supabase (PostgreSQL) serves as the mock banking layer, holding the Users main balance and the Virtual_Cards states.

The Command Center (Frontend): A unified Vite (React + TypeScript) dashboard. I used Tailwind CSS and Framer Motion to create the "Rebel Fintech" theme (Deep Charcoal base, Blazing Orange actions, and Goldenrod warnings), complete with a custom chat interface and interactive, frosted-glass virtual cards that update in real-time.

The Security Layer: Auth0 Token Vault for AI Agents is the star of the show. It intercepts high-stakes backend operations (unfreezing cards and moving money) and seamlessly hands the authorization flow over to the Vite frontend via the @auth0/auth0-react SDK.

Challenges we ran into

The biggest bottleneck was the realization that you cannot easily intercept a standard Visa/Mastercard transaction mid-flight once the merchant initiates it. I initially wanted to block direct debits on a real card.

I had to pivot the architecture to the Virtual Card Issuing model. By ensuring the virtual card is frozen by default, the incoming merchant webhook naturally fails or pends, giving the AI agent the perfect window to hold the transaction and ask the Auth0 Token Vault for step-up human authorization.

Additionally, syncing the asynchronous Auth0 delegated consent flow between a Python backend and the real-time React chat UI required careful state management to ensure the user saw the balance update instantly once they clicked "Authorize".

Accomplishments that we're proud of

Seamless Chat-to-UI Sync: When you prompt the AI to create a card, watching the beautifully styled React card component pop onto the screen right next to the chat window feels like absolute magic.

Nailing the Auth0 Token Vault Flow: Successfully implementing the human-in-the-loop delegated consent. The agent respects the boundaries of its permissions, perfectly showcasing the hackathon's core requirement.

What we learned

I gained a massive appreciation for how difficult it is to build secure, autonomous agents. Giving an LLM access to a database is terrifying. Learning to use Auth0 Token Vault to scope permissions dynamically and enforce cryptographic step-up authentication completely changed how I will architect AI applications in the future.

What's next for DebitMeKe?

"Sachet" Subscriptions: Auto-deleting a virtual card after exactly 24 hours so users can safely buy a 1-day subscription to watch a football match without worrying about next month's billing cycle.

Agentic Cancellation: Integrating browser automation (like Playwright) so the AI doesn't just block the charge, but actively logs into your Adobe or Netflix account and navigates the annoying "Are you sure you want to leave?" menus to officially cancel the account for you.

๐Ÿ“ BONUS BLOG POST: Checkmating Companies Trying to "run me down"

Iโ€™ve been there: it's 2:00 AM, my phone buzzes, and some random subscription I forgot to cancel just pulled โ‚ฆ4,500 from my savings account right before payday. Companies engineer incredibly frictionless onboarding, but make their churn pipelines a maze of dark patterns. In Nigeria, when a system tries to pull a fast one on you, the slang is โ€œKe?โ€ (meaning, "You really think you can?"). So, I built DebitMeKe?.

But building an AI agent to fight back presented a terrifying architectural paradox.

Initially, I thought I could build a system to intercept incoming charge intents directly from the Visa or Mastercard networks. I spent hours trying to architect a middleware that would catch the authorization request mid-flight. I quickly hit a brick wall; I found out it was architecturally impossible for a third-party developer to sit between a merchant and the core card networks like that.

That realization sent me back to the drawing board. I needed a completely different paradigm. That is when I decided to go the "virtual, frozen by default" route. Instead of trying to shield my real card, the AI would provision merchant-specific virtual cards that are strictly locked from the moment they are created.

However, giving an LLM raw UPDATE access to a financial database to manage these new cards is development suicide. If the agent hallucinates, or my natural language prompt is slightly ambiguous, it could accidentally drain my main wallet instead of protecting it. I needed a bouncer for my bouncer.

That is where implementing the Auth0 Token Vault for AI Agents became my ultimate technical achievement in this hackathon. It fundamentally shifted my application from a cool LLM wrapper into a cryptographically secure financial firewall.

Token Vault allowed me to strip my FastAPI agent of its permanent god-mode credentials. Now, the agent operates in a zero-trust environment. When a merchant webhook hits my server trying to debit a frozen virtual card, the AI parses the intent perfectly. It knows it needs to temporarily unfreeze the card and transfer funds. But it hits a hard wall; it lacks the fund:virtual_card scope.

Instead of failing or executing blindly, the agent leverages Auth0 to push a step-up authentication request to my React dashboard. My phone buzzes, I see the AI's warning in the chat, and I click "Authorize." Auth0 takes over, securely validating my identity and handing a short-lived, strictly scoped token back to the AI. Only then can the agent execute the database transaction.

Integrating Token Vault wasn't just checking a box for the hackathon; it was the exact missing piece required to make Agentic AI viable for high-stakes personal finance. I learned that true financial sovereignty isn't just about blocking merchants; it is about cryptographically ensuring that even my own AI cannot move a single Naira without my explicit consent.

Built With

Share this project:

Updates