DevFlow

Inspiration

Here's a typical Monday morning: you open GitHub to check PRs, switch to Slack to post a standup, hop to Linear to update tickets, check Google Calendar for the sprint planning meeting, then Vercel to see if last night's deploy landed. Five tabs. Five logins. Zero flow state.

Now imagine giving an AI agent the keys to all five. Terrifying, right? That's the problem. We trust AI to write our code, but we don't trust it with our credentials. And honestly, we shouldn't — not unless there's a real security layer between the agent and our accounts.

That's where Auth0 Token Vault comes in. It gave us a way to build an agent that can act across GitHub, Slack, Linear, Calendar, and Vercel — but never touches a raw token, never stores credentials, and always operates within scopes the user explicitly granted. The agent works for you, but it's Auth0 that makes sure it doesn't go rogue.

DevFlow is the result: an AI DevOps command center where one agent handles your entire development workflow, and you can see — and revoke — everything it does.

What it does

DevFlow gives developers three ways to interact with their AI agent:

Command Palette (Ctrl+K)

Hit Ctrl+K anywhere in the dashboard and you get a Raycast-style command palette. Type what you need:

• "Triage Issues" — AI pulls open GitHub issues, reads them, classifies each as bug/feature/docs, and suggests priority labels
• "PR Summary" — generates a human-readable summary of any pull request with diff stats
• "Generate Standup" — aggregates yesterday's merged PRs, new issues, and deploy activity into a formatted standup post
• "Post to Slack" — sends messages to any channel your agent has access to
• "Today's Meetings" — lists your calendar events with attendee context

Each command shows which service it'll hit and what scope level (read/write/step-up) before you execute it. No surprises.

Workflow Builder

A visual canvas where you drag-and-drop automation pipelines:

PR Merged → Generate Changelog → Post to Slack #releases → Deploy Preview

Nodes are color-coded by risk:

• Green = triggers (PR opened, issue created, cron schedule)
• Blue/Purple = actions (post Slack, create Linear ticket, deploy)
• Yellow = conditions (if label = bug, if author = X)
• Red = step-up auth (deploy to production, force merge) — these pause the pipeline and require MFA approval before continuing

Permission Manager

The transparency layer. Every connected service shows:

• Its current OAuth scopes (expandable: read, write, step-up)
• A connect/disconnect toggle
• A full audit log — filterable by service — showing every action the agent took, which scope it used, and whether step-up auth was triggered

This isn't just a settings page. It's the answer to "what has my agent been doing?" And for the judges: it's the answer to "does the user have real control?"

Connected Services

Service	Read	Write	Step-Up Required
GitHub	Issues, PRs, repos	Labels, comments	Force merge, delete branch
Slack	Channels, users	Messages, files	Post to public channels
Google Calendar	Events, attendees	Create events	Modify others' events
Linear	Issues, sprints	Create/update tickets	Bulk close/archive
Vercel	Deployments	Preview deploys	Promote to production

How we built it

Architecture

Next.js 16 Frontend
├── Auth0 proxy.ts (session management)
├── Vercel AI SDK (agent + 11 tools)
├── React Flow (workflow canvas)
├── cmdk (command palette)
└── shadcn/ui + Tailwind (UI)
    ↓ REST
FastAPI Backend
├── Workflow engine
├── SQLite (users, workflows, audit log)
└── CRUD APIs
    ↓ OAuth Token Exchange (RFC 8693)
Auth0 Token Vault
├── GitHub (federated connection)
├── Slack (federated connection)
├── Google (federated connection)
├── Linear (federated connection)
└─Vercel (federated connection)

The AI Agent

Built with the Vercel AI SDK and powered by Google Gemini 2.5 Flash. The agent has 11 tools — 4 for GitHub (list issues, get PR, add labels, comment), 2 for Slack (post message, list channels), 2 for Linear (list/create issues), 1 for Calendar (list events), and 2 for Vercel (list/check deployments).

Each tool follows the same pattern: request a scoped token from Token Vault → call the third-party API → return structured data to the agent → agent reasons and responds. The agent never stores, caches, or logs tokens. They're ephemeral by design.

Token Vault Integration

This is the core of the project. Every service connection goes through Auth0:

1. User connects a service → Auth0 handles the OAuth dance → Token Vault stores the refresh token
2. Agent tool is invoked → exchanges the refresh token for a scoped access token via Token Vault's token exchange endpoint (urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token)
3. Token is used once → for that specific API call → then discarded
4. Token expires? → Token Vault auto-refreshes. Our code never touches refresh logic.

For destructive operations, we use Auth0 CIBA (Client-Initiated Backchannel Authentication). The workflow pauses, the user gets an MFA push, they approve or deny, and the pipeline resumes or stops. The human stays in the loop for anything that can't be undone.

Challenges we ran into

The Zod v4 saga. Next.js 16 ships with Zod v4, but the Vercel AI SDK's tool() function generates JSON Schema that OpenAI's API rejects — type: "None" instead of type: "object". We spent hours debugging before switching to jsonSchema() with hand-written schemas. Lesson: when two libraries disagree on types, go lower-level.

Auth0 SDK v4 is a different library. No more handleAuth(), handleLogin(), UserProvider. The new SDK uses Auth0Client with a proxy.ts file (not middleware.ts). The migration guide exists but the ecosystem hasn't caught up — most tutorials still show v3 patterns.

Python 3.14 broke our backend. SQLAlchemy's async engine requires greenlet, which doesn't compile on 3.14. Rather than downgrading Python, we rewrote the database layer to use plain sqlite3. Sometimes the simplest tool is the right one.

OpenAI's Responses API. @ai-sdk/openai v3 defaults to OpenAI's new /v1/responses endpoint, which handles tool schemas differently than /v1/chat/completions. We had to use openai.chat() explicitly — and ultimately switched to Gemini, which worked out better (and is free).

Accomplishments that we're proud of

• 5 real OAuth services through Token Vault — not mocked, not simulated. GitHub, Slack, Google, Linear, and Vercel, all with scoped permissions and audit logging.
• The workflow builder actually works — drag nodes, connect them, save pipelines. Step-up auth nodes visually pulse red. It's not a mockup.
• Ctrl+K feels native — the command palette is fast, fuzzy-searchable, and shows scope/service badges before execution. Developers will actually use this.
• Full audit trail — every agent action logged and filterable. This is what "user control" actually looks like.
• Zero to deployed in one day — Next.js 16, FastAPI, Auth0, 11 AI tools, workflow builder, deployed on Vercel. Coffee helped.

What we learned

Token Vault changes how you think about agent architecture. When tokens are managed externally, your agent becomes stateless with respect to credentials. This is a fundamental shift — it means you can scale agents horizontally, audit them centrally, and revoke access instantly. Every agent framework should work this way.

Step-up auth isn't a nice-to-have — it's table stakes. The moment your agent can write data (not just read), you need tiered permissions. CIBA makes this practical: the user doesn't leave the app, they just approve a push notification.

Transparency creates trust. The audit log isn't glamorous, but it's the feature that makes everything else acceptable. Users will let an AI manage their GitHub if they can see exactly what it did and revoke access in one click.

What's next for DevFlow

• Live workflow execution — SSE streaming so you watch pipelines run step by step
• Webhook triggers — GitHub events fire workflows automatically
• Team workspaces — shared workflows with role-based access
• More services — Notion, Figma, AWS, any OAuth API via Token Vault
• Workflow templates — pre-built pipelines for common dev workflows

Built With

• gemini
• google
• node.js
• oauth
• tailwind