Fin-Guard

AI financial guardian that monitors your money but can never touch it. Auth0 Token Vault + FGA + CIBA enforce read-only access, audit every action, and require human approval for high-risk findings.

Comment

Bonus Blog Post: Building a Zero-Trust AI Agent with Auth0 Token Vault

When we started developing Fin-Guard, we thought the most challenging aspect would be the AI. It wasn't. The hard part was trust.

Every AI agent demo shows an agent that does things: sends emails, books flights, and moves money. But when we asked ourselves, "Would I actually connect my bank account to this?" the answer was no. It wasn't because the AI wasn't smart enough; it was because there was no architecture guaranteeing that it couldn't go rogue.

That's where Auth0 Token Vault changed everything. Token Vault doesn't just store OAuth tokens. It enforces scoped access at the token exchange level (RFC 8693). When Fin-Guard requests a token for Plaid, it receives a read-only, scoped token. The agent cannot request write access because the Token Vault won't issue it.

However, Token Vault alone isn't enough. We layered Auth0 FGA on top and check permissions before every tool call. Not in the prompt. Not in application logic. It's in the authorization infrastructure. The agent's code never sees a write permission because it doesn't exist in the FGA model.

The real "aha" moment came when we built the Threat Lab. We created five attack scenarios where users try to make the agent transfer money, escalate privileges, or exfiltrate data. Watching FGA block every attempt, and CIBA escalate to the human when the attacks persist, made the security model tangible. Judges don't have to trust our claims. They can attack it themselves and watch it hold.

The biggest lesson: AI agents don't need fewer restrictions to be useful. They need better restrictions. Token Vault, FGA, and CIBA together create an agent that users actually trust, because the safety isn't a promise. It's the architecture.

Inspiration

AI agents are gaining access to sensitive APIs, yet most agent frameworks lack real permission boundaries. An agent either has full access or none at all. There is no read-only mode, no audit trail, and no human approval for high-risk actions. We wanted to build an AI agent that is genuinely useful for financial monitoring and is architecturally incapable of modifying your data.

What it does

Fin-Guard is a read-only AI financial guardian. When you open the app, the AI agent immediately takes over. It connects your bank accounts via Auth0 Token Vault, scans your transactions, detects anomalies, and reports findings, all within seconds and without manual setup.

The agent knows everything about your money. However, it can never touch a cent of it.

  • Conversational AI: Ask "What did I spend the most on?" or "Am I over budget?" to receive specific answers with real numbers.
  • Anomaly Detection: AI-powered pattern analysis flags unusual transactions, such as overseas charges and cryptocurrency purchases.
  • Interactive Threat Lab: Five attack scenarios in which you play the attacker and observe how Auth0's security layers respond in real time.
  • Dynamic Security Score: A 0-100 scale that measures your security posture across five dimensions.

How we built it

Auth0 Token Vault manages OAuth tokens for connected services, such as Plaid, Google Sheets, and Slack. The agent receives scoped, read-only tokens via the RFC 8693 token exchange; it never receives raw credentials.

Auth0 FGA (Fine-Grained Authorization) enforces permissions on every tool call before execution. The agent has "viewer" access to financial data and "writer" access only to Slack alerts. The authorization model permanently blocks write access to financial data, not just the prompt.

Auth0 CIBA (Client-Initiated Backchannel Authentication) handles human-in-the-loop consent. When the agent detects transactions over $1,000, it pauses and sends a push notification to the account owner. The agent cannot proceed until the human approves or denies.

Architecture: Next.js frontend on Vercel, FastAPI backend on Render, and OpenAI GPT-4o-mini for analysis. Each visitor receives a unique, randomly generated profile with isolated connections and audit trails.

Challenges we ran into

  • Building real depth beyond a demo dashboard. Early versions were just buttons with mock data. We had to make the AI agent the primary interface instead of a sidebar widget.
  • Enforcing FGA at the infrastructure level rather than the prompt level. Prompt-based restrictions can be bypassed; FGA cannot.
  • Making CIBA feel meaningful rather than annoying. We limited alerts to the top two or three anomalies instead of flooding users with approve/deny dialogs.

Accomplishments that we're proud of

  • The AI agent auto-onboards in under 10 seconds: connecting three services, scanning 104 transactions, identifying 11 anomalies, and presenting a full financial summary with zero manual clicks.
  • Every tool call passes through FGA authorization before execution. This is not a prompt instruction; it is actual infrastructure-level enforcement that cannot be bypassed.
  • The Threat Lab lets judges run five real attack scenarios (wire fraud, privilege escalation, data exfiltration, social engineering, and rogue API key) and observe how Token Vault, FGA, and CIBA respond step by step.
  • Per-session isolation: Each visitor receives a unique, randomly generated profile with different account balances, ensuring that no two demonstrations are the same.
  • Built a 10-page production app (landing page, dashboard, accounts, budget, security center, alerts, profile, and settings) as a solo developer in 48 hours.

What we learned

The most important insight: AI agents don't need unlimited access to be useful. A read-only agent with proper authorization boundaries is more trustworthy and useful than an unrestricted agent, because users trust it enough to connect their real accounts.

What's next for Fin-Guard

  • Real Plaid integration for live bank data
  • Auth0 Universal Login for actual user authentication
  • Mobile push notifications via Auth0 Guardian for CIBA approvals
  • Expanding the read-only agent pattern to healthcare records and legal documents

Built With

Share this project:

Updates