FinAgent

AI-powered credit dossiers for Nigeria's 50 million invisible workers, built on Auth0 Token Vault, consent-first, and approved by you before anything reaches a bank.

Comment

Inspiration

Adunola sells fabric at Oje Market in Ibadan. She earns around ₦184,000 a month, pays every utility bill on time, and saves faithfully with her cooperative society. She has done this for nearly a decade.

Last month, her bank said no to a ₦500,000 business loan. The reason: no payslip. No formal credit history. In Nigeria's financial system, she does not exist, even though she clearly does, in transaction after transaction across OPay, Mono, Remita, and her cooperative records.

There are 50 million Adunolas in Nigeria. They represent 80% of the workforce and ₦1.8 trillion in annual informal trade. The financing gap for informal SMEs across Sub-Saharan Africa sits at $240 billion according to the IFC. This is not a small problem, and it is not an unsolvable one.

FinAgent exists because we believe consent is not a checkbox. It is trust infrastructure. And trust infrastructure, built right, can unlock financial dignity for the people most excluded by the formal system.

What it does

FinAgent is a consent-first AI agent that builds credit dossiers for informal economy workers in Nigeria.

A user connects their financial accounts through Auth0 Token Vault: OPay mobile wallet, Mono bank statements, Remita utility payments, and cooperative savings records. Each connection stores one encrypted, read-only OAuth token per source. The user's password never touches our servers.

The FinAgent LangGraph pipeline then runs seven named nodes:

  • FETCH_MONO reads bank transaction history via Token Vault
  • FETCH_OPAY reads mobile wallet data via Token Vault
  • FETCH_REMITA reads utility payment history via Token Vault
  • FETCH_COOPERATIVE reads savings and loan repayment records
  • ANALYSE_INCOME calculates monthly averages, growth trends, and seasonal patterns
  • SCORE_RELIABILITY builds a creditworthiness index from 0 to 100
  • BUILD_NARRATIVE asks Claude AI to write a warm, factual credit recommendation memo

Every token access is logged to an immutable consent audit log. The user can see exactly what the agent read, when, from which source, and with which scoped token.

Before any dossier reaches a bank, Auth0 CIBA triggers a push notification to the user's registered device. The user must approve on their phone. No submission happens without explicit, real-time, physical consent.

The final output is a structured dossier with a reliability score, financial metrics, an AI narrative, and a full audit trail that a loan officer can use to make a credit decision. Adunola finally has a document that tells her real story.

How we built it

Auth0 for AI Agents is the identity and consent backbone of FinAgent.

Token Vault stores one encrypted OAuth token per data source, retrieved just-in-time by each LangGraph node. CIBA gates every bank submission with a real-time push notification approval. Connected Accounts manages OAuth flows to Mono, OPay, Remita, and cooperative APIs. The Management API with the read:user_idp_tokens scope enables server-side token retrieval inside the agent pipeline.

The full stack: Next.js 14 with App Router and TypeScript, LangGraph for the seven-node agent pipeline, Claude claude-sonnet-4-20250514 as the narrative engine with streaming, Supabase with PostgreSQL and row-level security for the consent audit log and dossier storage, and Vercel for deployment.

The agent streams events to the frontend via Server-Sent Events. Users watch each node tick through in real time, with the AI narrative typing itself character by character as the final node completes.

For the data sources: we built production-ready OAuth connectors for Mono Connect, OPay, and Remita API integrations (sandbox/mock - real API connectors built, awaiting production keys). Getting approved for live API access in Nigeria requires business registration processes that exceeded our hackathon timeline. We built production-ready connectors with full OAuth flows, the app uses realistic simulated data across 10 years of transactions while awaiting API approval. The Auth0 Token Vault integration is fully functional and would work identically with live credentials.

Challenges we ran into

Nigerian financial APIs do not follow standard OAuth flows. Mono, OPay, and Remita are not in Auth0's social connections catalogue. We had to implement them as custom OAuth2 connections and configure Token Vault storage manually. The documentation for custom providers was thin, and the read:user_idp_tokens Management API scope required significant trial and error to configure correctly.

Real Nigerian financial API access required business registration and approval processes that exceeded our hackathon timeline. We built production-ready connectors for Mono, OPay, and Remita with full OAuth flows, the app uses realistic simulated data while awaiting API approval. The Auth0 Token Vault integration is fully functional and would work identically with live credentials.

LangGraph state serialization caused a production failure we did not anticipate. The initial implementation using LangGraph's built-in state machine threw a "state.errors is not iterable" error in production. We refactored the agent into a clean async sequential pipeline while preserving all seven node names, the streaming callbacks, and the consent audit logging.

CIBA in sandbox mode requires a mobile app with push notification infrastructure. We built a phone mockup UI that simulates the device approval screen so judges can see the full approval interaction without needing a physical device.

Accomplishments that we're proud of

Full Token Vault integration: every data source gets its own scoped, encrypted token. The agent never stores credentials anywhere. It asks the vault, uses the token, and lets go.

An immutable consent audit log: every token access is recorded with the source, scope, token ID, agent node, and timestamp. Visible to the user from their permissions panel. Revocable with a single click that removes the token from the Auth0 vault permanently.

Real-time AI narrative streaming: Claude composes the credit memo live as the agent finishes its analysis. Users watch it write itself, not a loading spinner followed by a result, but the agent thinking in public.

A CIBA approval gate that means something: no dossier reaches a bank without the user explicitly approving that specific action on their registered device, at the moment it happens.

A production deployment at finagent-phi.vercel.app with Auth0, Supabase, and Anthropic all working together end-to-end.

What we learned

The hardest part of building agentic AI is not the AI. It is the authorization.

Token Vault solves a problem that every agentic application faces eventually: where does the token live between the moment the user consents and the moment the agent acts? In traditional web apps, that gap is milliseconds. In async agents, it can be hours or days.

Token Vault is the answer. It transforms consent from a one-time click into a durable, revocable, auditable relationship between a user and an agent. That is not a feature. That is a new category of trust infrastructure.

The most powerful moment in FinAgent is not the score ring animating to 82 out of 100. It is the CIBA phone screen. When you read "no submission happens without you" and watch the phone mockup appear asking for your fingerprint, you understand viscerally what authorized AI agency actually means.

What's next for FinAgent

  • Real Mono Connect sandbox integration with live Nigerian bank data
  • Bank portal dashboard: a separate interface for loan officers to receive and evaluate dossiers
  • BVN verification: Nigeria's Bank Verification Number as the identity anchor
  • Revenue model: banks pay ₦1,500 per dossier they request access to — the worker gets the service free
  • YC application: applying to Y Combinator with FinAgent as our primary product
  • We are a solo founder from Ibadan, Nigeria — building for the market we live in.

BLOG POST: Consent as Trust Infrastructure

What building FinAgent on Auth0 Token Vault taught us about the real problem in agentic AI

Submitted for the Bonus Blog Post Prize. This section is separate from the project description above.

Every developer who has built an AI agent that calls third-party APIs faces the same question eventually: where do I store the user's OAuth token?

In a traditional web app this question barely exists. The user clicks Connect, you get a token, you use it immediately, and it is gone from active memory. The gap between consent and action is milliseconds.

AI agents break this model entirely.

When Adunola connects her OPay wallet to FinAgent, she is not authorizing one immediate API call. She is authorizing a future agent, one that will run asynchronously across seven pipeline nodes, fetching data from four different sources, building a financial profile she will review before approving a bank submission. The token needs to be available when the agent runs. Not when she clicks the button.

This is the token storage problem for agentic AI. And most developers solve it the wrong way.

The wrong way: DIY token storage

Before we found Auth0 Token Vault, we planned to encrypt OAuth tokens ourselves and store them in Supabase. We would have built our own key management, rotation logic, and scope tracking. We estimated two to three weeks of engineering.

More importantly, we would have lost something we did not fully value until we thought it through: consent traceability.

DIY token storage tells you that a token exists. Token Vault tells you when it was issued, to which connection, with which scopes, and accessed by which application. That difference is everything for a financial product in Nigeria, where the conversation around data consent is just beginning.

The right framing: Token Vault as consent infrastructure

Auth0 Token Vault reframes the problem. Instead of asking where do I store this token, it asks: what did this user consent to, and can the agent prove it acted within that consent?

In FinAgent, every LangGraph node that touches a data source does two things before making any API call. First, it retrieves the user's token from the vault using the read:user_idp_tokens Management API scope. Second, it writes a record to our consent audit table: which source, which scope, which token ID, which agent node, at what time.

The result is a full audit trail the user can inspect from their permissions panel. They can see that at 10:13am, the FETCH_MONO node read their transaction history using the read:transactions scope. They can revoke that token with one click and the agent permanently loses access.

This is not good UX as an afterthought. It is the architecture of trustworthy AI agency.

The CIBA gate: authorization at the moment of consequence

Token Vault handles the reading side of consent. CIBA handles the acting side.

FinAgent's agent can read and analyse freely, that is what Adunola authorized when she connected her accounts. But submitting her dossier to a bank is a consequential action. It changes her real-world situation. It should require her active participation at the moment it happens, not just her passive permission from an hour ago.

Auth0's CIBA implementation lets us send a push notification to Adunola's registered device the moment the agent is ready to submit. She sees exactly where the dossier is going, the loan amount being requested, and she approves with a fingerprint tap. The agent waits at the AWAIT_CIBA node until she responds.

This is what Authorized to Act actually means. Not the user clicked a checkbox once. But the user is approving this specific action, right now, with full context, on their own device.

What this means for the future

The authorization problem in agentic AI is going to get harder. Agents are becoming more capable, more autonomous, and more consequential. The question of what is this agent actually allowed to do will be one of the defining challenges of the next five years.

Token Vault and CIBA together sketch the beginning of an answer: consent that is durable, scoped, auditable, and revocable. Agents that can prove they acted within their authorization. Users who understand what they have permitted and can change their mind instantly.

For FinAgent, none of this is optional. We are building for people who have been let down by institutions before - by banks that said no without explanation, by systems that treated them as invisible. Every Revoke this access button in our UI is a promise: you are in control here.

Fifty million people deserve that promise kept. Auth0 Token Vault helped us build the infrastructure to keep it.

FinAgent is live at finagent-phi.vercel.app. Code is at github.com/toluwalope12/finagent. Demo Video: https://youtu.be/fzaun434YKM

Built With

  • auth0-ciba
  • auth0-token-vault
  • claude-ai
  • langgraph
  • mono-connect-api
  • next.js
  • opay-api
  • postgresql
  • remita-api
  • supabase
  • tailwind-css
  • typescript
  • vercel
Share this project:

Updates