-
-
Landing Page
-
How It Works
-
Token Vault
-
Security-First
-
Action-Call
Inspiration
A single compromised AI agent with full OAuth access costs an enterprise an average of $4.88 million per breach. Multiply that across the 300 million users now connecting AI agents to their email, calendar, and cloud storage. The exposure is not hypothetical. It is happening today.
In 2024, 61% of data breaches involved credentials and API tokens. Companies spent $19.7 billion on identity and access management trying to fix this. But none of that spending addresses the new threat: AI agents acting with more permissions than they need.
A marketing assistant AI with full Gmail access can read every email in the CEO inbox. A scheduling bot with calendar write access can delete every meeting in the organization. Not because it is malicious. Because nobody scoped its permissions to match its actual job.
We asked one question: what if the AI only got the permissions it actually needed, decided in real time by what you say?
That question became IntentGuard. And the math behind it makes the case.
The Money Problem
What companies lose today
| Risk | Average Cost |
|---|---|
| Single data breach from over provisioned API access | $4.88M |
| Credential theft incident response and recovery | $1.2M |
| Regulatory fines per GDPR violation | up to $22M |
| Annual spend on manual access reviews per enterprise | $840K |
| Revenue lost during breach downtime (avg 277 days to detect) | $3.1M |
An enterprise running 50 AI agents with blanket OAuth access has 50 potential breach points. At $4.88M per breach, that is $244 million in aggregate risk exposure sitting in production right now.
What IntentGuard saves
IntentGuard reduces the blast radius of every AI agent interaction by granting only the minimum scopes needed.
Example: An AI agent with full Gmail access (gmail.modify, gmail.send, gmail.readonly, gmail.settings) can read, send, delete, and modify email rules. If compromised, total exposure.
With IntentGuard, the same agent checking emails only gets gmail.readonly. If compromised, the attacker can read emails but cannot send, delete, or modify anything. The blast radius drops by 75%.
Across an enterprise with 50 agents:
- Without IntentGuard: $244M aggregate risk exposure
- With IntentGuard: $61M aggregate risk exposure
- Risk reduction: $183 million saved
Manual access reviews cost enterprises $840K per year in staff time. IntentGuard automates scope decisions in real time. That is $840K in annual savings per customer from day one.
What IntentGuard earns
The business model is usage based. Every scoped token exchange is a billable event.
| Metric | Value |
|---|---|
| Target market (IAM + AI agent security) | $47.1B by 2030 |
| Enterprise customers (Year 1 target) | 100 companies |
| Average AI agent interactions per company per month | 50,000 |
| Price per 1,000 scoped token exchanges | $2.50 |
| Monthly revenue per customer | $125 |
| Annual revenue per customer | $1,500 |
| Year 1 ARR | $150,000 |
| Year 3 ARR (5,000 customers) | $7.5M |
| Year 5 ARR (50,000 customers, higher usage) | $200M+ |
At scale, the platform capturing 1% of the $47.1B AI agent market is a $471 million business. At 3%, it crosses $1.4 billion.
What it does
IntentGuard is an AI agent that maps your natural language commands to the minimum OAuth scopes required to fulfill them.
- Say "check my unread emails" and it requests
gmail.readonly, auto approved instantly - Say "send an email to alice@company.com" and it flags
gmail.sendas a write operation, requiring your explicit step up authorization before executing
This works across channels. The same intent driven permission model applies whether you are on the web dashboard or chatting with our Telegram bot. Auth0 Token Vault handles all token storage, refresh, and scoped exchange behind the scenes so credentials never touch our code.
The principle is simple: your words define the boundary. The agent cannot cross it.
ROI for a single customer
A mid size company with 20 AI agents processing 30,000 interactions per month:
- Before IntentGuard: Each agent has full OAuth access. One breach costs $4.88M. Annual access review costs $840K. Total annual risk and cost: $5.72M
- After IntentGuard: Each agent gets minimum scopes per interaction. Breach blast radius reduced 75%. Access reviews automated. IntentGuard cost: $900/year
- Net savings: $5.71 million per year
- ROI: 6,344x
How we built it
The stack is intentionally lean to keep the focus on the security model rather than infrastructure complexity.
Intent Layer — Google Gemini AI classifies every user message into a structured intent object containing the operation type (read or write), target service (Gmail or Calendar), specific action, required OAuth scopes, confidence score, and whether step up authorization is needed.
Auth Layer — Auth0 handles authentication with passwordless email login. Token Vault securely stores Google OAuth refresh tokens. The web dashboard uses getAccessTokenForConnection for scoped token retrieval. The Telegram bot uses cross authentication, linking chat IDs to Auth0 user sessions and exchanging tokens through the Management API.
Execution Layer — Read operations execute immediately with the minimum scoped token. Write operations are held in a pending state until the user explicitly approves on the dashboard. Every action is logged in an activity feed with full intent metadata.
Frontend — Next.js with a clean enterprise UI inspired by Okta branding. The dashboard includes a chat interface, real time activity log, scope visualization map, and Telegram linking flow.
Challenges we faced
Token Vault integration was the hardest part. Getting the federated token exchange working required discovering that Auth0 dev keys do not support refresh tokens, upstream params must be set via the Management API to force access_type=offline, and the requested_token_type must be the exact Auth0 specific URI rather than the standard IETF token type. This single integration took more debugging hours than the rest of the project combined.
Cross channel token access was another challenge. The web SDK stores tokens in the user session but the Telegram webhook has no session context. We solved this by capturing and caching the Google access token during the Telegram linking step so the bot can reuse it without requiring a browser session.
Telegram Markdown parsing silently rejected messages containing special characters from email subjects. The bot would fetch emails successfully but never send the response. We added a plain text fallback that strips formatting when Markdown fails.
What we learned
- The real security gap in AI agents is not the AI itself but the permissions model around it
- Auth0 Token Vault is powerful but the documentation around Management API token exchange for server to server flows has room to grow
- Intent classification with modern LLMs is reliable enough at 95%+ confidence to make real time scope decisions practical
- Cross authentication between messaging platforms and web sessions is solvable but requires careful token lifecycle management
Built With
- Auth0 — Authentication, Token Vault, Management API
- Next.js — Full stack web application
- Google Gemini AI — Natural language intent classification
- Telegram Bot API — Cross platform agent interface
- Google APIs — Gmail and Calendar integration
- DigitalOcean — Cloud deployment
What is next for IntentGuard
The roadmap is built around one thesis: whoever owns the permissions layer for AI agents owns the next decade of software security.
- Enterprise multi tenant deployment with per organization scope policies
- Support for 50+ services including Slack, GitHub, Stripe, AWS, and Salesforce
- Real time scope anomaly detection flagging when an agent requests unusual permissions
- An open source intent to scope mapping SDK that any developer can plug into their agent
- SOC 2 and GDPR compliant audit trail for every permission grant
- Usage based pricing at $2.50 per 1,000 scoped exchanges
The AI agent economy is projected to be $47.1 billion by 2030. Every one of those agents needs a permissions layer. IntentGuard is building it.
Bonus Blog Post
How Auth0 Token Vault Became the Security Backbone of Our AI Agent
When we started building IntentGuard, we had a clear vision:
an AI agent that only gets the permissions it needs based on what the user actually says.
The hard part was not the AI.
It was the tokens.
The Problem With OAuth Tokens in AI Agents
Every AI agent that connects to services like Google, Slack, or any third-party API needs OAuth tokens.
Most developers handle this by:
- Storing tokens in their own database
- Implementing refresh logic themselves
- Managing encryption
- Handling expiry
- Handling revocation
This is where things break.
One leaked database backup and every user token is compromised.
Managing OAuth tokens securely becomes an entire security problem on its own.
Enter Auth0 Token Vault
Auth0 Token Vault changed everything for us.
Instead of storing Google OAuth tokens in our own infrastructure, Token Vault acts as a secure intermediary.
When a user connects their Google account through our app:
- The refresh token goes directly to Token Vault
- Our application never sees it
- Our servers never store it
- Our code never touches it
This completely removes a massive attack surface.
How Our AI Agent Uses Token Vault
When our AI agent needs to check a user's emails, it calls:
getAccessTokenForConnection("google-oauth2")
Built With
- auth0
- digitalocean
- gemini
- google-apis-discovery
- next.js
- telegram-api
- telegram-bot
Log in or sign up for Devpost to join the conversation.