Inspiration
As AI agents become more powerful, users are increasingly hesitant to grant them raw access to their personal data, leading to a desire to keep AI in restricted modes. Giving an LLM raw API tokens to read or send emails is a massive security risk. We asked ourselves: How can we build an intermediary agent that communicates securely with the outside world while maintaining a strict Zero Trust architecture? Our inspiration was to build a secure email assistant where the AI is highly capable but cryptographically "blind" to the user's actual credentials.
What it does
Knowhy is an AI-powered secure email assistant that operates entirely on a Zero Trust architecture. It helps users manage their inbox by reading, drafting, summarizing, and deleting emails. However, the LLM never sees any Google tokens; this is achieved through our "Blind Token Injection" pipeline. For high-stakes actions like sending or deleting an email, Knowhy enforces Step-up Authentication, requiring explicit MFA approval from the user before executing the tool. It also features asynchronous automation, such as a nightly cron job that summarizes the last 24 hours of emails.
How we built it
We built a dual-agent architecture consisting of a Worker Agent and a Guardrail Agent.
- Frontend: Built with React, Vite, and TailwindCSS to provide a seamless chat interface and MFA modals.
- Backend: Node.js, Express, and PostgreSQL handle the business logic and session state.
- Auth & Security: We heavily utilized Auth0 Token Vault to store Google tokens securely.
- The Flow: When a user requests an action, the Worker Agent generates a JSON tool call (e.g., {"action": "send_email"}). Before execution, the Guardrail Agent inspects this tool call for malicious intent. If approved, the backend securely fetches the federated token from Auth0 Token Vault, executes the Gmail API call, and returns only the text result back to the LLM.
Challenges we ran into
Our biggest challenge was seamlessly integrating Auth0's Step-up Auth (MFA) within a continuous, conversational AI flow. When the Worker Agent attempts a high-stakes action (like delete_email), we had to pause the execution, push a Step-up challenge to the frontend, wait for the user to complete the MFA modal, and then auto-retry the exact same conversational state with the newly validated stepUpChallengeId. Balancing this strict security logic (fail-closed for high risk) without ruining the user experience (fail-open for low risk) required complex state management.
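The flow and the step-up retry described above, sketched as an added example that is not Knowhy's own code: a tool executor that allowlists the action, gates high-risk calls on an approval bound to the exact call, and keeps the token out of anything returned to the model. The dependency names, the read_email action, and the behaviour when the guardrail itself errors are assumptions; Auth0 and Gmail are replaced by constructed stubs.

```javascript
// Added example (not Knowhy's code). Action names other than send_email and
// delete_email, and every dependency name, are hypothetical.
const RISK = new Map([["read_email", "low"], ["send_email", "high"], ["delete_email", "high"]]);

function makeExecutor({ guardrail, verifyStepUp, fetchVaultToken, callGmail }) {
  return async function execute(rawLlmOutput, session) {
    let call;
    try { call = JSON.parse(rawLlmOutput); }
    catch { return { status: "rejected", text: "tool call is not valid JSON" }; }
    const risk = RISK.get(call?.action);            // allowlist: unknown actions never run
    if (!risk) return { status: "rejected", text: "unknown action" };
    // Assumption: if the guardrail check itself errors, high-risk calls fail
    // closed and low-risk calls fail open.
    let allowed;
    try { allowed = await guardrail(call); }
    catch { allowed = risk === "low"; }
    if (!allowed) return { status: "rejected", text: "blocked by guardrail" };

    // Step-up: the approval must cover this exact call, so it cannot be replayed
    // for a different recipient or message.
    if (risk === "high" && !(await verifyStepUp(session.stepUpChallengeId, call))) {
      return { status: "step_up_required", text: "MFA approval required", pending: call };
    }
    const token = await fetchVaultToken(session.userId);   // exists only in this scope
    const result = await callGmail(token, call);
    // Only text goes back to the model; redact the token if an API error echoed it.
    return { status: "ok", text: String(result).split(token).join("[redacted]") };
  };
}

// Constructed stubs standing in for the guardrail model, Auth0 and Gmail.
async function demo() {
  const approved = new Map();                       // challengeId -> approved call (JSON)
  const execute = makeExecutor({
    guardrail: async () => true,
    verifyStepUp: async (id, call) => approved.get(id) === JSON.stringify(call),
    fetchVaultToken: async () => "ya29.constructed-sample-token",
    callGmail: async (token, call) => `done: ${call.action} (debug auth=${token})`,
  });
  const send = JSON.stringify({ action: "send_email", to: "a@example.com" });
  const session = { userId: "user-1" };
  const first = await execute(send, session);       // paused: no approval yet
  approved.set("chal-1", JSON.stringify(first.pending));  // user completes MFA
  const retry = await execute(send, { ...session, stepUpChallengeId: "chal-1" });
  const other = await execute(JSON.stringify({ action: "delete_email", id: "42" }),
                              { ...session, stepUpChallengeId: "chal-1" });
  return { first, retry, other };
}
demo().then((r) => console.log(r.first.status, r.retry.text, r.other.status));
```

The retried send succeeds with the token redacted from the returned text, while the delete presented with the same challenge id is paused again because the approval was recorded for a different call.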
Accomplishments that we're proud of
We are incredibly proud of successfully implementing the "Blind Token Injection" pattern. Tokens are never stored in our PostgreSQL database and the LLM never sees them in its context window. We also successfully mapped all of the hackathon's core judging criteria—especially the Security Model and User Control—directly into our architecture by ensuring the agent only operates within explicit, MFA-verified boundaries.
What we learned
Building Knowhy deepened our understanding of agentic authorization. We learned how to leverage Auth0 Token Vault's M2M tokens and the Management API to dynamically fetch federated google-oauth2 access tokens on the fly. We also learned the intricacies of writing robust system prompts to ensure the LLM strictly outputs JSON tool calls that our Node.js tool executor can parse and validate securely.
What's next for Knowhy - AI Email Assistant
Our immediate next steps include expanding this "Authorized to Act" architecture to other sensitive productivity suites like Google Drive and Calendar. We also plan to implement anomaly detection; if the AI detects an unusual pattern in email drafting, it will dynamically trigger a Step-up Authentication challenge even for actions that are normally considered low-risk.
🚀 Bonus Blog Post Submission: Authorized to Act with Zero-Trust Agents
When building AI agents that interact with personal data, developers face a critical dilemma: how do you give an LLM the ability to take actions on behalf of a user without handing over the keys to the kingdom? In the "Authorized to Act" hackathon, we tackled this exact problem by building Knowhy, an AI email assistant heavily powered by Auth0 Token Vault.
Our primary achievement was designing a system we call "Blind Token Injection." Typically, naive AI integrations might pass user access tokens directly into the LLM's context so it can execute API requests. This is incredibly dangerous. In Knowhy, we used Auth0 Token Vault as an impenetrable middle layer. When our Worker Agent decides it needs to read an email, it simply emits a structured JSON command. Our backend intercepts this, authenticates with Auth0 via an M2M token, and retrieves the specific federated Google token from the Vault. The backend executes the Gmail API call and only returns the sanitized text result to the AI. The LLM remains completely "blind" to the authentication layer.
Furthermore, we pushed the boundaries of the Token Vault by combining it with Step-up Authentication. Reading an email is one thing, but what about sending or deleting one? We implemented a "Guardrail Agent" that acts as a security checkpoint. If the Guardrail detects a high-stakes tool call, our Node.js backend immediately halts the operation and triggers an Auth0 Step-up Challenge. The user receives an MFA prompt on their frontend. Only after explicit human verification does the system retrieve the token from the Vault and execute the action.
By offloading OAuth flows, token management, and consent delegation entirely to Auth0 Token Vault, we were able to focus entirely on building a robust, dual-agent architecture. Knowhy proves that we don't have to sacrifice security for the sake of agentic automation. With the right identity layer, AI agents can be fully authorized to act while users remain in total control of their digital boundaries.
Built With
- agents
- ai-agents
- auth0
- docker
- express.js
- google-cloud-run
- google-gmail-oauth
- node.js
- openrouter
- postgresql
- react
- render
- tailwindcss
- vite