Mandate

An executive assistant where you define exactly what the agent can do. Auth0 handles everything — user authentication via Universal Login and service authorization via Token Vault.

Comment

Inspiration

Every AI agent framework gives agents the ability to act — but none give users clear, real-time control over what the agent is authorized to do. We built Mandate because authorization for AI agents shouldn't be an afterthought bolted on after the fact. It should be the product. The question we set out to answer: can you give an AI agent broad capabilities across Google, Slack, and GitHub while keeping every single permission visible, revocable, and auditable — all through Auth0?

What it does

  • Mandate is an AI executive assistant where you define exactly what the agent can do. Auth0 handles everything end-to-end — user authentication via Universal Login and service authorization via Token Vault.

  • You connect Google and Slack through Auth0's social connection OAuth flow. Token Vault stores the provider tokens securely. Then you set permission boundaries through a 4-tier risk classification system: Auto (read-only, executes immediately), Confirm (write ops, one-time approval), Approve (sensitive actions, explicit every time), and Step-Up (critical operations requiring re-authentication via Auth0).

  • The agent shows its full action plan before doing anything. You approve or reject each step. Every action, permission change, and approval decision is logged in a real-time audit trail exportable as a PDF consent receipt. If you revoke a service mid-conversation, the agent doesn't crash — it tells you what happened and asks to reconnect.

How we built it

  • Auth0 runs end-to-end. User authentication uses @auth0/nextjs-auth0 with withMiddlewareAuthRequired protecting the dashboard. Users sign in through Auth0 Universal Login. For service connections, clicking "Connect" on Google or Slack triggers Auth0's social connection OAuth flow. Auth0 manages the handshake with the external provider and stores tokens in Token Vault.

  • Our token-vault.ts implements RFC 8693 token exchange using the urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token grant type — when the agent needs to call Google Calendar, it exchanges the user's Auth0 token for a Google-specific access token. The app never stores provider credentials.

  • The AI layer uses Groq's free API running Llama 3.3 70B through an OpenAI-compatible interface. The agent receives a system prompt encoding which services are connected, which scopes are enabled, and what risk level each action carries. It responds with structured JSON action plans that the frontend renders as approval cards.

  • The frontend is Next.js 14 with App Router, React 18, Tailwind CSS, and Zustand for state management. Connected services persist in localStorage so they survive OAuth redirects. jsPDF generates the consent receipt PDFs client-side.

Challenges we ran into

  • The hardest problem was the Auth0 audience configuration. Token Vault's token exchange requires an API audience registered in the Auth0 dashboard, but the login flow breaks if the application isn't authorized to access that resource server. We went through multiple iterations of removing the audience for basic login, then adding it back for Token Vault — eventually landing on a clean separation where login works without an audience and Token Vault exchange happens server-side.

-The OAuth redirect flow for connecting services was another major challenge. Each "Connect" click triggers a full Auth0 login with a specific social connection, which reloads the page and wipes client-side state. We solved this by persisting connected services in localStorage and detecting the OAuth return via URL parameters.

  • Getting the risk classification UX right took several attempts. Early versions treated every action equally, which led to "approval fatigue" where users click Yes to everything without reading. The breakthrough was the 4-tier model with user-customizable overrides per scope — mirroring how human delegation naturally works.

-Network reliability from our development location also posed challenges — Groq API connections would occasionally reset, requiring retry logic and graceful fallback to demo mode.

Accomplishments that we're proud of

  • Auth0 running truly end-to-end — one tenant handles user identity and service authorization with no additional auth providers. The Token Vault integration uses the correct RFC 8693 exchange pattern with real API helpers for Google Calendar, Slack, and GitHub.

-The graceful degradation flow — disconnect a service mid-conversation and the agent handles it instead of crashing. This pattern doesn't exist in any other agent framework we've seen.

-The consent receipt — transforming an audit log into a downloadable PDF compliance artifact that enterprises actually need before deploying AI agents.

-The Risk Rules editor — letting users reclassify any scope's risk level with a single click, making the security model personal rather than one-size-fits-all. And the step-up authentication modal for critical operations like merging PRs.

-The design system — Bricolage Grotesque, Figtree, and IBM Plex Mono with the copper/obsidian palette creates something distinctive and memorable rather than generic.

What we learned

-Authorization for AI agents is a UX problem, not just an infrastructure problem. Token Vault handles the token management beautifully — storage, refresh, exchange, revocation. But the user-facing layer — showing what permissions are granted, what actions are planned, and giving users real control — is where trust actually gets built.

-Having Auth0 handle both user identity and service authorization through one platform simplified the architecture dramatically. No juggling multiple auth providers, no credential management across systems. One sign-in, one session, one source of truth.

-Progressive trust mirrors how humans actually delegate. You hand a new assistant your calendar without hesitation, but you wouldn't give them your email password on day one. The 4-tier model with configurable overrides encodes this natural pattern into software.

-The OAuth redirect challenge taught us that client-side state management and server-side auth flows need explicit bridging — localStorage persistence was the key.

What's next for Mandate

-Real-time token refresh triggers when health monitoring detects expiring tokens — proactively refreshing through Token Vault before the agent hits an expired token mid-action.

-Auth0 Actions integration for custom step-up authentication triggers — using Auth0's pipeline to enforce MFA or biometric verification for specific Token Vault operations.

-Organization-level permission policies where an admin sets base risk rules and individual users can only tighten them, never loosen — bringing Mandate from a personal tool to an enterprise deployment.

-More Token Vault connections — Salesforce, Jira, Linear, Notion, Microsoft 365 — expanding the agent's reach while keeping the same permission model.

-Packaging the risk classification and consent receipt patterns as an open-source library that any AI agent framework can adopt, turning Mandate's insights into reusable infrastructure.

Built With

Share this project:

Updates