Inspiration
The problem: Navigating healthcare services is broken. Checking whether a specialist is covered by your insurance, finding available appointments, and managing medications requires jumping between 4–5 different portals. It's time-consuming, error-prone, and stressful. What is needed is a secure integrator that keeps control in the user's hands.
What it does
MediCheck is an AI-powered healthcare navigation agent that handles this entire workflow on a patient's behalf — in a single conversation.
Ask "I have knee pain, can I see a specialist?" and the agent:
- Checks your medical history from your EHR
- Verifies insurance coverage for orthopedics
- Finds available appointment slots
- Books the appointment
- Sends a confirmation email
The security innovation — Auth0 Token Vault: Healthcare data is among the most sensitive data that exists. MediCheck uses Auth0 Token Vault (Auth0 for AI Agents) to give each health service its own isolated OAuth token stored in app_metadata. The agent fetches tokens at runtime only when calling a specific tool — tokens never touch the browser or app database.
The result: users can grant and revoke per-service access at any time with instant effect. Revoke insurance access and the agent immediately loses that capability — no re-deploy needed, no session invalidation. This is what genuine user control over an AI agent looks like.
How we built it
- Authentication: Auth0 v4
- Token Vault: Auth0 Management API — tokens stored in app_metadata.token_vault
- Framework: Next.js 16 (App Router, TypeScript) on Vercel
- AI: GPT-4o via OpenAI + Vercel AI SDK v6 (streamText, tool calling)
- Email: Resend (appointment confirmations)
- Medications: OpenFDA public API (real drug data)
- Mock services: EHR, Insurance, Appointments, Pharmacy APIs with Bearer token validation
- Token Vault flow: When the AI calls a tool → getServiceToken(userId, serviceId) fetches from Auth0 Management API → if present, calls the health service with Authorization: Bearer → if absent, returns NOT_AUTHORIZED and prompts the user to connect the service.
Challenges we ran into
- Accessing service token updates after changes
- Configuring environment variables from the Auth0 portal on Vercel
- Handling Vercel deployment errors
Accomplishments that we're proud of
- Successfully implemented authentication using username/password and a Google social connection
- Building a smooth chatbot UI using Next.js and the Vercel AI SDK
- Integrating email using Resend and fetching OpenFDA data
What we learned
Auth0 Token Vault changes how you think about AI agent permissions. Rather than authenticating an agent globally, you give it the minimum access it needs for each operation. This per-service isolation means a compromised prompt or hallucination cannot cascade across all services — the damage is bounded to whatever tokens exist at that moment. It's the principle of least privilege applied to AI agents, and it makes agentic applications genuinely safe to deploy.
What's next for MediCheck
- Real authentication flow with real services
- Implementation for doctors/health service providers as well
- Mobile/PWA app
- Voice/Video consultation
Bonus Blog Post
When I started building MediCheck, the hardest question wasn't "how do I make the AI smart?" — it was "how do I make the AI trustworthy?"
Healthcare data is among the most sensitive information a person has. The moment I framed the project as "an AI that acts on your behalf," I ran into a fundamental tension: agents need access to act, but users need control to trust. Giving the AI a single long-lived credential felt wrong — one leaked token and everything is exposed. Scoping permissions per-action was too granular to manage. I needed something in between.
That's where Token Vault clicked for me. The insight is simple but powerful: each service gets its own isolated token, fetched only at the moment the agent needs it. No pre-loading, no caching on the client, no god-credential. The agent has to earn access on every tool call.
Getting there wasn't smooth. Auth0 v4, Next.js 16, and Vercel AI SDK v6 all landed with breaking changes simultaneously — routing conventions changed, middleware moved, the session API was restructured. I spent more time reading node_modules source than I'd like to admit. The proxy middleware approach for Next.js 16 was particularly underdocumented.
The moment that made it worth it: demoing the revocation flow. Revoke the Insurance token mid-conversation, ask about coverage — the agent immediately responds "I can't check that, you've disconnected insurance." Reconnect it, ask again — works instantly. No restart, no re-login. That live, granular control is what Token Vault uniquely enables, and it's exactly what healthcare AI needs.
Built With
- auth0
- auth0-management-api
- auth0-token-vault
- gpt-4o
- nextjs
- openfda
- resend
- vercel-ai-sdk