Auth0 Tenant: dev-fukzjiacq4tif7w5

Inspiration

AI agents are rapidly gaining autonomous access to production APIs — deleting databases, revoking access, transferring funds — all without human oversight. The moment an LLM misclassifies intent or hallucinates a "cleanup" action, there's no guardrail between the agent and catastrophe.

We asked: What if every destructive AI agent action required human step-up authorization, powered by Auth0 Token Vault?

That question became Midosoc — a zero-trust gateway that sits between AI agents and protected resources, suspending destructive requests in memory until a human SOC analyst explicitly authorizes them through Auth0.

What it does

Midosoc intercepts every API call an AI agent makes and classifies its intent using an LLM-powered policy engine:

• Safe actions (read data, check weather) pass through instantly — zero friction
• Destructive actions (delete database, revoke access) are suspended in RAM — the agent's HTTP connection literally hangs until a human decides

A real-time SOC dashboard shows pending threats with forensic analysis: risk level, confidence score, LLM rationale, and flagged markers. When an analyst approves, Auth0 Token Vault issues an M2M delegation token via Client Credentials flow. The agent only receives the token after human authorization. It then uses that token to call the protected external API.

If denied, no token is ever generated. The agent gets a 403. Zero trust, enforced at the authorization layer.

How we built it

The suspended-socket pattern is the architectural core. When a destructive request arrives, Express holds the HTTP response object in memory inside a queue. The agent's connection stays open — no polling, no webhooks. The moment a human approves on the dashboard, the response is flushed back to the agent with the vault token. This creates a true synchronous human-in-the-loop without changing how agents make API calls.

Stack:

• Backend: Node.js, Express 5, Zod validation, Pino structured logging
• Policy Engine: OpenAI GPT-4o-mini for intent classification, with static heuristic fallback
• Frontend: Next.js 16 (App Router), React 19, Tailwind CSS 4, shadcn/ui
• Auth: Auth0 Universal Login (Google social connection), Auth0 Token Vault (M2M Client Credentials), @auth0/nextjs-auth0 v4
• Real-time: Server-Sent Events (SSE) with polling fallback
• Deployment: GCP Cloud Run (both services), Docker
• Testing: Jest, 14 automated tests

Auth0 Integration

Auth0 plays two critical roles:

1. Human authentication — SOC analysts sign in via Auth0 Universal Login (Google social login). Their identity is captured in the audit trail on every approve/deny decision.

2. Token Vault delegation — On approval, Auth0 Token Vault issues an M2M token via Client Credentials flow. This token is the only way the agent can access the protected external API. No human approval = no token = no access.

This creates a delegation chain: Human authenticates → Reviews threat → Authorizes → Auth0 issues scoped token → Agent executes with that token. The agent never has standing access to destructive operations.

Challenges

The NEXT_PUBLIC_ build-time trap. Next.js inlines NEXT_PUBLIC_* environment variables into the JavaScript bundle at build time. Deploying to Cloud Run with runtime env vars had no effect on client-side code. We solved this by separating build-time vars (for the client) from runtime vars (for server-side API routes).

Middleware file naming. The Auth0 SDK middleware in Next.js must be in a file named middleware.ts — our file was named proxy.ts and was silently ignored. Auth0 routes (/auth/login, /auth/callback) returned 404 until we caught this.

Suspended socket lifecycle. Holding HTTP connections in RAM on a serverless platform required careful handling — Cloud Run's request timeout, container scaling, and connection draining all interact with long-lived requests. We tuned timeouts and verified the pattern works with scale-to-zero.

What we learned

• Auth0 Token Vault is a natural fit for human-in-the-loop AI authorization — the delegation model maps perfectly to "human approves, agent receives scoped token"
• The suspended-socket pattern is surprisingly simple and effective — no message queues, no webhooks, just holding a reference to the response object
• LLM intent classification with heuristic fallback gives both accuracy and reliability — if the LLM is unavailable, keyword matching catches destructive actions
• SSE over polling makes a dramatic difference in demo quality — threats appear on the dashboard in under 100ms

What's next

• Persistent storage for the queue (currently in-memory — lost on restart)
• Webhook notifications for mobile SOC analysts
• Multi-agent policy management with per-agent permission scopes
• Auth0 Organizations for multi-tenant SOC teams

---

📝 Blog Post: Why Auth0 Token Vault Changes Everything for AI Agent Authorization

The rise of autonomous AI agents creates a fundamental authorization problem that traditional auth patterns can't solve. When a human calls an API, you authenticate them. But when an AI agent calls an API on behalf of a human — who authorized that specific action?

Most agent frameworks solve this with long-lived API keys or broadly-scoped OAuth tokens. The agent gets a token once and uses it for everything — safe or destructive. There's no distinction between "read the weather" and "delete the production database." Both use the same credential.

Auth0 Token Vault introduces a different model: delegated, just-in-time authorization.

In Midosoc, we use Token Vault's Client Credentials flow as a conditional gate. The M2M token is never pre-issued. It doesn't exist until a human explicitly approves a specific action. The flow works like this:

1. Agent sends a request through the Midosoc gateway
2. The policy engine classifies intent — safe actions pass through, destructive ones are suspended
3. A human SOC analyst reviews the forensic analysis on the real-time dashboard
4. On approval, Token Vault issues a scoped M2M token at that exact moment
5. The agent receives the token and uses it to call the protected API

The key insight is that Token Vault's Client Credentials flow maps naturally to human-in-the-loop delegation. The "client" requesting the token is the gateway acting on behalf of the human decision. The token represents not just machine identity, but human-verified intent.

This pattern scales beyond security operations. Any workflow where AI agents need conditional access to sensitive resources — financial transactions, infrastructure changes, PII access — benefits from this model. The agent never holds standing credentials. Every destructive action requires fresh, human-authorized delegation.

Token Vault doesn't just store tokens. It enables a new authorization primitive: human step-up for AI agents.

Built With

• auth0
• cloud
• css
• docker
• express.js
• google
• next.js
• node.js
• openai
• python
• react
• run
• shadcn/ui
• tailwind
• token
• vault