Inspiration
AI agents are being deployed across enterprises at an accelerating pace — managing CRMs, reviewing code, monitoring infrastructure. But the authorization story for these agents is shockingly immature. Most multi-agent systems share a single API key, have no permission boundaries between teams, and offer zero human oversight for high-stakes actions. We saw the gap: there's no "Salesforce for AI agents" — no platform where enterprises can deploy, govern, and audit autonomous agents across teams with real security guarantees. Auth0 already solves identity, authorization, and consent for humans. We wanted to prove it can do the same for AI agents.
What it does
OrchestraOS is a multi-tenant AI agent orchestration platform where Auth0 is the trust layer. Four AI agents across two teams (Marketing and Engineering) each have their own Auth0 M2M identity, their own credential namespace in Token Vault, and fine-grained permissions governed by OpenFGA. When an agent tries to use a tool, OpenFGA checks whether a relationship tuple exists — no tuple, no access (fail-closed). When an agent attempts a high-sensitivity action like publishing to a shared company blog, CIBA triggers a Guardian push notification to a human approver. The agent pauses until the human taps Approve. Every action — allowed, denied, or approved — is logged in a full audit trail with the complete token delegation chain showing who delegated, which agent acted, and who approved.
How we built it
The backend is FastAPI with LangGraph StateGraphs for agent orchestration. Each agent is a state machine: check permission → (optional) request CIBA → wait for approval → execute → audit. OpenFGA checks happen before every action using the Auth0 FGA SDK with client credentials auth. CIBA uses Auth0's /bc-authorize endpoint with JSON-formatted login_hint containing the approver's Auth0 user ID, then polls /oauth/token until the Guardian approval lands. The frontend is Next.js 16 with Auth0 SDK v4, featuring a dark mission-control dashboard with real-time WebSocket event streaming, an OpenFGA permission matrix with live revoke, a CIBA approval queue with countdown timers, and an audit trail with collapsible token chain tree visualization. PostgreSQL stores the audit log. Everything is real — no mocks, no simulated auth flows.
Challenges we ran into
Getting CIBA working end-to-end was the hardest part. Auth0's login_hint parameter requires a JSON object with iss_sub format containing the Auth0 user ID — not a plain email address. This isn't obvious from the docs and took significant debugging. The OpenFGA SDK upgraded from 0.6.0 to 0.9.9 mid-project (pulled in by the auth0-ai package), which broke every import and changed the tuple write/check API. We also hit a subtle issue where Auth0 returns opaque encrypted tokens instead of JWTs when no API audience is configured — this caused silent CORS failures because the backend middleware crashed before CORS headers were added. Getting the Auth0 v4 Next.js SDK working with proxy.ts (the Next.js 16 convention replacing middleware.ts) and ensuring refresh tokens via offline_access scope were additional hurdles.
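The CIBA flow described above (POST to /bc-authorize with a JSON login_hint, then poll /oauth/token until the Guardian approval lands) as an added Python example; this is not OrchestraOS code. It assumes Auth0's documented CIBA endpoints, the iss_sub login_hint format named in the text, and the standard CIBA polling errors (authorization_pending, slow_down, access_denied, expired_token). The HTTP transport is injectable so the client can be exercised offline; the default transport does a real form-encoded POST with the standard library.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A transport takes (url, form fields) and returns (HTTP status, parsed JSON body).
# Injecting it keeps the client testable offline; the default below does a real POST.
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


def urllib_transport(url: str, fields: Dict[str, str]) -> Tuple[int, dict]:
    """Form-encoded POST, which is what Auth0's token endpoints expect."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # Pending and denied polls come back as 4xx with a JSON error body.
        return err.code, json.loads(err.read() or b"{}")


def build_login_hint(domain: str, user_id: str) -> str:
    """Auth0 expects a JSON object in iss_sub format naming the approver by
    Auth0 user ID (e.g. auth0|...), not a plain email address."""
    return json.dumps({"format": "iss_sub", "iss": f"https://{domain}/", "sub": user_id})


class CibaError(Exception):
    """Raised when the request is denied, expires, or the endpoint misbehaves."""


@dataclass
class CibaClient:
    domain: str
    client_id: str
    client_secret: str
    transport: Transport = urllib_transport
    sleep: Callable[[float], None] = time.sleep  # injectable so tests need not wait

    def _creds(self) -> Dict[str, str]:
        return {"client_id": self.client_id, "client_secret": self.client_secret}

    def start(self, approver_user_id: str, scope: str, binding_message: str,
              audience: Optional[str] = None) -> dict:
        """POST /bc-authorize; returns auth_req_id plus expires_in and interval."""
        fields = {
            **self._creds(),
            "scope": scope,
            "login_hint": build_login_hint(self.domain, approver_user_id),
            # Shown in the Guardian push so the human knows what they are approving.
            "binding_message": binding_message,
        }
        if audience:
            fields["audience"] = audience
        status, body = self.transport(f"https://{self.domain}/bc-authorize", fields)
        if status != 200 or "auth_req_id" not in body:
            raise CibaError(f"bc-authorize failed ({status}): {body}")
        return body

    def wait_for_approval(self, auth_req: dict) -> dict:
        """Poll /oauth/token with the CIBA grant until a token, a denial, or expiry."""
        interval = float(auth_req.get("interval", 5))
        budget = float(auth_req.get("expires_in", 300))
        fields = {**self._creds(), "grant_type": CIBA_GRANT, "auth_req_id": auth_req["auth_req_id"]}
        waited = 0.0
        while True:
            status, body = self.transport(f"https://{self.domain}/oauth/token", fields)
            if status == 200 and "access_token" in body:
                return body  # the human tapped Approve; the agent may resume
            err = body.get("error")
            if err == "authorization_pending":
                pass  # approver has not acted yet; keep the current interval
            elif err == "slow_down":
                interval += 5  # standard CIBA backoff: add 5 seconds to the interval
            elif err in ("access_denied", "expired_token"):
                raise CibaError(f"request ended without approval: {err}")
            else:
                raise CibaError(f"unexpected token response ({status}): {body}")
            if waited + interval > budget:
                raise CibaError("auth request expired before approval")
            self.sleep(interval)
            waited += interval
```

Usage is `client.start(approver_id, scope, message)` followed by `client.wait_for_approval(req)`; the agent should treat any `CibaError` as a denial and record it, so a timeout or a rejected push never lets the action proceed by default.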
Accomplishments that we're proud of
All four Auth0 pillars are genuinely integrated — not checkbox features, but load-bearing parts of the architecture. The CIBA flow works live: trigger an agent action, get a Guardian push on your phone, approve it, watch the agent resume and the audit entry appear with approved_by. OpenFGA is fail-closed — any error denies access, never silently passes. The permission matrix is live and interactive — you can revoke a tuple and immediately see the agent get denied. The token delegation chain visualization in the audit trail shows the complete trust path from user through agent to external API, including CIBA approvals. And the dark mission-control UI with staggered animations, scan-line effects, and monospace data labels genuinely looks like something enterprises would use.
What we learned
AI agents need identity, not shared API keys. Permissions need relationships (ReBAC), not roles — because the question isn't "is this agent an admin?" but "does this agent have a relationship with this specific tool?" High-stakes actions need human approval at the protocol level (CIBA), not just logging after the fact. Token Vault eliminates the "API key in .env" anti-pattern by storing credentials per agent and handing them out only to authorized callers. And the act claim in RFC 8693 token exchange creates an auditable delegation chain that makes every hop traceable and revocable. These aren't theoretical insights — we hit each one as a real design constraint and Auth0 had the answer.
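The fail-closed permission gate and audit trail described in "What it does" and "How we built it" (check permission, optional human approval, execute, audit), combined with the RFC 8693 act-claim delegation chain discussed above, as one added Python example; this is not OrchestraOS's own code. The OpenFGA call is abstracted behind an injected `check` callable (in a real deployment it would wrap the OpenFGA SDK's check), the approval step is an injected callable standing in for the CIBA round trip, and the agent, relation and tool names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional

# (user, relation, object) -> allowed. Injected so the gate runs offline;
# in production this wraps the OpenFGA SDK check call.
CheckFn = Callable[[str, str, str], bool]
# Takes the agent name, returns the approver's user ID, or None if they declined.
ApproveFn = Callable[[str], Optional[str]]


def delegation_chain(claims: dict) -> List[str]:
    """Flatten an RFC 8693 token into [original subject, ..., current actor].
    The outermost act claim is the current actor and nested act claims are
    prior actors, so the nesting is walked and reversed into delegation order."""
    actors: List[str] = []
    act = claims.get("act")
    while isinstance(act, dict):
        actors.append(act.get("sub", "?"))
        act = act.get("act")
    return [claims.get("sub", "?")] + actors[::-1]


@dataclass
class AuditEntry:
    at: str
    agent: str
    tool: str
    relation: str
    decision: str            # allowed | denied | approved | rejected
    chain: List[str]         # who delegated -> which agent acted
    reason: str = ""
    approved_by: Optional[str] = None
    result: object = None


@dataclass
class PermissionGate:
    check: CheckFn
    audit_log: List[AuditEntry] = field(default_factory=list)

    def is_allowed(self, agent: str, relation: str, tool: str):
        """Fail-closed: a missing tuple denies, and so does any SDK or network error."""
        try:
            ok = self.check(f"agent:{agent}", relation, f"tool:{tool}")
        except Exception as exc:
            return False, f"check failed: {type(exc).__name__}"
        return bool(ok), ("" if ok else "no relationship tuple")

    def run(self, agent: str, relation: str, tool: str, token_claims: dict,
            action: Callable[[], object], requires_approval: bool = False,
            approve: Optional[ApproveFn] = None) -> AuditEntry:
        """check permission -> (optional) human approval -> execute -> audit."""
        entry = AuditEntry(at=datetime.now(timezone.utc).isoformat(), agent=agent, tool=tool,
                           relation=relation, decision="denied",
                           chain=delegation_chain(token_claims))
        allowed, reason = self.is_allowed(agent, relation, tool)
        if not allowed:
            entry.reason = reason
        elif requires_approval:
            # No approver callable at all is treated like a rejection: still fail-closed.
            approver = approve(agent) if approve else None
            if approver is None:
                entry.decision, entry.reason = "rejected", "human approver declined or unavailable"
            else:
                entry.decision, entry.approved_by = "approved", approver
                entry.result = action()
        else:
            entry.decision = "allowed"
            entry.result = action()
        self.audit_log.append(entry)  # every outcome is recorded, not only successes
        return entry
```

The point worth checking in a real deployment is the third branch of `is_allowed`: an exception from the authorization SDK must map to a deny with a logged reason, never to an unhandled error that a caller might catch and treat as "no decision".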
What's next for OrchestraOS
Production deployment with Railway (backend) and Vercel (frontend) with full CI/CD. Real Token Vault connections to external services (HubSpot, GitHub, PagerDuty) replacing the current simulated responses. Cross-team delegation flows using RFC 8693 token exchange where Marketing's ContentBot requests Engineering's sprint data with a delegated token. A tuple management UI where team leads can grant and revoke cross-team permissions through the dashboard instead of API calls. Multi-tenant support with Auth0 Organizations so different companies can each run their own fleet of agents. And an agent marketplace where pre-built agents can be deployed with one click, automatically provisioned with the right M2M identity, Token Vault connections, and OpenFGA tuples.
Built With
- asyncpg
- auth0 (Universal Login, CIBA + Guardian, Token Vault, OpenFGA)
- auth0 /bc-authorize (CIBA)
- auth0 Management API
- datadog (simulated)
- fastapi
- github
- httpx
- hubspot
- langgraph
- next-themes
- next.js 16 (App Router)
- openfga check/write API
- pagerduty
- postgresql (TimescaleDB Cloud)
- pydantic
- python
- python-jose (JWT)
- react 19
- rfc 8693 token exchange
- shadcn/ui
- tailwind css 4
- typescript 5
- vercel (frontend deployment)
- local dev (backend deployment)
- websocket (FastAPI native, real-time)