About the Project
Inspiration
In a world moving toward "Sovereign AI" (like OpenClaw), AI agents are increasingly handling real financial assets. We asked ourselves: What happens if an agent goes rogue? If a "Notifier Agent" suddenly decides to "Freeze an Account," or an "Analyzer Agent" tries to move funds, the financial system breaks. We built FinStream Guardian to prove that AI autonomy doesn't have to mean a lack of control.
What it does
FinStream Guardian is a multi-agent system (orchestrated via LangGraph) that monitors a live stream of financial transactions.
The Guardrail: Each agent is treated as a first-class identity.
The Security: We use Auth0 for AI Agents Token Vault to ensure that when an agent needs to interact with the "Mock Bank API," it can only retrieve tokens for actions within its predefined scope.
Accomplishments that we're proud of
Even if an LLM hallucination or a malicious prompt tells an agent to "Transfer $1M," the system blocks it at the identity layer because that agent lacks the Auth0-backed token for that specific action.
How We Built It
Core: Python/FastAPI backend with a React/Vite frontend.
Orchestration: LangGraph manages the state machine between the Supervisor, Analyzer, Auditor, and Freezer agents.
Identity & Security: We integrated Auth0 for AI Agents. We used the Token Vault to store and rotate scoped credentials for our internal "Bank Service."
Cryptographic Integrity: Every agent action is signed with Ed25519 (PyNaCl) and verified against a registry in Supabase before the Supervisor allows the state transition.
Streaming: Real-time transaction simulation via Kafka and WebSockets for the live dashboard.
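The signing-and-registry check described under Cryptographic Integrity, as an added example that is not FinStream Guardian's code: each agent signs its proposed action with its Ed25519 key, and the Supervisor looks the agent's public key up in a registry, verifies the signature, checks that the action is one that agent is permitted to take, and rejects stale envelopes before allowing the transition. It assumes PyNaCl (the library the page names; if it is absent the block falls back to the same algorithm from the `cryptography` package), an in-memory dict `REGISTRY` standing in for the Supabase table, and constructed agent names, keys and permitted actions.

```python
# Added illustration: Ed25519-signed agent actions checked against a key
# registry before a state transition. Not the project's code; the in-memory
# REGISTRY stands in for the Supabase table the page mentions.
import json
import time

try:  # PyNaCl, the library named on the page
    from nacl.signing import SigningKey, VerifyKey
    from nacl.exceptions import BadSignatureError

    def new_signing_key():
        return SigningKey.generate()

    def public_bytes(sk):
        return bytes(sk.verify_key)  # raw 32-byte public key

    def sign_bytes(sk, msg):
        return bytes(sk.sign(msg).signature)  # detached 64-byte signature

    def verify_bytes(pub, msg, sig):
        try:
            VerifyKey(pub).verify(msg, sig)
            return True
        except BadSignatureError:
            return False
except ImportError:  # fallback (assumption): same algorithm via 'cryptography'
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ed25519

    def new_signing_key():
        return ed25519.Ed25519PrivateKey.generate()

    def public_bytes(sk):
        return sk.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw)

    def sign_bytes(sk, msg):
        return sk.sign(msg)

    def verify_bytes(pub, msg, sig):
        try:
            ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, msg)
            return True
        except InvalidSignature:
            return False


def canonical(body: dict) -> bytes:
    """Deterministic JSON so signer and verifier operate on identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_action(agent_id, sk, action, payload, ts=None):
    """Agent side: produce a signed envelope for one proposed action."""
    body = {"agent_id": agent_id, "action": action, "payload": payload,
            "ts": int(time.time()) if ts is None else ts}
    return {**body, "sig": sign_bytes(sk, canonical(body)).hex()}


def verify_action(env, registry, now=None, max_age=60):
    """Supervisor side: authenticity, then authorization, then freshness."""
    entry = registry.get(env.get("agent_id"))
    if entry is None:
        return False, "unknown agent"
    try:
        sig = bytes.fromhex(env["sig"])
    except (KeyError, ValueError):
        return False, "malformed signature"
    body = {k: v for k, v in env.items() if k != "sig"}
    # The public key comes from the registry, never from the envelope, so an
    # agent cannot claim another agent's identity by supplying its own key.
    if not verify_bytes(entry["pub"], canonical(body), sig):
        return False, "bad signature"
    if body["action"] not in entry["allowed"]:
        return False, f"{body['agent_id']} not permitted: {body['action']}"
    now = time.time() if now is None else now
    if abs(now - body["ts"]) > max_age:  # limits replay of an old envelope
        return False, "stale action"
    return True, "ok"


# Constructed agent identities mirroring the page's Analyzer and Freezer roles.
KEYS = {"analyzer": new_signing_key(), "freezer": new_signing_key()}
REGISTRY = {
    "analyzer": {"pub": public_bytes(KEYS["analyzer"]), "allowed": {"flag_transaction"}},
    "freezer": {"pub": public_bytes(KEYS["freezer"]), "allowed": {"freeze_account"}},
}


def run_demo(now=1_700_000_000):
    r = {}
    ok = sign_action("analyzer", KEYS["analyzer"], "flag_transaction", {"tx": "t-1"}, now)
    r["ok"] = verify_action(ok, REGISTRY, now)
    rogue = sign_action("analyzer", KEYS["analyzer"], "freeze_account", {"account": "a-1"}, now)
    r["out_of_scope"] = verify_action(rogue, REGISTRY, now)   # valid signature, wrong role
    frz = sign_action("freezer", KEYS["freezer"], "freeze_account", {"account": "a-1"}, now)
    r["tampered"] = verify_action(dict(frz, payload={"account": "a-2"}), REGISTRY, now)
    spoof = sign_action("analyzer", KEYS["freezer"], "flag_transaction", {"tx": "t-2"}, now)
    r["impersonation"] = verify_action(spoof, REGISTRY, now)  # freezer key, analyzer id
    r["unknown"] = verify_action(dict(ok, agent_id="ghost"), REGISTRY, now)
    r["replayed"] = verify_action(ok, REGISTRY, now + 3600)   # old envelope presented later
    return r
```

The order of checks matters: the signature is verified with the registry's key before the permitted-action set is consulted, so a well-formed envelope that merely names a privileged agent gains nothing, and a correctly signed request for an action outside the agent's role is still refused. In the real deployment the registry row would be the Supabase record and the `now`/`max_age` window would be tuned to the pipeline's latency.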
Challenges we ran into
The biggest hurdle was implementing "Least Privilege" at the agent level. Most AI frameworks give agents broad API keys. By switching to Auth0 Token Vault, we had to rethink our architecture so that the agent requests a short-lived, scoped token right before acting, effectively killing the "permanent API key" vulnerability.
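The short-lived, scoped token flow described here, together with the blocked "Transfer $1M" instruction under Accomplishments, as an added, stdlib-only illustration that is not the project's code and not Auth0's Token Vault API: a stand-in vault issues HMAC-signed tokens with a 30-second TTL only for a scope the requesting agent holds, and the mock bank API checks authenticity, expiry and scope before it acts. The agent names, scope strings, TTL and shared secret are constructed for the example.

```python
# Added illustration of least privilege at the agent level: short-lived,
# scoped tokens requested right before acting. Stand-in for the Token Vault
# pattern the page describes, not Auth0's API. Stdlib only.
import hashlib
import hmac
import json
import secrets
import time

VAULT_SECRET = secrets.token_bytes(32)  # constructed: shared by vault and bank API
TOKEN_TTL = 30  # seconds; constructed value

# Per-agent scope policy (constructed to mirror the page's agent roles).
# Note that no agent is granted "transactions:transfer" at all.
AGENT_SCOPES = {
    "analyzer": {"transactions:read"},
    "freezer": {"accounts:freeze"},
    "notifier": {"notifications:send"},
}


def _mac(fields: dict) -> str:
    """HMAC over canonical JSON so the bank can verify issuance without a lookup."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VAULT_SECRET, msg, hashlib.sha256).hexdigest()


def request_token(agent_id, scope, now=None):
    """Vault side: issue a short-lived token only for a scope the agent holds."""
    now = time.time() if now is None else now
    if scope not in AGENT_SCOPES.get(agent_id, set()):
        return None  # denied at the identity layer; nothing to present to the bank
    fields = {"sub": agent_id, "scope": scope, "exp": int(now) + TOKEN_TTL,
              "jti": secrets.token_hex(8)}
    return {**fields, "mac": _mac(fields)}


def validate_token(token, required_scope, now=None):
    """Bank API side: authenticity, then expiry, then scope."""
    now = time.time() if now is None else now
    if not isinstance(token, dict) or "mac" not in token:
        return False, "no token"
    fields = {k: v for k, v in token.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), token["mac"]):
        return False, "forged token"
    if now >= fields["exp"]:
        return False, "expired token"
    if fields["scope"] != required_scope:
        return False, f"scope {fields['scope']} cannot {required_scope}"
    return True, "ok"


def bank_transfer(token, amount, now=None):
    """Mock bank endpoint that requires the transfer scope."""
    ok, why = validate_token(token, "transactions:transfer", now)
    return (True, f"transferred {amount}") if ok else (False, why)


def run_demo(now=1_700_000_000):
    r = {}
    # A prompt-injected analyzer asks the vault for transfer rights: refused.
    r["vault_refuses_transfer"] = request_token("analyzer", "transactions:transfer", now) is None
    # It presents its legitimate read token to the transfer endpoint instead.
    read = request_token("analyzer", "transactions:read", now)
    r["wrong_scope"] = bank_transfer(read, 1_000_000, now)
    # It edits the scope claim in the token it holds: HMAC no longer matches.
    r["forged"] = bank_transfer(dict(read, scope="transactions:transfer"), 1_000_000, now)
    # A token kept past its TTL is useless even for its own scope.
    r["expired"] = validate_token(read, "transactions:read", now + TOKEN_TTL + 1)
    # Legitimate, in-scope, in-window use still works for both agents.
    r["read_ok"] = validate_token(read, "transactions:read", now + 5)
    frz = request_token("freezer", "accounts:freeze", now)
    r["freeze_ok"] = validate_token(frz, "accounts:freeze", now + 1)
    return r
```

Two properties carry the security argument: the vault refuses to mint a token outside the agent's registered scopes, so the instruction never produces a credential, and the bank never trusts the caller's claim about its own scope, only the MAC the vault attached. A permanent broad API key has neither property, which is the "permanent API key" weakness the paragraph above describes.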
What we learned
We learned that Identity is the new Perimeter for AI. By giving each agent a verifiable identity via Auth0, we can audit not just what happened, but who (which specific agent) authorized it, creating a foolproof audit trail for financial compliance.
What's next for PolyVault: a FinStream Guardian
We will implement a method with Auth0 that replicates properties of a blockchain.
Built With
- auth0-for-ai-agents
- ed25519
- fastapi
- javascript
- kafka
- langgraph
- pynacl
- python
- react
- supabase
- tailwind-css
- token-vault
- vite
- websockets