Project Aegis

Aegis acts as a intermediary between your local AI and your apps ,so your AI can take actions on your behalf without holding your credentials. Every action is risk-scored and traceable back to you.

Comment

Inspiration

Upon reading the hackathon brief, one problem stood out immediately: as local AI models become more powerful, users want their AI to act in their digital lives, but handing an AI your OAuth tokens is like giving a stranger your house keys. We wanted to build the security layer that makes AI agency safe by default - and so we came up with Project Aegis (Aegis is the shield of Zeus and Athena in Greek mythology), a secure intermediary that acts as a middleman between the AI and the user.

What it does

Aegis is a secure AI agent dashboard that acts as an intermediary between your local AI and your apps. You type a task in plain English such as "create a weekly plan in Notion" and Aegis executes it on your behalf without the AI ever seeing your credentials. Every task is risk-scored before it runs, and every action is recorded in a cryptographically signed provenance chain so nothing can happen without your knowledge.

How we built it

We built Aegis with a Python FastAPI backend and a React frontend. The AI reasoning layer uses Groq (Llama 3.3 70B) for the orchestrator agent and Llama 3.1 8B for lightweight checks like risk scoring and intent drift detection. Auth0 Token Vault sits at the core - it holds all OAuth tokens and issues short-lived scoped tokens to the agent per action.

The provenance chain uses HMAC-SHA256 signing with linked hashes, making the audit trail tamper-evident. Formally, each record $r_i$ is signed as:

$$\text{sig}(r_i) = \text{HMAC}{\text{SHA256}}(k,\ r_i.\text{id}\ |\ r_i.\text{agent}\ |\ r_i.\text{action}\ |\ r_i.\text{hash}\text{prev})$$

where $k$ is the server secret and $|$ denotes concatenation. Each record also stores:

$$h_i = \text{SHA256}(r_{i-1}.\text{id}\ |\ r_{i-1}.\text{timestamp}\ |\ r_{i-1}.\text{payload_hash})$$

This forms a linked chain where tampering with any record breaks verification of all subsequent records.

The frontend streams live activity updates via Server-Sent Events (SSE) so users see exactly what the agent is doing in real time.

Challenges we ran into

The biggest challenge was the token delegation problem — Auth0 Token Vault secures the first handshake, but in a multi-agent system tokens can be passed between sub-agents invisibly. We built a provenance tracker that signs every action at every hop in the chain, solving this.

We also faced issues with Google OAuth verification blocking our Gmail integration, which led us to focus the demo solely on Notion while designing the architecture to be platform-agnostic.

Accomplishments that we're proud of

We're proud of the token provenance chain ; the idea that no single party in the system can act on your behalf alone:

Party Holds token? Can act alone?
Auth0 Token Vault
Aegis
The AI agent
You ✓ (consent key)

The natural language permissions system is also something we're proud of : typing "never delete anything" and having it automatically parsed and enforced is genuinely useful for non-technical users.

What we learned

We learned how to structure a Python FastAPI backend with modular agents and tools, how to stream real-time events from a backend to a React frontend using Server-Sent Events, and how to manage environment variables securely across local and production environments.

Deploying the backend to Render and the frontend to Vercel taught us how production deployments actually work , from pinning Python versions to debugging build failures caused by package incompatibilities. We also learned how Git history works in practice, including how to strip accidentally committed secrets from a repository before pushing to GitHub.

Perhaps most importantly, we learned that building a working product end to end : from idea to live deployed URL — involves far more infrastructure decisions than the code itself, and that getting those foundations right is what separates a demo from something real.

What's next for Project Aegis

Currently built for Notion, Aegis is designed to expand to Gmail, Slack, Google Calendar, and any OAuth-connected service via Auth0 Token Vault connections. We also want to add:

  • Real-time undo for any action within a 5-minute window
  • Visual provenance graph showing the full agent decision tree for each completed task
  • Hop-depth limits enforced cryptographically — a token that has passed through $n > 3$ agents is automatically invalidated

Bonus Blog Post

Building Aegis taught me something I didn't expect: the hardest part of AI agent security isn't the AI. It's the identity layer.

When I first started thinking about this project, the problem seemed simple : stop the AI from holding user credentials. But the moment I started building, I realised how deep that rabbit hole goes. OAuth tokens have to live somewhere. Someone has to hold them. The question is who, and what can they do with them.

Auth0 Token Vault answered that question cleanly. Instead of Aegis storing your Notion token in a database, Token Vault holds it. When the agent needs to act, Aegis requests a short-lived scoped token for that one action. The token is used, then discarded. The AI never sees it. Even Aegis doesn't hold it persistently.

What surprised me most was how this changes the threat model entirely. With traditional credential storage, a compromised agent means a compromised account — permanently. With Token Vault, a compromised agent has nothing to steal. There are no long-lived credentials sitting anywhere.

The second insight was about multi-agent systems. Token Vault secures the first handshake — the moment the user delegates to the application. But in a chain of sub-agents, tokens can be passed invisibly between agents with no audit trail. That's why I built the provenance chain so that every action at every hop is signed, linked, and verifiable. Token Vault handles the credential security. The provenance chain handles the accountability.

Deploying this end to end ( from local development to Render and Vercel ) was also a significant learning experience. Getting environment variables right across local, staging, and production, handling Python version pinning, stripping secrets from git history before pushing — these are the unglamorous parts of building real software that no tutorial covers properly.

Aegis is what I wish existed when I first started thinking about giving AI agents access to my accounts. Something that says: yes, your AI can act — but you stay in control.

Built With

  • auth0
  • fastapi
  • groqapi
  • hmac-sha256
  • javascript(react)
  • notionapi
  • python
  • python-dotenv
  • render
  • vercel
  • vite
Share this project:

Updates