Inspiration

Anyone who lives in a gated community or apartment complex knows the daily frustration of the security gate bottleneck. Delivery drivers (Amazon, UberEats, FedEx) stack up, guards frantically make phone calls to residents to get approval, and residents are annoyed by constant interruptions. I realized that an AI Agent could automate 90% of this process by cross-referencing incoming deliveries with a resident's actual digital footprint (like order confirmation emails). However, opening a physical security gate is a high-stakes action. An AI Agent shouldn't have unchecked power to grant physical access. I asked myself: How do I let an AI act autonomously when it is certain, but securely ask for human authorization when it is uncertain? The answer was Auth0 CIBA.

What it does

SafeGate AI is an intelligent security gate management system that blends AI autonomy with secure, human-in-the-loop authorization. When a delivery driver arrives at the gate, the guard enters the company name (e.g., "Amazon") and the flat number into the SafeGate Dashboard.

Autonomous AI Vetting: The SafeGate AI Agent securely scans the resident's recent emails (via Gmail API) looking for delivery confirmations matching that company and timeframe. If it finds a match, it autonomously verifies the driver and the gate opens instantly.

Authorized to Act (The Auth0 CIBA Flow): If the AI Agent cannot find a matching email, or if it detects anomalies, it pauses. It then uses Auth0 CIBA (Client-Initiated Backchannel Authentication) to send a secure, out-of-band push notification directly to the resident's authenticated mobile device. The resident reviews the request ("Amazon delivery at the gate") and taps "Approve" or "Deny". The AI Agent receives the Auth0 authorization token and executes the resident's decision, updating the guard's dashboard in real-time.
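The two decisions described above, as an added example that is not SafeGate's own code: when the agent may act alone, and how it should read CIBA poll-mode token responses so that everything except an issued token keeps the gate closed. The error codes are those defined by the OpenID CIBA Core specification; the function names (vetDelivery, nextStep, runPoll), the outcome labels and the sample responses are hypothetical and constructed for illustration.

```javascript
// Added example: fail-closed handling of CIBA poll-mode token responses.
// Error codes follow OpenID CIBA Core; all names and sample data are hypothetical.

// Step 1: the agent acts alone only on a clean email match; otherwise it escalates.
function vetDelivery({ emailMatch, anomalies }) {
  return emailMatch && anomalies.length === 0 ? 'OPEN_GATE' : 'ASK_RESIDENT';
}

// Step 2: interpret one token-endpoint response for a pending auth_req_id.
function nextStep(state, res) {
  if (res.status === 200 && res.body.access_token) return { ...state, outcome: 'OPEN_GATE' };
  switch (res.body.error) {
    case 'authorization_pending':            // resident has not answered yet
      return state;
    case 'slow_down':                        // spec: add at least 5 s to the interval
      return { ...state, interval: state.interval + 5 };
    case 'access_denied':                    // resident tapped "Deny"
      return { ...state, outcome: 'KEEP_CLOSED', reason: 'denied' };
    case 'expired_token':                    // auth_req_id timed out at the server
      return { ...state, outcome: 'KEEP_CLOSED', reason: 'expired' };
    default:                                 // anything unexpected fails closed
      return { ...state, outcome: 'KEEP_CLOSED', reason: 'error' };
  }
}

// Drive the poll loop over a constructed response sequence with a simulated clock,
// enforcing expires_in locally so a silent resident never leaves the gate in limbo.
function runPoll(authReq, responses) {
  let state = { interval: authReq.interval, elapsed: 0, outcome: null };
  for (const res of responses) {
    state.elapsed += state.interval;         // a real agent would sleep here
    if (state.elapsed > authReq.expires_in) break;
    state = nextStep(state, res);
    if (state.outcome) return state;
  }
  return { ...state, outcome: 'KEEP_CLOSED', reason: 'expired' };
}

// Constructed sample: pending, slow_down, pending, then approval.
const pending = { status: 400, body: { error: 'authorization_pending' } };
const sample = [pending, { status: 400, body: { error: 'slow_down' } }, pending,
  { status: 200, body: { access_token: 'constructed-token' } }];
console.log(vetDelivery({ emailMatch: false, anomalies: [] }),
  runPoll({ auth_req_id: 'constructed-id', expires_in: 120, interval: 5 }, sample));
```

In a deployment the responses would come from the identity provider's token endpoint rather than an array, and the gate controller would act only on the OPEN_GATE outcome.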
How I built it

Frontend: Built a responsive Guard Dashboard using React, Tailwind CSS, and Lucide Icons to give security personnel a clean, fast interface.

Backend: Powered by Node.js and Express, handling the core logic and API routing.

Real-time Communication: Implemented WebSockets (ws) to create a live connection between the backend, the Guard Dashboard, and the Resident App Simulator, ensuring approvals happen with zero latency.

The AI Agent: Integrated the Gemini API and Gmail API to allow the agent to intelligently parse and verify delivery confirmation emails.

The Authorization Layer: Implemented Auth0 CIBA as the critical security boundary. Instead of relying on easily spoofed SMS or phone calls, CIBA ensures that the approval request is sent securely to a pre-authenticated device, guaranteeing that the AI is authorized by the actual resident.

Challenges I ran into

The biggest challenge was designing the architecture for the Auth0 CIBA flow within a web-based prototype. CIBA is inherently asynchronous—the AI Agent has to make a request, wait for the user to interact with a completely different device, and then receive the token. I had to build a robust WebSocket architecture to simulate this decoupled mobile-device experience in the browser so judges could test the full end-to-end flow without needing to download a companion app. Additionally, tuning the AI Agent to accurately determine when it should act autonomously versus when it should trigger the CIBA fallback required careful logic to ensure security was never compromised.

Accomplishments that I am proud of

I am incredibly proud of successfully demonstrating the "Authorized to Act" paradigm. I didn't just build an AI that does things; I built an AI that knows when it isn't allowed to do things.
By integrating Auth0 CIBA, we proved that AI agents can be safely deployed in high-stakes, physical-world scenarios (like physical building security) by relying on enterprise-grade identity infrastructure for human-in-the-loop approvals.

What I learned

CIBA is a game-changer for AI: Client-Initiated Backchannel Authentication isn't just for banking; it is the perfect protocol for AI Agents. It provides a standardized, secure way for autonomous systems to page a human for cryptographic permission to proceed.

Trust requires boundaries: Users are much more comfortable with AI automation when they know there is a hard, identity-verified boundary that the AI cannot cross without their explicit tap of approval.

What's next for SafeGate AI

Native Mobile App: Replacing the web-based Resident Simulator with a native iOS/Android app utilizing Auth0's mobile SDKs for biometric approvals (FaceID/TouchID) before granting the AI permission to act.

Logistics API Integrations: Connecting the AI Agent directly to Amazon Logistics and UberEats APIs for even faster autonomous vetting.

License Plate Recognition (ALPR): Adding camera feeds so the AI Agent can automatically detect arriving delivery vehicles and initiate the vetting process before the guard even types a word.

Bonus Blog Post: Securing the Threshold with SafeGate AI

Building a visitor management system for apartment complexes isn't just about logging names; it’s about establishing Zero-Trust in a high-traffic, physical environment. When I started developing SafeGate AI, the biggest hurdle wasn't the AI logic—it was the sensitive nature of the data involved. We are talking about resident addresses, visitor IDs, and access logs. Handling this data securely while keeping the user experience seamless was my primary technical challenge.

This is where Token Vault became the cornerstone of the architecture. Initially, I struggled with the "security vs. speed" trade-off. I needed to ensure that even if a database was compromised, the sensitive PII (Personally Identifiable Information) of residents remained unreadable. Integrating Token Vault allowed me to offload the heavy lifting of encryption and tokenization.

One of my most significant technical achievements was implementing a just-in-time decryption flow for security guards. By using Token Vault, the system never stores raw sensitive data. Instead, it holds non-sensitive tokens that are only exchanged for real data at the moment a visitor is verified at the gate.

This journey taught me that true security is invisible. By abstracting the complexity of key management, I could focus on refining the Gemini-powered voice interface, knowing the "digital gate" was locked tight. SafeGate AI evolved from a simple logging tool into a robust, privacy-first security assistant, proving that even in a world of open AI, data remains a sacred, protected asset.
