The Problem
Every AI agent today is over-permissioned. When a developer connects an agent to GitHub or Google Calendar, they grant every scope "just in case." Nobody audits it. Nobody shrinks it. One compromised agent means full access to everything it was ever granted.
What Sanctum Does
Sanctum is an AI-powered permission minimizer with live enforcement via Auth0 Token Vault.
- Connect your services (GitHub + Google Calendar) through Auth0 Token Vault
- Run your AI agent — Sanctum instruments every API call and logs which OAuth scopes were actually used
- An LLM analyzes the scope usage and proposes a minimal permission policy
- Sanctum re-provisions tighter tokens via Auth0 Token Vault based on the AI's recommendation
- High-risk actions (delete repo, bulk export) trigger step-up authentication — a temporary elevated token is issued, the action completes, and the token is immediately revoked
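The scope-minimization step above, as an added example that is not Sanctum's own code: it replaces the LLM proposal with a plain set difference as a deterministic baseline and makes no Auth0 calls. The log record format, the `propose_policy` name, and the choice of `delete_repo` as the only high-risk scope are assumptions; the grants and log lines are constructed sample data.

```python
import json
from collections import defaultdict

# Scopes treated as high-risk: never standing, issued only via step-up.
# Assumption: delete_repo stands in for the page's "delete repo" action.
HIGH_RISK = {"delete_repo"}

# Constructed sample: what the developer granted "just in case".
GRANTED = {
    "github": {"repo", "delete_repo", "workflow", "gist", "read:org"},
    "google-calendar": {
        "https://www.googleapis.com/auth/calendar",
        "https://www.googleapis.com/auth/calendar.events.readonly",
    },
}

# Constructed sample: one JSON record per instrumented API call.
CALL_LOG = """\
{"service": "github", "call": "GET /repos/acme/app/issues", "scope": "repo"}
{"service": "github", "call": "POST /repos/acme/app/issues", "scope": "repo"}
{"service": "github", "call": "DELETE /repos/acme/tmp", "scope": "delete_repo"}
{"service": "google-calendar", "call": "GET /calendars/primary/events", "scope": "https://www.googleapis.com/auth/calendar.events.readonly"}
{"service": "github", "call": "GET /user/keys", "scope": "read:public_key"}
"""

def propose_policy(granted, log_text, high_risk=HIGH_RISK):
    """Split each service's granted scopes into standing / step_up / revoke."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            used[rec["service"]].add(rec["scope"])
    policy = {}
    for service in sorted(set(granted) | set(used)):
        have, seen = granted.get(service, set()), used[service]
        policy[service] = {
            "standing": sorted((have & seen) - high_risk),  # keep on the token
            "step_up": sorted(have & seen & high_risk),     # temporary only
            "revoke": sorted(have - seen),                  # never exercised
            "ungranted": sorted(seen - have),               # calls outside grant
        }
    return policy

if __name__ == "__main__":
    print(json.dumps(propose_policy(GRANTED, CALL_LOG), indent=2))
```

The `ungranted` bucket lists scopes the agent attempted to use that were never granted, which is worth reviewing before any policy is re-provisioned.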
The Core Insight: Mission Authorization vs. Standing Permissions
Traditional OAuth gives agents standing permissions — broad, permanent, unaudited. Sanctum introduces mission authorization — every agent earns its access, scoped to exactly what the task requires, for exactly as long as needed. This is the model enterprise security teams have wanted but had no tooling for.
How Auth0 Token Vault Powers This
Token Vault sits between Sanctum and every connected service. Raw tokens never touch our application code. The AI's policy decisions are enforced at the identity layer — not as application logic that can be bypassed. When Sanctum revokes a scope, it's gone. When step-up fires, Auth0 handles the elevation and the revocation automatically.
Scalability
The architecture works with any OAuth-connected service. The demo uses 2 connections (GitHub + Google Calendar) — but the same broker pattern extends to all 35+ providers Auth0 supports. Every company running AI agents needs this.
BONUS BLOG POST
Mission Authorization: Why Your AI Agent Shouldn't Have Standing Permissions
Here's an uncomfortable truth about AI agents: they're all over-permissioned, and nobody is checking.
When you connect an AI agent to GitHub, you grant it read/write access to repos, issues, pull requests, and sometimes even delete permissions — because the OAuth consent screen makes it easier to click "Allow All" than to think carefully about what the agent actually needs. Then you forget about it. The agent keeps those permissions forever.
This is what I call the standing permissions problem, and it's the biggest unaddressed security gap in the agentic AI boom.
Standing permissions means an agent has access granted once, broadly, and indefinitely. Mission authorization means an agent earns access for a specific task, scoped to exactly what that task requires, for exactly as long as the task runs.
The difference sounds philosophical. It isn't. A standing-permission agent that gets prompt-injected, jailbroken, or compromised hands an attacker everything it was ever granted. A mission-authorized agent hands an attacker nothing — because by the time anyone notices, the token has already expired.
Sanctum is built on this principle. It uses Auth0 Token Vault to enforce mission authorization in practice: watching what scopes an agent actually uses, using an LLM to propose the minimum viable permission set, and re-provisioning tighter tokens through Auth0's identity layer. The AI decides the policy. Auth0 enforces it. The agent earns its access. Nothing more.
The reason this matters at scale: every company deploying AI agents is making the same mistake right now. They're trusting agents with standing permissions because they have no tooling to do otherwise. Sanctum — and the mission authorization pattern it demonstrates — is that tooling. Token Vault makes it possible because custody of credentials stays in the identity layer, not scattered across application code where it can be leaked, logged, or stolen.
Agent safety isn't just about what the model decides to do. It's about what the model is physically capable of doing. Mission authorization, enforced through Auth0 Token Vault, closes that gap.