-
-
AgentVault
Inspiration
AI agents are getting powerful. They can send your emails, book your meetings, even handle payments. But here's the question nobody's asking — who's watching what they do?
I watched a Calendar Agent during testing enthusiastically book 14 meetings in a row because I asked it to "find time for my weekly syncs." It wasn't malicious. It was just thorough. And it had write:calendar scope with zero guardrails.
That moment is what built AgentVault.
What it does
AgentVault is a real-time AI agent authorization control center powered by Auth0 Token Vault.
It lets you:
- See exactly what each agent can do — scopes listed per agent, not buried in config files
- Revoke any agent's token instantly — one click cuts off access via Token Vault, no code change needed
- Require step-up authentication for high-risk actions — payments, deletions, and bulk sends trigger an MFA challenge before the agent receives an elevated token
- Audit every action — full log of what each agent did, what scope it used, and whether it was allowed, denied, or escalated
Agents should operate like contractors with access badges — scoped to what they need, auditable at all times, and unable to enter restricted areas without explicit human approval.
How we built it
Stack: Next.js 14 (App Router), @auth0/nextjs-auth0, Auth0 Token Vault, TypeScript, Tailwind CSS, Vercel.
Auth0 Token Vault integration
Each AI agent is assigned a set of OAuth scopes at registration. Those scopes — and the credentials backing them — live in Token Vault, never in environment variables or application memory.
When an agent performs an action:
Agent requests token → Token Vault validates scope → Short-lived token issued (1hr TTL)
For high-stakes actions (payments, mass sends, deletions):
Agent action flagged → Step-up modal shown to user → Auth0 MFA challenge
→ Elevated token issued (5 min TTL, scoped to one action) → Action proceeds + logged
Revocation calls the Auth0 Management API to delete the credential from Token Vault — immediately cutting off the agent with zero redeployment.
API routes
/api/auth/[auth0] → Auth0 login / logout / callback
/api/agents → List agents + their scopes and status
/api/agents/revoke → POST to revoke a token from Token Vault
/api/agents/stepup → POST to approve or deny a high-risk action
/api/audit → Full action history log
Challenges we faced
Making step-up feel like safety, not friction. Step-up modals can feel like roadblocks. We designed it to clearly show what the agent wants to do, why approval is needed, and what issuing the token means — 5-minute TTL, one action, fully logged. The goal was confidence, not anxiety.
Token lifecycle UX. Showing expiry countdowns and helping users understand what "revoke" actually does at the Token Vault level required careful UI copy. We added an expandable Details panel to each agent card for exactly this.
Scope granularity. Too coarse (write:*) and the security model is meaningless. Too fine (send:email:to:specific-domain) and it's unmanageable. We landed on action-level scopes — send:email, write:calendar, read:finance — as the right abstraction for real-world agent use cases.
What we learned
- Token Vault solves the hardest part of agent auth — credential rotation and instant revocation. Without it, you're storing secrets in env vars (risky) or building your own vault (expensive).
- Step-up auth is underused in agentic systems. It's exactly the right pattern for the "human in the loop" moment that high-stakes workflows need.
- Most agent developers haven't thought about what happens when an agent misbehaves. Revocation needs to be one click — not a code change, not a redeployment.
What's next
- Webhook alerts — Slack notification when a step-up is triggered
- Scope recommendations — analyze agent behavior and suggest tightening over-permissioned scopes
- Agent-to-agent delegation — one agent requests a sub-token from another with reduced scope
- Auth0 Actions integration — custom logic on every token request (rate limiting, geo-fencing)
## Bonus Blog Post
Teaching AI Agents to Ask for Permission
There's a quiet assumption baked into most AI agent demos: the agent has access to everything it needs, and that's fine because it's smart enough not to abuse it.
I stopped believing that the moment a Calendar Agent booked 14 meetings in a row.
The central idea behind AgentVault is borrowed from enterprise security: least privilege. Give the agent exactly the access it needs, for exactly the task at hand. No more. And make it revocable the moment something goes sideways.
Auth0 Token Vault turned out to be the right foundation. The problem I kept hitting was: where do you actually store agent credentials? Environment variables felt wrong — they don't rotate, they don't scope, and one leaked .env file hands an attacker your agent's full access forever. Token Vault solves this cleanly. Credentials live in Auth0's infrastructure, are fetched at request time, and can be revoked without touching a single line of code.
The step-up auth pattern was the real unlock for high-risk operations. The idea: an agent proceeds autonomously for low-risk actions. But the moment it wants to do something irreversible — send a payment, delete records, email 500 people — it pauses and puts the decision back in the human's hands. Auth0 issues a 5-minute elevated token if you approve. One operation. Then access expires automatically.
Building the audit log forced me to think clearly about what "visibility" actually means in an agentic system. It's not enough to know an agent ran. You need to know what scope it exercised, on what resource, at what time, and what the outcome was. That's the level of auditability that makes agents trustworthy in professional contexts.
The thing I'd tell any developer building AI agents: authorization is not a feature you add later. It's the foundation. Build the control plane first — then give your agents the keys.
Built With
- auth0
- next.js
- tailwind-css
- typescript
- vercel
Log in or sign up for Devpost to join the conversation.