VaultBridge | AI ↔ GitHub via Auth0 Token Vault

VaultBridge lets an AI agent use GitHub APIs without storing GitHub tokens—Auth0 for AI Agents Token Vault holds them; CIBA step-up for risky writes; exchange only when the API runs.

Comment

VaultBridge — AI Actions. Human Control.

Inspiration

AI agents are becoming increasingly powerful — from local models to browser-based automation.

However, connecting these agents to real user accounts remains unsafe.

Most current approaches rely on:

  • Long-lived API keys
  • Tokens stored in prompts or configuration files
  • Secrets leaking into agent memory

This creates a fragile and insecure model.

We wanted to redefine this interaction:

The agent should be able to propose and execute actions, but never hold sensitive credentials.

The hackathon theme — Auth0 for AI Agents and Token Vault — aligned perfectly with this vision. Identity, consent, and token custody should live in a secure identity layer, not inside the agent runtime.

What it does

VaultBridge is a secure AI-to-GitHub gateway that enables agents to act on behalf of users without exposing credentials.

Flow overview:

  1. The user authenticates with Auth0
  2. GitHub is connected as a linked account
  3. When the agent needs to act:
    • The application exchanges tokens through Auth0 Token Vault
    • A short-lived GitHub access token is issued dynamically
  4. Execution depends on risk level:
    • Read operations may proceed automatically
    • Write operations require explicit user approval via step-up authentication (CIBA + MFA)

Core principle

VaultBridge implements capability without custody:

The agent can perform actions, but:

  • It never sees tokens
  • It never stores credentials
  • It cannot bypass user control

Auth0 acts as the secure intermediary between AI agents and external systems.

How we built it

The system was designed to be simple in structure, but secure by default.

  • Web application
    Flask-based backend managing authentication, sessions, dashboard, and approval flows

  • Authentication and identity
    Auth0 with OpenID Connect and refresh token support

  • Token Vault integration
    RFC 8693-style token exchange to obtain GitHub access tokens on demand

  • Connected accounts
    GitHub linked via Auth0 instead of acting as the primary identity provider

  • Step-up authentication
    CIBA-based approval flow for high-risk operations

  • AI layer
    Groq and Gemini APIs used for planning and interaction

  • Deployment
    Serverless deployment on Vercel with Python runtime

Challenges we ran into

The main complexity was not in code, but in configuration and orchestration.

  • Auth0 configuration required precise alignment across:

    • Token Vault enablement
    • Refresh token support
    • Connected accounts setup
    • My Account API configuration

  • Debugging required tracing the full flow: login → connect GitHub → token exchange → API execution

  • OAuth-related errors were often non-obvious and required careful inspection

Accomplishments that we're proud of

Zero secrets in the agent path

No GitHub tokens, API keys, or credentials are ever exposed to the agent.
All sensitive operations are mediated through Auth0 Token Vault.

A real “authorized to act” model

The system enforces a clear policy:

  • Read operations are seamless
  • Write operations require explicit user approval

End-to-end working system

The project is fully functional:

  • Auth0 authentication
  • GitHub account connection
  • AI-driven action proposals
  • Secure execution through GitHub APIs

Transparent security experience

The system exposes:

  • Consent flows
  • Approval steps
  • Error states

This improves trust and usability in real-world scenarios.

What we learned

Token Vault changes application architecture

Traditional models store secrets within the application.

In this approach:

  • Auth0 manages identity and token custody
  • The application performs controlled token exchanges

This significantly reduces risk.

Product constraints shape implementation

Key considerations included:

  • Connected accounts versus primary login
  • Scope and consent management
  • Handling access denial and edge cases

These are critical to building a reliable system.

Visibility of policy builds trust

The system demonstrates different behaviors clearly:

  • Read operations execute immediately
  • Write operations require approval

This transparency makes the system intuitive and trustworthy.

What's next

VaultBridge can be extended in several directions.

Audit and persistence

  • Store actions and approvals
  • Build a verifiable audit trail of user decisions

Fine-grained policy control

  • Repository-level permissions
  • Action-level rules
  • Dynamic risk classification

Additional integrations

Extend the same model to other platforms:

  • Slack
  • Jira
  • Notion

Maintaining a single identity and token control layer.

Production hardening

  • Rate limiting
  • Session and CSRF protection
  • Structured logging and monitoring
  • CI/CD validation

Final thought

AI agents should not hold credentials.

They should operate based on permission:

  • Scoped
  • Time-bound
  • Explicitly approved by the user

VaultBridge demonstrates how this model can be implemented in practice.

AI actions remain powerful, while control stays with the user.

Built With

Share this project:

Updates