Inspiration
There's a question I couldn't stop thinking about: what happens to your judgment when you die?Your family inherits your furniture, your savings, your photographs. But the mental model you spent a lifetime building - how you weighed mission against money, what you would never compromise on, how you thought about risk when everyone around you was panicking - that disappears the moment you do.I lost a mentor two years ago. He was the kind of person who had an answer for every hard decision, not because he was always certain, but because he had thought carefully about his values for decades. After he was gone, I kept finding myself in situations where I genuinely wanted to ask him what he would do. Not to be told what to do. Just to have access to his reasoning.That feeling - wanting someone's judgment without needing their data - is what Wisdom Vault is built around. And Auth0 Token Vault turned out to be exactly the right tool for it, because inheritance isn't a storage problem. It's a consent problem. Who gets access to what, under what conditions, verified by whom, with what permanent restrictions — those are identity questions, and identity is what Auth0 is built to handle
What it does
When someone dies, their family inherits their belongings. But their way of thinking is gone forever. Right now families face a binary choice with digital accounts: they either get nothing - encrypted data that dies with the person - or they get everything, passwords and private messages handed over with no boundaries. There is no middle ground. Wisdom Vault creates a third option. A parent's AI agent learns their decision-making patterns over time. When they pass away, the child inherits those patterns through Auth0 Token Vault — cryptographically scoped tokens that grant access to wisdom while permanently blocking access to personal data. The child can ask "should I take this job?" and receive advice rooted in how their parent actually lived and decided. They cannot access emails, financial records, or private history. That boundary is enforced at the identity layer by Auth0, not by application code that someone could change later. The app covers the full inheritance journey across six features. Groq's Llama 3.3 model distills raw life decisions into anonymous behavioral patterns, discarding the original text so personal details never reach the server. Auth0 then issues a cryptographically scoped token using the token-vault-req+jwt standard, with explicit denied scopes baked in at issuance. Before any token is issued, two of three designated trustees must confirm - an attorney, a sibling, a doctor, so no single person can unilaterally unlock an inheritance. After the token issues, a Consent Receipt renders in plain English showing exactly what the child can and cannot access. The child can then delegate a narrowed sub-token to an advisor — a career counselor gets career patterns only, never financial or relationship wisdom — and the system enforces that scopes can only shrink, never expand. If a question touches grief, debt, or mental health, step-up authentication fires before any patterns are returned, even with a valid token.
How I built it
The backend is Python and Flask organized into three modules that mirror the three actors in the system. The parent agent handles wisdom extraction by sending life decisions to Groq and parsing the structured patterns back. The token vault bridge handles everything Auth0 - generating the RSA-2048 key pair, calling the Management API, recording trustee confirmations, minting and validating tokens, enforcing delegation depth, and building the lineage graph. The child agent handles the receiving end: validating tokens, filtering patterns by granted scope, and blocking any attempt to reach raw data. The Auth0 integration uses Private Key JWT authentication throughout. Every inheritance token carries explicit denied scopes in its payload - not just absent permissions, but actively denied ones — so the privacy guarantee is as strong as the RSA signing itself. The app tries the live Auth0 Token Vault endpoint first and falls back to local RSA signing if credentials aren't configured, which means the full scope enforcement model works in demo mode without any shortcuts. The frontend is a single HTML file with no framework dependencies — just vanilla JavaScript and fetch calls - organized into six tabs that walk through the complete flow. It's deployed on Railway. The real-time audit log, the consent receipt, the SVG lineage tree, and the step-up modal are all native DOM with no external libraries. The privacy model follows a simple rule: let W be the set of wisdom patterns and R be the set of raw personal data. The inheritance token grants access to some subset of W, and that subset is constructed so it never overlaps with R. This isn't enforced at runtime by checking a flag — it's enforced at issuance by construction.
Challenges I ran into
The hardest single moment was a 403 error that said "The token vault privileged access feature is not enabled for this tenant" and gave no further information. After two hours of reading docs and forum posts, I found that fixing it required five things to be true simultaneously: the application had to be a first-party confidential client rather than a SPA or native app, the Token Vault grant type had to be explicitly enabled in Advanced Settings, Private Key JWT authentication had to be configured, the public key had to be registered in the dashboard, and the JWT had to be signed with the exact right header type and payload claims. The error message was identical whether zero or four of those conditions were met. That experience became one of the most useful things I could document. The second challenge was scope semantics. Auth0 Token Vault manages what is granted, not what is explicitly forbidden. There's no native denied scopes field. I implemented explicit denial at the JWT payload level and validated it server-side on every operation, which works well but requires the developer to maintain the denied list carefully. It's a gap worth flagging. The third challenge was the AI itself. Early versions of the wisdom query let Groq hallucinate connections between unrelated questions and the inherited patterns. A judge typing "how did dinosaurs die?" was receiving a thoughtful three-paragraph response citing wp_001. Scope enforcement can't only live at the token layer - it has to live in the prompt too. Adding an explicit rule that says "if this question has no genuine connection to any pattern, say so directly" fixed it cleanly.
Accomplishments that I am proud of
The Consent Receipt is the thing I'm proudest of technically. Most Token Vault demos show a JSON blob and expect judges to interpret it. Wisdom Vault renders a human-readable card after every token issuance: green for what the child can access, red for what is forever blocked, and a plain-English paragraph explaining that the boundary is cryptographic rather than just a database flag. Judges can understand the privacy model without reading a single line of code. Getting the 403 error resolved and building a working token-vault-req+jwt implementation is something I'm genuinely proud of because there are almost no working examples of this in public. Everything I learned about the five prerequisites is documented in the README so future developers don't lose the same two hours. Realizing that scope enforcement needs to live at two layers - the identity layer for cryptographic guarantees and the prompt layer for semantic correctness - felt like a genuine insight rather than just an engineering decision. Both are necessary. Neither is sufficient alone. The multi-generational delegation chain with depth enforcement and a live lineage visualization is, as far as I can tell, a novel demonstration of what Token Vault enables beyond simple authentication. Watching the tree update in real time as tokens are issued and delegated makes the authorization model immediately intuitive. And honestly, shipping something that proposes a credible answer to a problem that affects every family on earth - within a hackathon window, working and deployed is the accomplishment I'll remember longest.
What I learned
Token Vault is a genuinely powerful primitive for agent authorization, but the path from concept to working implementation is harder than it needs to be. The error messages are opaque, the documentation doesn't show the full JWT structure with a working example, and the five-prerequisite setup is easy to get partially right in ways that produce the same failure every time. The deeper technical insight is that identity-layer enforcement and application-layer enforcement solve different problems. Token Vault provides the cryptographic guarantee that a scope boundary cannot be crossed by modifying application code. The application layer provides semantic correctness - making sure the AI only answers questions that the inherited patterns actually address. You need both. An application that enforces scope at the token layer but lets the AI hallucinate past it has a false sense of security. An application that enforces scope in the prompt but not the token is one server deployment away from a privacy breach. Wisdom Vault also surfaced three concrete gaps in the current Token Vault API that I'd love to see addressed: native denied scopes as a first-class field with per-denial audit logging, a dedicated troubleshooting guide for the 403 error with the five prerequisites listed explicitly, and built-in support for async inheritance flows where token state needs to persist across days rather than a single session.
What's next for Wisdom Vault
The most immediate next step is a fully live Auth0 deployment with a proper database behind it. The current implementation keeps trustee confirmations in memory, which means a server restart wipes the state. Real inheritance takes days or weeks — an attorney confirms on Monday, a sibling confirms the following Friday. That flow requires persistent storage and a notification system so trustees receive email or SMS prompts rather than having to log into a dashboard. After that, the parent experience needs to become passive and continuous rather than a one-time form. A mobile app that quietly observes decisions over years — career moves, financial choices, moments where you chose principle over convenience — and periodically surfaces patterns for the parent to confirm or correct. Auth0's native mobile SDK is the right foundation for that. The legal layer is the biggest unlock. The 2-of-3 trustee model maps directly onto existing executor and power-of-attorney frameworks in estate law. Partnering with digital estate planning attorneys to make trustee confirmations legally binding — a notarized confirmation token rather than just a signed string — would turn Wisdom Vault from a technical proof of concept into something families could actually rely on. Beyond inheritance, the same Token Vault pattern applies to any scenario where one person needs to delegate their judgment to another with explicit, permanent restrictions: a founder passing institutional knowledge to their successor, a senior engineer retiring and leaving their architectural reasoning for the team, a patient giving their doctor access to their values before surgery. Wisdom Vault is one application of a pattern that is much more general. The pattern is what I want to keep building.
Bonus Blog Post
What I Actually Learned Building with Auth0 Token Vault I want to tell you about the moment this project got interesting. It was a 403 error. The message said "The token vault privileged access feature is not enabled for this tenant" and offered nothing else. I had read the documentation three times. I had the right client type, the right grant type, the right JWT library. The error gave me no signal about which of the five required conditions I was failing. Two hours later, after reading a forum comment from another developer hitting the same wall, I finally understood the full picture. All five prerequisites had to be true at the same time: a first-party confidential client, the Token Vault grant type explicitly enabled, Private Key JWT authentication configured, the public key registered in the dashboard, and a JWT signed with the exact right header and payload structure. Missing any single one produced the same opaque error. That experience shaped everything I built after it. The concept behind Wisdom Vault came from a genuinely personal place. I lost a mentor two years ago, someone whose judgment I trusted more than almost anyone's. After he was gone, I kept encountering decisions where I would have given a lot just to know how he would have thought about it. Not what he would have told me to do. Just his reasoning, his values, the principles he had refined over decades. That's the problem Wisdom Vault tries to solve. What surprised me most was how well Auth0 Token Vault maps onto the ethical structure of the problem. Inheritance isn't really about storage — it's about consent. Who gets to access what, under what conditions, authorized by whom, with what permanent restrictions. Those are identity questions, and token-scoped authorization is exactly the right model for them. The moment I understood that denied scopes weren't just absent permissions but actively blocked ones, the whole architecture clicked into place. The hardest problem wasn't Auth0. It was the AI. Early in the build, the language model would try to connect any question to the inherited patterns, no matter how unrelated. A question about dinosaurs got a three-paragraph answer citing career wisdom patterns. Scope enforcement has to live in the prompt as well as the token. Adding one explicit rule — if the question genuinely doesn't connect to any pattern, say so directly and don't try to bridge the gap — fixed it immediately. If I could give one piece of advice to any developer starting with Token Vault: read the community forum before you read the documentation. The answers that matter are in the comments, not the official pages. And when you hit a 403, assume all five prerequisites need to be verified simultaneously rather than debugging them one at a time. It will save you hours.
Log in or sign up for Devpost to join the conversation.