AI agents are powerful.
But giving them your credentials?
That's terrifying.
What if an AI could act on your behalf — read your email, manage your calendar, search your files — without ever seeing a single token?
Beriwo uses Auth0 Token Vault to create a zero-trust boundary between the AI and user credentials. The AI can request tool execution, but credentials are resolved server-side — the model never sees a single token.
A 3-phase sandboxed pipeline enforces security at every layer: the AI is never simultaneously given tools and the ability to talk to users.
Produces a structured JSON plan. Cannot execute anything.
Token Vault resolves credentials. RBAC + Consent + Step-up enforced.
Formats results for the user. No tool access whatsoever.
Deep integration across the entire authorization lifecycle
Every tool wrapped with defineProtectedTool(). AI requests tool calls — credentials resolved server-side. The model never sees a token.
Custom Auth0 Action enriches JWTs with ai_tier, ai_tools, ai_can_write, ai_max_calls claims at login time.
Write tools physically removed from executor unless user explicitly approves. Code-level enforcement, not a prompt instruction.
High-risk ops check JWT auth_time. If login is older than 5 minutes, re-authentication required via Auth0 popup.
Every tool authorization decision logged: userId, action, resource, decision (allow/deny), reason, tier, timestamp.
Google social connection with offline_access. Automatic token refresh when the 1-hour access token expires.
auth_time evaluation. Sessions older than 5 minutes trigger an immediate re-authorization challenge.
auth_time check with 5-minute window. Stale sessions require re-authentication for sensitive operations.
Natural language request involving a write operation.
Plans: [read_email, send_email]. Cannot execute anything.
RBAC ✓ (pro tier) → Consent ✗ (not approved) → FGA logs DENY. Tool physically removed from executor.
Frontend shows blocked writes. User explicitly approves send_email.
RBAC ✓ → Consent ✓ → Step-up ✓ → FGA logs ALLOW. Email sent via Gmail API. AI never saw the token.
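The gate the demo flow above walks through (RBAC from the JWT claims, consent for write tools, the auth_time step-up, and one audit record per decision), as an added JavaScript illustration that is not Beriwo's code. The claim names, tool names and the 5-minute window come from the page; the audit record shape, the `approvedTools` set and the tool registry are assumptions, and Token Vault credential resolution is left out because the executor only ever receives tool handles, never tokens.

```javascript
// Added example, not Beriwo's code. Claim names (ai_tier, ai_tools, ai_can_write,
// auth_time) and the 5-minute step-up window follow the page; the audit record shape,
// approvedTools, and the registry are assumptions. Credentials are never touched here.
const STEP_UP_WINDOW_SEC = 5 * 60;
const WRITE_TOOLS = new Set(["send_email"]); // assumption: tools that count as writes

// One authorization decision for one planned tool call. Each check that fails
// produces a DENY record with the reason, matching the audit fields on the page.
function authorizeTool(claims, tool, registry, { approvedTools = new Set(), nowSec }) {
  const rec = {
    userId: claims.sub, action: tool, resource: registry[tool]?.resource ?? null,
    tier: claims.ai_tier, timestamp: nowSec,
  };
  // RBAC: the Post-Login Action must have listed this tool for the user's tier.
  if (!registry[tool] || !(claims.ai_tools ?? []).includes(tool)) {
    return { ...rec, decision: "deny", reason: "rbac: tool not granted to tier" };
  }
  if (WRITE_TOOLS.has(tool)) {
    if (!claims.ai_can_write) {
      return { ...rec, decision: "deny", reason: "rbac: ai_can_write is false" };
    }
    // Consent: write tools need explicit per-request approval from the user.
    if (!approvedTools.has(tool)) {
      return { ...rec, decision: "deny", reason: "consent: not approved" };
    }
    // Step-up: a login older than the window must be refreshed first.
    if (nowSec - claims.auth_time > STEP_UP_WINDOW_SEC) {
      return { ...rec, decision: "deny", reason: "step_up: auth_time older than 5 min" };
    }
  }
  return { ...rec, decision: "allow", reason: "rbac, consent and step-up passed" };
}

// Builds the executor's tool set from the planner's JSON plan. Denied tools are
// absent from the returned object, so the executor cannot call them at all.
function buildExecutorTools(claims, plan, registry, opts) {
  const tools = {};
  const audit = [];
  for (const name of plan.tools) {
    const decision = authorizeTool(claims, name, registry, opts);
    audit.push(decision);
    if (decision.decision === "allow") tools[name] = registry[name];
  }
  return { tools, audit };
}
```

Running the same plan twice, first without and then with `send_email` in `approvedTools`, reproduces the DENY-then-ALLOW sequence of the demo.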
Problem statement: AI agents need your data, but credentials exposure is terrifying.
Beriwo reveal — 10 tools, Token Vault, zero-trust. Show live app.
Auth0 Universal Login, Post-Login Action, JWT custom claims for AI tiers.
Query emails + calendar. Show 3-phase pipeline streaming in real time.
Trigger send_email → consent card → approve → success. Show FGA audit.
5 security layers diagram. Sandboxed AI, RBAC, Consent, Step-up, FGA.
Feedback for Auth0: first-class SPA flow, built-in AI RBAC, FGA integration.
"Authorized to act — but never trusted to hold the keys." Logo + links.
Leverage read:user_idp_tokens internally so SPA developers get seamless Token Vault without the Management API hybrid workaround.
Read custom claims from Auth0 Actions to automatically filter tool availability based on user tier — no manual policy gate code needed.
Built-in audit logging and per-resource permission checks for AI tool execution. Every ALLOW/DENY recorded automatically.
Your AI assistant that's authorized to act — but never trusted to hold the keys.
Presented by Emmanuel Veranyuy Mfon — Senior Software Engineer