Auth0

Auth0 is a leading Customer Identity and Access Management (CIAM) platform. Mandaitor integrates with Auth0 to enable customer-facing applications to create and verify mandates using Auth0-authenticated identities.

When to Use Auth0

Auth0 is the right choice when your users are customers of a SaaS application (B2C or B2B). Typical scenarios:

  • A SaaS platform where end-users delegate authority to AI agents
  • A B2B application where customer organizations manage their own delegation policies
  • Multi-tenant applications using Auth0 Organizations

Configuration

1. Register Mandaitor in Auth0

Create an application in your Auth0 dashboard:

  • Application Type: Regular Web Application
  • Allowed Callback URLs: Your application's callback URL
  • Allowed Web Origins: Your application's domain

2. Configure Mandaitor

Via the API:

curl -X PUT https://api.mandaitor.io/v1/tenants/{tenantId}/identity-providers \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled_providers": ["API_KEY", "COGNITO", "AUTH0"],
    "auth0": {
      "domain": "your-tenant.auth0.com",
      "audience": "https://api.mandaitor.eu",
      "client_id": "your-client-id"
    }
  }'

Or via the Mandaitor Dashboard under Identity Providers > Auth0.

3. Configure Auth0 Actions (Optional)

Deploy an Auth0 Action to enrich tokens with delegation metadata:

// Auth0 Action: Post-Login
exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://mandaitor.io/claims";

  // Add organization context (only present when the login went through an Auth0 Organization)
  if (event.organization) {
    api.accessToken.setCustomClaim(`${namespace}/org_id`, event.organization.id);
  }

  // Add delegation-related claims
  api.accessToken.setCustomClaim(`${namespace}/is_delegator`, true);
};

Token Validation

When a user authenticates via Auth0 and presents their token to Mandaitor:

  1. Provider detection: The authorizer detects the *.auth0.com issuer
  2. JWKS verification: Token signature is verified against Auth0's JWKS endpoint
  3. Claims extraction: sub, org_id, permissions, and custom claims are extracted
  4. Identity resolution: Mapped to oidc:auth0:<sub> canonical subject ID

SDK Usage

// User authenticates with Auth0 and gets an access token
const auth0Token = await auth0.getAccessTokenSilently();

// Use the token with Mandaitor's token exchange for delegation
const result = await mandaitorClient.exchangeToken({
  subject_token: auth0Token,
  mandate_id: "mdt_abc123",
  scope: "construction.validation.approve",
});

// The AI agent can now use the delegation token
console.log(result.delegation.principal); // Original Auth0 user
console.log(result.delegation.delegate); // AI agent

Auth0 Organizations

If you use Auth0 Organizations for multi-tenancy, the org_id claim is extracted and can be used to scope mandates to specific organizations. This maps naturally to Mandaitor's tenant model.

OpenFGA Integration

Auth0's OpenFGA (Fine-Grained Authorization) can model complex delegation hierarchies:

model
  schema 1.1

type user

type agent

type organization

type mandate
  relations
    define delegator: [user]
    define delegatee: [agent]
    define owner: [organization]

This enables real-time authorization queries like "Can Agent X perform action Y on behalf of User Z within Organization W?"