Learn With Jason
Learn With Jason S9.E4 Feb 26, 2026

As AI agents continue to grow in popularity, figuring out how to keep them from leaking secrets, destroying sensitive data, or otherwise wreaking havoc is more important than ever. Chris Sev teaches us how to control what agents can & can’t access.


Captions provided by White Coat Captioning (https://whitecoatcaptioning.com/). Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

JASON: Hello, everyone, and welcome to another episode of Learn with Jason. Today on the show, we are going to dig into, I think, one of the most important problems being solved in the AI space right now, which is how the heck do we keep the AI agents from deleting all of our private files while giving them enough access to the things they need access to to be useful? And to help us navigate that problem, we're bringing on an expert in the field and a good friend of mine, Chris Sev. Chris, how are you doing?

CHRIS: Good, good, happy to be here. Happy to see you, Jason.

JASON: I'm super excited to be digging into this with you today. First and foremost, I'm going to direct people. I've got your Twitter open here, I'm going to send people there if they want to keep up with you. And we're going to be using Auth0, where you are working now. Let's talk a little bit about who you are and what you do. And I want to jump straight in.

CHRIS: Cool. My name is Chris Sev, I recently joined as director of devrel here at Auth0. A gigantic security company in Okta. Something top of mind here at Okta, Auth0, and the world is auth for agents. More than ever, it's important to figure out how to rein these in so they don't run around deleting all of our emails, keeping bank account information to themselves and betting our mortgages on horse races.

JASON: Right. Right? Exactly what we don't want to happen. With that, I want to dig into it. Welcome to Learn with Jason. All right. I'm ready. If I want to authenticate an agent, what's the first thing I should do? Where do we want to start?

CHRIS: Yes. So here we are, auth0.ai. And there's a couple things I want to talk about first before we jump in. Auth0 released Auth0 for AI Agents back in November. This is our first take at, hey, agents are outnumbering human people at this point in time, and it's only going to get bigger and bigger. There's like, you know, 100 Jasons coming in once you get agents.

JASON: That's the last thing anybody wants.

CHRIS: So the ways we think about agents are four different pillars as far as how to keep them in check, how to keep them doing exactly what we think they should do. A little higher, that one there is number one. Just allow users to log into AI agents. Authentication, everything we've talked about in the past 10, 15 years, just standard authentication. But once you start moving into agents, it's like, hey, we have agents, do we just give them API keys to everything they can just hold on to and use for the next three years? Definitely not. I wouldn't give humans that kind of access.

JASON: Right.

CHRIS: So we have a feature called Token Vault, it'll handle storing the tokens, refresh tokens if it's a Google connection or anything like that, and this way, you can easily make sure that each agent has to go explicitly ask for a brand new token when it needs to call a tool. It can also scope those tokens to say, like, hey, you're only allowed to read in GitHub repos, you're not allowed to create PRs, or merge PRs, that would be terrifying. So that's a big one. Token Vault is the second pillar. Number three is async authorization. So let's say we want our agent to draft us an email to respond to people. Like, who doesn't want to triage their inbox with AI? But it needs to ask us permission to send emails, right?

So sending us a phone notification that says, hey, this is what I want to send, approve or deny. And that's async authorization. And then, the last one, if you have a document database, if you have all of your information in one spot, an agent shouldn't be able to read everything. Especially if you talk about medical, you shouldn't be able to read other patients' data, all that stuff. Making sure the agent has only the specific things it has to read, which is fine grained authorization.

JASON: And as a reminder for everybody, if you want to go deep on this, we have a whole companion episode of the WebDev podcast where Chris and I get deep in the weeds on how we can manage this future where we've got AI agents all over the place. So make sure you check that out on your favorite podcatcher or on CodeTV.dev. Chris, you sent me a repo here.

CHRIS: Yes.

JASON: And I'm going to... I'm going to go ahead and clone this first. And while I'm doing the clone, do you want to talk a little bit about what this is and what we're going to get into today?

CHRIS: Yeah. So the repo here is a standard Next.js chat app. And what we're going to do is add on, one, authentication, so you can just see how you authenticate a Next.js app. And two, we're going to add on Token Vault. So while you're chatting with your agent, you can say, hey, go do something on my GitHub, and it'll go grab a brand new token every time it needs to so it can do that specific action or tool call.

JASON: Nice. Let me... I'm going to open this up. We're going to make things a little bit bigger so we can read them. And then, I need to install everything. And this is... we'll do that later. So let me npm install to get everything running. And then, I think, do I need to do anything else to get this thing breathing?

CHRIS: Let's go ahead and switch over. So if anybody out there wants to grab the repo, we have the URL, it's a public repo. There's four stages in branches here.

JASON: All right, yes.

CHRIS: Let's go ahead and check out stage-1. And let's get this thing working.

JASON: Up here, and then, I'm going to get in here. We're going to git checkout stage-1. And then, I'll run that npm install again and make sure we're in the right place. And I am set to go.

CHRIS: Cool. All right. So, another thing, just a little safety thing, and as we talk about not doing this, I sent you an OpenAI key in private chat.

JASON: All right, let me hide the screen here, I'm going to grab that.

CHRIS: I'm giving you the name of the variable, too.

JASON: Toss that into the .env in the root?

CHRIS: .env.local.

JASON: OK. Saved and closed and then, we'll bring the screen back. OK. So... I've got my .env.local, it's there. And I'm ready to rock.

CHRIS: Yeah, you did the install. npm run dev, and let's see what happens.

JASON: OK. So that is running. And it's running at localhost:3000, so I'm going to pull that up here. And let's head over to the browser.

CHRIS: OK.

JASON: There's our chat bot. This is rocking, do we...

CHRIS: Give it a test. Send it.

JASON: OK. Tell me what you know about...

CHRIS: Oh, public info. I'm not good enough.

JASON: Oh, no.

CHRIS: I've got some work to do.

JASON: Oh, no.

CHRIS: So, for the chat, this is using GPT-5.2 via the API. So I guess I'm not in the public record.

JASON: Let's see. Let's see if I'm in the public record. I have the benefit of...

CHRIS: Of a well-known...

JASON: I'm also globally unique. I'm the only person in the world with my name. It's much easier to find me when you Google for me. We got it. It's running, it's, you know, it's doing the chat bot thing. It's what I would expect the chat bot to do.

CHRIS: Perfect. Yeah. Standard, everything you'd expect. If anybody is wondering how this is working, it's using one API route for connecting to OpenAI, and if you go to app/api/chat, this thing just takes your message, sends it to ChatGPT, prefixes it with "you are a helpful assistant," right?

JASON: As simple as you can make it, right, nice and straightforward.

CHRIS: Exactly. Cool. So next up, let's add on authentication here. To do this, we're going to grab an Auth0 app, go to your Auth0 dashboard.

JASON: I have it open here.

CHRIS: Cool. Let's go ahead...

JASON: Reached the limit. That means I'm going to delete one of these. I did a lot of these, that one's definitely really old. We're going to get rid of this and I'll have one more, I hope. This is what I get. I should've known I had too many things. Here we go. This is going to be auth0AI, agent, there we go.

CHRIS: Perfect. And for Next.js, we want regular web app, the third one.

JASON: There we go, regular web app, creating.

CHRIS: And if you click on Next.js down there. Yep. This will be the whole set up here. And... so...

JASON: All of it?

CHRIS: Yeah, let's do the skill there.

JASON: OK. I'm going to see how... let's see. What happens? This is not something that I usually do. So this will actually be my first time doing a skill like this.

CHRIS: Yeah, I can walk you through what happens.

JASON: That might be my computer and not yours.

CHRIS: All right. I'll log it.

JASON: Needs to install this package, it's doing the thing.

CHRIS: Could you scroll up there? I want to make sure the code is in the list.

JASON: Oh, yeah. It's asking...

CHRIS: Go higher. Go higher. Go even higher. Yeah. There you go...

JASON: GitHub Copilot, right?

CHRIS: Yeah, those are the defaults. You can install it for this project only.

JASON: OK.

CHRIS: Symlink works.

JASON: OK, let's go. Install the find-skills skill.

CHRIS: Helps your agent find and suggest skills. No, you don't need that.

JASON: I don't need that, get out of here.

CHRIS: Get out of here. So the cool thing about the skill, exactly. They go straight there, the Auth0 quick start and the Auth0 Next.js. So now, Copilot knows how to add Auth0 on to the app.

JASON: Right. If I open up the Copilot thing, which I always forget.

CHRIS: Yeah, I wish the button was... I think it might be next to the search at the top of the window. There it is.

JASON: This guy. And it has a thing to copy here. I'm going to copy this, and we're going to throw this in here and just let it rock?

CHRIS: Let's see what happens.

JASON: You want me to pick another model? It's defaulting here?

CHRIS: Go to Opus 4.6.

JASON: OK. We're cooking.

CHRIS: Perfect. And then, Juan's comment is just like staring me in the face because it's pinned.

JASON: Yeah, sorry. [ Laughter ]

CHRIS: Thanks, Juan. OK.

JASON: The skills, reading package.json. Getting through the files and it's got a plan. The package is already installed, that's good. It's creating files or it's going to create files. It's already got the dot... let's see if it doesn't... we'll see... that .env.

CHRIS: OK.

JASON: Its doing stuff.

CHRIS: Um, yes, and I know this is... also, side note, I haven't done a livestream with live coding in a long time, so I'm having a blast.

JASON: I'm glad. I'm glad. This is like the highlight of my week when I get to... I never get to code anymore.

CHRIS: Yeah.

JASON: This is the most coding I get to do is on this show. [ Laughter ] So I'm always really excited. OK. So...

CHRIS: I can run you through what is happening, what it's trying to do. Basically, and I think we'll need to add your environment variables, but we'll cross that bridge.

JASON: Yeah, I'm going to take us into this view real quick and pop my head into this .env.local and see what happened. And yeah, we've got the Auth0 secret, it says replace with. And then you've got the app base URL is set to localhost:3000, Auth0 domain, placeholder, I need to grab these from... your location?

CHRIS: Yes.

JASON: I'm going to bring back the screen while I get to the right places so people can see where I'm going and go back in and fix that. In my application details. And I can... is there like a...

CHRIS: Yeah, are you still in that quick start?

JASON: Log in to create the app. If I log in, is it going to fill these?

CHRIS: I think it'll try to create a new app. Go back to applications there on the left.

JASON: On the left.

CHRIS: I'm going to follow on mine just to make sure...

JASON: Got my little buddy. I've got my client ID, my client secret. I've got my domain. And so I'm just going to copy all of these things. Let me go back to this view so I don't leak that secret. Sorry to all of the Vinnies. Here is my client ID, goes in here. Client secret goes right here. The domain, I've got here. And then, this Auth0 secret. That doesn't appear to be on this screen. So let me pull this back up here.

CHRIS: Yes.

JASON: Where does one go to get the Auth0 secret?

CHRIS: Let me check. I think client secret may be... let me double check for you.

JASON: OK.

CHRIS: No, we do need both, OK.

JASON: And does that live in one of the credentials things? Or is it somewhere else in my dashboard?

CHRIS: That's a good question. Let me see. Yeah. Click on credentials in the dashboard.

JASON: Is it hidden by default?

CHRIS: Yes, it's hidden, and scroll down, that guy.

JASON: This one?

CHRIS: Yeah, that one's the client secret. And the other one you had was the standard secret.

JASON: Hold on one second because I had... there was Auth0 client ID and client secret, those two were together on the thing. So... there's the Auth0 secret. That's the one I'm looking at? On this other page?

CHRIS: Under credentials? Let me double check by looking at mine.

JASON: Wait. This says replace with openssl rand -hex 32. It just needs...

CHRIS: Oh, just a random 32? Yeah.

JASON: OK. So...

CHRIS: I can paste it to you in chat if you want to make it easy.

JASON: Yeah, if you've got one, so I don't have to remember how that works.

CHRIS: Yeah, I'll bring terminals and running random commands to...

JASON: Yeah. All right. That is all saved, I'm going to close the .env.local and bring back the screen so everybody can see what's going on. I opened up the .env.local. I put in... let's go back to this page. I put in my domain. Put in my client ID, and put in my client secret. And the other thing it asked for was a random hash. And so, made one of those for me.

So we should be set now. I've got everything going here, so it says... oh, it literally told me...

CHRIS: Oh, darn.

JASON: Had we read the instructions, we would've had that ready.

CHRIS: We're too fast for the instructions.

JASON: Who's got time to read? We filled in the .env.local. And then in the Auth0 dashboard, it's a regular web application. And did this... does this get autoconfigured?

CHRIS: No, you have to do that. Good call. Thank you, instructions. Scroll down now.

JASON: It is a regular web app, that's good. Log in, callback, and then I'm going to save.

CHRIS: And one more for allowed logout URL. Paste what you had and remove, basically, just end at 3000.

JASON: There?

CHRIS: Yep. This tells Auth0, this is the only place you're allowed to, like, log in and send a person back to.

JASON: Got it. And do we want to peek at what was done?

CHRIS: Yeah, let's peek.

JASON: Don't look at that!

CHRIS: No!

JASON: It's fine, nobody saw it. [ Laughter ] The one benefit of having all of the columns open is that it only allowed 12 characters. Good luck guessing the rest of it.

CHRIS: Perfect.

JASON: All of that work not to leave the secrets in there. So we got the Auth0 provider. And then, it... and this is in our layout. So it's checking the session, it's wrapping everything with the Auth0 provider, and that's all that happened in here. And our page.tsx, we grabbed the current user, and looks like it is just updating to show who the user is. auth0.ts is setting up the client and then the middleware is looking for... looks like everything except the Next internal folder, static folder, the static folder, image folder, map, and robot. That means the whole site is then authenticated, is that correct?

CHRIS: Correct, yes. And then, you can parse, like, what's public routes, dashboard routes, type stuff. But I have an adjustment there.

JASON: In the middleware?

CHRIS: Yep, that I ran into testing this. You have to rename middleware to proxy.

JASON: The whole file?

CHRIS: Yes. So one, the whole file.

JASON: OK.

CHRIS: This was a change from Next.js 15 to Next.js 16. And then, on the file itself, export function middleware, you change that one to proxy, the other one stays middleware.

JASON: OK. And do I need to change this to like any of the types or anything?

CHRIS: No, all good.

JASON: OK. So that's all good. So we can restart the server and...

CHRIS: And you should have auth.

JASON: Let's do it. Go back out to our running app here, I'm going to reload it. And something failed because... invalid compact JWE. What does that mean?

CHRIS: What does that mean?

JASON: Async function proxy...

CHRIS: Let's look at that file. I think I missed something when I told you to... return, wait, export function...

JASON: Did I mess anything up in the config here?

CHRIS: That looks good.

JASON: Do we have to change anything in the Auth0 setup for...

CHRIS: Yeah, go check on that. I don't see any differences.

JASON: Is it possible that I screwed up my... I feel like I got all of the pieces in here.

CHRIS: Yeah, I think this is... Juan says, clean Chrome session just in case. You know, when in doubt...

JASON: Yeah, let me close that entirely, we're going to start again, doesn't like that. So it's unhappy with something in our middleware request, but it's not giving us more information. Let's see if we get anything in here. JWE invalid. What the hell is a JWE?

CHRIS: Um... yeah, I would...

JASON: Let's see what Claude...

CHRIS: Yeah, read logs, please help.

JASON: OK, means Auth0 can't decrypt the cookie, Auth0 secret changed, yeah, that's fine. Wasn't replaced with a real secret. Do I have to set this secret in Auth0 somewhere?

CHRIS: Juan in chat also works at Auth0.

JASON: Use Incognito. localhost:3000. Oh, oh, oh, OK... I understand what happened, it's because when we had the... the .env, it set that placeholder secret and used it, encrypted tokens or encrypted cookies using that secret.

CHRIS: Yes.

JASON: So... OK, so this works, I'm going to keep this just in case, but I have a hunch that if I go in here and delete the cookies...

CHRIS: Nice one.

JASON: Thank you. Let's clear them all out.

CHRIS: Clear them all.

JASON: Reload the page, and there we go. Yeah, it was that the cookies were encrypted using a placeholder. OK. That's super helpful. Now, we can log in, I'm going to sign in with GitHub, yeah, that's fine.

CHRIS: That's interesting.

JASON: Is it trying to redirect me to the wrong place? Am I supposed to change this one to...

CHRIS: That UI looks different than what the... Juan, can you confirm that? That UI looks totally different than...

JASON: Yeah, am I in the wrong place?

CHRIS: No, OK... so let's debug that. You click log in.

JASON: Sign up.

CHRIS: Sign up with GitHub.

JASON: That's not working. Maybe I'll just do one of these.

CHRIS: Yeah, see what email does.

JASON: Wrong email. I'm trying to sign up, dude.

CHRIS: Let's do this. Let's go back to your Auth0 dashboard.

JASON: Oh, I was in the log in, that's why it didn't work the first time. This will hopefully solve the problem. Yes, I want to authorize the app, thank you so much. We're in, I'm good, I'm going to save that so I don't forget what the temporary password is. Take a breath.

CHRIS: We did it. Cool. So a lot of that was configuration, it feels like. Looks like Copilot did a good job as far as the code goes.

JASON: Yeah, I think the only thing wrong was me.

CHRIS: Chrome, we blame Arc.

JASON: Pretty par for the course, honestly. [ Laughter ]

CHRIS: All right, so... if you chat with it, and then, the next step, let's talk about how we can give our apps access to call third party APIs on our behalf.

JASON: Mmhmm.

CHRIS: That's the big thing we want to talk about and, yeah, give our agents access to, right?

JASON: Right.

CHRIS: Let's see. What's the best way to go about this? OK. So if you go into your dashboard, your Auth0 dashboard real quick.

JASON: Here we go.

CHRIS: We're on applications, we're on the new app. Great. So if you go over to the connections tab. Let's say... OK, perfect. And then, if you go over to APIs. Just setting some stuff up here. OK. So I'm just going to have you click around a couple places, and then, I'll explain what's going on. So if you go back to the left sidebar. I don't know if you can expand that or...

JASON: Here's the expand button.

CHRIS: One of them is APIs right there, right below applications. Cool. My Account API, let's turn that on.

JASON: OK.

CHRIS: Click into My Account API, let's go to permissions. OK. Those look good and then, application access. Let's turn on for the one you just created, that top layer. Yeah, that top app. And then, user access, and let's turn all of those on. Yeah.

JASON: Authorized, and all of them?

CHRIS: Yes.

JASON: OK.

CHRIS: So this is setting up Token Vault so your app has access to what we call connected accounts.

JASON: OK.

CHRIS: From here, now, if you go back to the sidebar.

JASON: Do I need this here or anything?

CHRIS: No, I don't think so. Let's go to authentication. And social. And create connection. So the cool thing about this is these are all the list of APIs we can access, and then, by turning it on here in your dashboard, your app can now start connecting to these external APIs. We have to write a little code on our side, but that connection is handled here.

JASON: OK.

CHRIS: And if you scroll to the bottom, these are the ones you have. You can create a custom one. If you create a custom one, you enter in all of the correct URLs that need to happen. Auth0 will handle the authentication flow and the refresh tokens for you.

JASON: Nice. OK.

CHRIS: Yeah. That's another benefit. If you go back one.

JASON: Back up here?

CHRIS: On your browser, yeah. Click on GitHub. And then, we're going to scroll down and we're going to adjust this here. So right now, you're using GitHub to authenticate, we're going to set it to authenticate and Token Vault.

JASON: OK.

CHRIS: And then, let's do read user. And public repo. Yeah. So that's the cool thing about doing it this way, right? If you just give your agent an API token, it's going to have access to all of those.

JASON: Do I need to do this stuff?

CHRIS: Yeah, let me think. Let's see. Oh, to connect a GitHub account. Yeah, let's go do that.

JASON: OK. So I need a...

CHRIS: Developer app, basically.

JASON: OK. And here we're going to say AI agents. That is teeny tiny, isn't it? And then, the home page URL is going to be my auth domain, which was in here. Applications, this is the settings, that's the domain, callback URL. Login callback. That needs to be HTTPS, doesn't it? Then we have webhook, active, disabled. Device flow. Webhook active disabled.

CHRIS: Disable that. And I think that's it.

JASON: Permissions, do I need to add some?

CHRIS: Yes, I think the docs have it.

JASON: Applications, I think it just says select appropriate permissions. So what you wanted was repo, repository contents.

CHRIS: Yes, read only.

JASON: Is it going to be user profile, you think?

CHRIS: Yeah, if you can find it.

JASON: If we can see it. Discussions, deployments, contents.

CHRIS: How are we doing on time, by the way?

JASON: We have about 25 minutes left.

CHRIS: OK. Let's scroll down and let's do... I saw one for issues.

JASON: Issues... issues and pull requests. Read issues, got it. Metadata, that must be... that must be the user data. So let's assume that... yeah. OK, cool. I'm going to create the app only for my account. That's going to give me a client ID, which I'm going to need, and I'm going to need a client secret, which I'll have to generate, generate a private key, I'm going to do that real quick. And... just going to drop this into the .env.local. Client ID is there, GitHub, client secret. That's going to be you... what the hell? That's not going to... that's big. That's like a giant thing.

CHRIS: Which one?

JASON: The client secret is huge. It's a full, say, private key.

CHRIS: I don't know what I did. I don't think so.

JASON: I'm doing the wrong thing, then. Let me see... here's my app, generate a private key, but I don't need a full...

CHRIS: Generate secret?

JASON: Yeah. Generate secret. That's for the webhook. Generate a new client secret. There we go.

CHRIS: There you go.

JASON: Client secret is here, got it. Putting that into there, closing, and now I can bring back up all this stuff.

CHRIS: Welcome back.

JASON: I still have the secret open on the other page, I'm going to close that quick, and that's going away. Good, yeah, now I can bring it back. Looking here, I generated the secret, so it's there. I've copied that into my .env.local.

CHRIS: Wait, that one needs to go into your Auth0 dashboard.

JASON: Auth0 dashboard, great, that's fine, I can make that happen. So configure the Auth0 dashboard, go to authentication, social, create connection with GitHub, and then, that's authentication. Authentication, social, going into GitHub. And then, it has a client ID and secret. I'm going to refill these with my correct data. So give me just a second to do that off screen.

CHRIS: Mmhmm.

JASON: Here is the client ID. Here is the secret... and I'm going to save that. So that's updated now. Closing the .env.local, and we're back. All right.

CHRIS: All right.

JASON: OK, back to our instructions, instructions, which are here. We have done this part, and then, in purpose, connected accounts for Token Vault, we did that part already. And then, we created... or wait, I think this is where we're at now.

CHRIS: All right. Perfect. In purpose. Maybe scroll down... oh... OK. I think if you scroll up, we already did that one.

JASON: OK.

CHRIS: And one more configuration here. It's a ton of set up, the thing is, it's one time set up as far as getting your GitHub stuff.

JASON: I'll be completely honest, it would freak me out a little bit if it didn't require connecting all of these services together.

CHRIS: Yeah, just magic APIs?

JASON: Mmhmm.

CHRIS: One more thing, go back to applications.

JASON: Applications.

CHRIS: Click on your app, scroll down to the bottom. All the way to the bottom. And under advanced settings right there.

JASON: OK.

CHRIS: Go to grant types, and turn on token vault.

JASON: Token vault.

CHRIS: Token vault. Cool.

JASON: OK. We've enabled the Token Vault, we've configured GitHub to use the Token Vault, and we've created an app on GitHub that gives us permission to read the issues for repos. Theoretically speaking, now, we should be able to give an agent permission to read issues assuming I've used OAuth?

CHRIS: Correct. Perfect. OK. So... there are a couple of different pieces we need to write next to get this working. One is let's go to... let's see what files you have already. Open up your lib. OK. So you have auth0. Let's create a new file in here. Called Auth0AI.ts.

JASON: OK.

CHRIS: And how do you want to do this? 14 lines of code.

JASON: I mean, if you want to talk me through it, I can type fast, or if you want to paste it into the chat, I'll throw it across.

CHRIS: Let's paste in private chat, it's a lot of @ type. Oh, that pasted... there we go.

JASON: All right. So we got these pieces and let's talk through what they do. So we have Auth0AI, this piece we're not using yet, Auth0 from lib. We create an instance with GitHub, makes sense, and we've got the Token Vault, makes sense, using our GitHub connection. Didn't set any scopes and the refresh token, I assume, is just sort of the magic that it knows to do?

CHRIS: Yes, so if it goes and makes a call, and the token it currently has is expired, it'll go ahead and get it for you behind the scenes so you don't have to deal with refresh tokens.

JASON: Got it. Do we need to set scopes here?

CHRIS: No, that's an interesting question. I wonder if the scopes that we've set in your dashboard just overwrite this. When I was testing this, that didn't really matter.

JASON: OK, do I need to install this?

CHRIS: Install that, yes.

JASON: OK. And this other one, as well, or do we already have this one?

CHRIS: Lets comment that out for now. Thats for the next part of this, which Im not 100% sure well get to.

JASON: Sure. OK, so that is installed now and should  there it is, its there.

CHRIS: Nice.

JASON: Weve got our with GitHub.

CHRIS: And then, next up, we can go to  let me move some stuff around real quick.

JASON: This shirt is from Molly White if you want to get one of your own.

CHRIS: OK. Next up is were going to create under the lib folder, were creating a new folder called "tools."

JASON: Tools.

CHRIS: And were going to call listrepos.ts.

JASON: OK.

CHRIS: I love that trick. Create a new file, do the forward slash. I always forget it, though. But yeah, love it. So  OK. So this is going to be where you define a set of tools that you want to do certain things for. So for this one, were going to go grab Octokit.

JASON: OK. And then is it just named?

CHRIS: Is it cool if I drop you another copy/paste?

JASON: 100%. Lets do it. Getting one of these, getting one of those, getting one of those. And  all right. That gives us  Octokit, weve got auth0 stuff, pulled within GitHub, well be able to list repositories, and that uses our with GitHub and we pass in a tool, which is, thats from AI 

CHRIS: Yeah, its just the way to register the tool.

JASON: Got it. And were saying you can list repositories. It uses the access token from the token vault. And then, we fire up Oktokit, do standard things, get a list for authenticated users, and then, we bring it back in little nice little object. Straightforward enough.

CHRIS: Yeah, really most of that is Octokit. Get access from token vault and just passing it through is auth. Right?

JASON: And so, the magic here is basically what were saying is, instead of putting this into a .env  were saying, its registered with  with auth0.

CHRIS: Yes.

JASON: And that means, anything that is registered through Auth0s token vault, you can centrally go in and like invalidate all of those tokens.

CHRIS: Correct, yes.

JASON: Mmhmm. Which is really helpful when  and this goes back to what we were talking about in the other episode about how its starting to mimic the way that you manage humans in large companies because you have to be able to control, like, you have to log into each computer to delete the tokens, thats really silly. You want a centralized way to control where the tokens are.

CHRIS: Yes, 100%. And the cool thing about this, too, theres not an env file with an API key, right? And this will actually go grab every single time it needs to. So youll see

in  we can go into the Auth0 dashboard and go to the logs and see exactly when it was hit. What message it was sending through, all of that good stuff.

JASON: Yeah.

CHRIS: And Juans point in chat is fantastic, too, its scoped to the specific user, whereas, if you had an API key on an organization, like really hard to tell who that API key belongs to. And this is, oh, you logged in as Jason, you grabbed that token.

JASON: Nice, really good. OK. Lets  is this in a place where we can try it? Can we just pop open the chat and try to get some 

CHRIS: Almost. I think so, one more thing.

JASON: OK.

CHRIS: Let me double check. Oh, boy, a lot of things.

JASON: Yeah, we need to register this somewhere, correct?

CHRIS: Yes, go to api/chat/route. And to do that... yeah, let's talk through that one... where's our current state? It's hard to tell. Messages, basically, underneath that messages line, let's do tools.

JASON: Tools or active tools?

CHRIS: Tools. And it'll be an object. And list repositories will be that. And then, that should be able to auto-import for you from the top, perfect. OK. So let me double check my code against yours. Let's test it out. Let's see what happens.

JASON: Am I going to need to authenticate with GitHub?

CHRIS: Yes, this is the part... it'll show a new UI for like connecting the GitHub. But I don't think it will here because we haven't registered any new components. Let's just see.

JASON: So let's try to get all of the issues for my personal site. I think it's only a couple. And is it thinking? Or is it dead?

CHRIS: I can't really tell. Might be dead.

JASON: It hasn't thrown anything here. So what does that mean?

CHRIS: So, what should happen is that... yeah. It should show an error. The error would show that it has to go call the Token Vault, basically. I usually just do like show my repos. Yeah.

JASON: OK, so...

CHRIS: Find some logs, yeah.

JASON: I'm not seeing a single log.

CHRIS: Gotcha. Huh.

JASON: And... let's see. So let me just log out and log back in. And I'm going to try signing in with GitHub, again.

CHRIS: OK, cool.

JASON: OK. And now, yeah, now we're doing all of the stuff. Let's try that one more time. Share my repos, it's thinking and dead.

CHRIS: And no error, that's the tough part.

JASON: No error, no logs of any sort. Is there a place that we want to attempt to log from to see if we can catch anything?

CHRIS: Yeah, I feel like this route, the chat route should definitely be a place to log something.

JASON: OK. Let's see...

CHRIS: The messages up top, too?

JASON: Messages, and let's put that right up there. And then, let's also maybe log result just to see what comes out.

CHRIS: Yeah.

JASON: And come out here, we're going to refresh the page. And show new repos.

CHRIS: OK. It has the full.

JASON: It's getting something. Status is pending. And it knows the tool exists. But then, it's not going through. It's like...

CHRIS: Yes, I have... I think there's a hook here we need to implement.

JASON: OK.

CHRIS: But I'm not entirely sure the exact usage of it from the AI SDK.

JASON: OK. Convert to... so... just because I know we're really short on time.

CHRIS: Yep.

JASON: Is there a way to time travel forward in this repo to get to a...

CHRIS: Yes.

JASON: To where we know works?

CHRIS: Yes. If you want to commit everything you have currently.

JASON: OK. Double check I didn't add the .env, I didn't. We're going to git commit and we're going to say...

CHRIS: Good old WIP.

JASON: OK.

CHRIS: Perfect. Let's check out stage-3 as the branch.

JASON: OK.

CHRIS: Cool. So if you want to look at this, this is the... there's two big parts here from where we were to where this is. And most of it is if you scroll down, there's with interruptions on line 28.

JASON: Yep.

CHRIS: And create UI message stream. This is a Vercel SDK thing that basically says, I am able to render components directly in chat.

JASON: Yep.

CHRIS: With interruptions basically says if I want to check something back from the user, I can stop execution while I go get approvals.

JASON: Got it. OK. So hopefully, it's all... I named everything the same. And so, we'll see... show my repos. Hey, look at that. Now, we can connect GitHub. Unexpected error.

CHRIS: Oh, no.

JASON: I'm probably missing...

CHRIS: There's definitely something in your dashboard that needs a config change, but... let me show you this. Let's go to your dashboard. Go down to monitoring.

JASON: OK.

CHRIS: And jump into logs. OK. Failed exchange there.

JASON: Mm-hmm. Refresh token not found. Should I fully clear cookies and see if maybe we do this, again?

CHRIS: Let's try that and I have one more thing, and then... we'll go from there.

JASON: Worst case, do you have this running on your computer?

CHRIS: I do.

JASON: Maybe what we can do, if you want to get that ready to rock, if you want to share your screen, we can swap over. Just to see. I think we got caught by config.

CHRIS: 100%. Yeah.

JASON: It wasn't related to what we were trying to build, it was me not finding the right keys. I would love to at least see how this works. Yeah, I think I must have screwed something up on config. And since we don't have time to debug, why don't we look at your screen instead.

CHRIS: Yes. Let me make sure I'm set up real quick. OK. Let me share my screen.

JASON: OK. And I'm going to swap us out straight up once I see it come in. OK. There's yours, we're going to take mine off, put yours on.

CHRIS: OK.

JASON: Now, we're looking at your screen here.

CHRIS: Perfect. So yeah, here we are. If I say show my repos, goes... oh my gosh, me too?

JASON: Oh, no, did we hit an outage? There's the repositories, OK.

CHRIS: Gosh. OK.

JASON: OK.

CHRIS: There's my repos. I had another part to this demo where I would say create a GitHub issue on one of these repos, and then, it would ping my phone and say hey, agent is trying to create an issue on your repo, yes or no, and then, it would allow that to happen. So... yeah, I think... from a coding standpoint, a lot of this is... like a lot of this was AI SDK, some Auth0 code, but a lot of it is configuration, which is the interesting part here.

JASON: Right. And so, really what it is is like, we... you know, we're... we need to jump through the right hoops to make sure we have the right keys and secrets in the right places so that when my app goes to Auth0 to get a GitHub token, all of those things are lined up and properly telling each other like, yes, I'm allowed to do that. Making this like... I know there are ways to make this stuff less painful, but at the same time, you don't want it to be, you should be sure that you're actually sharing these things back and forth. And so, you know, I agree with this idea, you set it up once, you do it right, make sure it's all working. So do you have somewhere people can go? I know you didn't get through everything we wanted to show. Do you have this demo somewhere where people are able to interact with or watch you build somewhere else or anything like that?

CHRIS: Sure. Real quick, too, I want to point out. In our logs, you can start to see where this gets really fun because you can see authorization code exchange for access token, it came and said I need a new access token to use the tool called list repositories. And then, it's like, oh, successfully gave access to that thing and that... so now you have, like, traceability on to when things are happening. And then, also, if I go to my users, here's me... you can start to see like their history of when they did certain things. And all of this is available via the Auth0 API, so if you wanted to build in audit reporting on your app as far as like oh, this person's agent did this, you could start building a lot of that out from all of the data in here.

JASON: Got it. Very cool. And if somebody wants to dig in and learn how to build what you just built, since we were able to get that screwed-up config, right. How can somebody kind of step through this with you?

CHRIS: Yeah, so there's actually a demo app we have, it's our kitchen sink, all the things we talked about in one and even more than we talked about today. Here's chat, right, you can say, buy me a Mac Mini, and this is where you can see it say, oh, hey, I need to send you a notification to your phone or email. And if I have this fully configured, it would say, yes, and it would go in and make a fake purchase, right? And so it does everything here for Token Vault and there's a demo in here for RAG. So if you upload a file here, you can share it to a person and then, you can see how this flow works. I go back to chat and say hey, what's in that file? If I don't have access to it, it won't read from it.

JASON: Got it.

CHRIS: If you search for Assistant0, you can find this at this GitHub repo here. And...

JASON: Nice.

CHRIS: Quick Google for Assistant0 will get you there.

JASON: All right, Chris, thank you so much for taking time to show us today. I mean, I'm really excited that y'all are working on this space. I can't wait to see how it, you know, as it continues to improve and mature and get more powerful, what that's going to enable for folks. Folks want to find you online, we're going to send them one more time to your account. So I'll drop that link in the chat for people. And then, if you want to get started with Auth0, head over to auth0.ai, let me drop that in the chat one more time. Any parting words before we call this one done?

CHRIS: Yeah, I think... I don't want to be the guy that's like all doom and gloom, right? But it's more of a, hey, things are moving at light speed here, it's so fun to be a dev right now and be building. People talk about the one-person billion-dollar company is coming with like 10 million agents underneath that person. But yeah, as long as we're like safe and moving and setting up the correct foundations, I think the foundations and the security and authorization are what's needed to move faster, right? It's not slowing us down, yes, there's setup, but once you're good, you'll move it.

JASON: For sure. Excellent. Yeah. Well, Chris, thank you so much for taking time to hang out with us today. I am really excited to see this space moving forward. And thank you to everybody who's watching along today. This has been Learn with Jason. If you're enjoying this, please, consider liking, subscribing, maybe even becoming a CodeTV supporter. Head over to CodeTV.dev, check out Learn with Jason episodes and other shows, we have the companion podcast, as well, where Chris and I go deep on what it means to have agents and how to give them a little bit more boundaries so they can't ruin our lives. Chris, thank you, again, for being here. Thank you all for hanging out. We will see you next time.

CHRIS: Thanks, Jason. Thanks, everybody.