Delegated authorization
The process relies on delegated authorization, where the user grants your AI application or AI agent permission to access protected resources without sharing their credentials directly. This is achieved through access tokens:. After a user authenticates, Auth0 issues an access token to your AI application. This token represents the user’s consent and defines the scope of permissions granted.API on Auth0
An API is an entity that represents an external resource, capable of accepting and responding to protected resource requests made by applications. These APIs are configured to accept and validate access tokens. To protect an API, it must be registered as an API using the Auth0 Dashboard.How it works for AI apps and agents
1
User authentication
A user logs into your AI application or agent interface (e.g., via Universal
Login).
2
Access token issuance
Upon successful authentication, an access token is issued to your
application.
3
AI agent makes a tool call
When the AI agent needs to access user-specific data or perform an action,
it makes a tool call to an API endpoint.
4
Token forwarding
The access token obtained in step 2 is included in the API request
(typically in the
Authorization header).5
API validation & response
The API validates the access token. If valid, it processes the request on
behalf of the user and returns the response to the AI agent.
6
AI agent receives and processes the information
The AI agent then uses this response to fulfill the user’s request.