Authorized to Act: Auth0 for AI Agents
TOKEN VAULT
By the Kodez Team

Why We Built Auth0 Token Vault Into Kodez CheckMate From Day One
When we started building Kodez CheckMate, the hardest problem wasn't the AI Agent, the scan orchestration, or the JIRA integration. It was a question we kept coming back to: where do the tokens live?

CheckMate connects to GitHub, JIRA, Confluence, and Microsoft Teams on your behalf. That means OAuth access tokens. Refresh tokens. Credentials with real write permissions. The naive path — storing them in a database, passing them through the app layer, caching them in the browser — felt wrong from the first whiteboard session. Not wrong in a theoretical way. Wrong in a "this will cause an incident one day" way.

We evaluated several approaches. Environment variables felt too brittle at scale. A secrets manager added operational overhead we didn't want to impose on users. Then we looked harder at Auth0 Token Vault, and something clicked.

Before we even got to Token Vault, we had to solve a related challenge: Auth0 doesn't have a social connection for every service we needed. GitHub was straightforward — Auth0 ships with a GitHub connector out of the box. JIRA, Confluence, and Microsoft Teams were a different story. What made this tractable is that Auth0 supports any OIDC-compliant connection. Each of those three services exposes an OIDC-compatible identity layer, so we registered them as custom social connections and Auth0 handled the rest — including the token lifecycle. No custom OAuth dance, no hand-rolled callback handlers.

That's where Token Vault came in. It keeps every credential inside the Auth0 infrastructure, completely isolated from the client application. The app never holds a token. The browser never sees one. When the AI Agent needs to create a JIRA ticket or post to Teams, it calls through the vault — the token is used, but never exposed. The attack surface for credential theft essentially collapses.
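As an added illustration of the call-through pattern described above (example code, not Kodez's or Auth0's own): the backend exchanges the user's Auth0 refresh token for a short-lived federated access token for one connection, hands it to a single upstream call, and never returns, stores or logs it, so only Auth0 holds the long-lived credential. The grant-type and token-type URNs are assumed from Auth0's Token Vault documentation (verify against your tenant), the connection names are constructed placeholders, and `post` is an injected HTTP function so the example runs offline.

```python
from typing import Any, Callable, Dict

# Auth0 Token Vault exchange parameters (assumed from Auth0's documentation).
GRANT_TYPE = ("urn:auth0:params:oauth:grant-type:"
              "token-exchange:federated-connection-access-token")
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
REQUESTED_TOKEN_TYPE = ("http://auth0.com/oauth/token-type/"
                        "federated-connection-access-token")
# Connection names are tenant-specific; these are constructed placeholders.
ALLOWED_CONNECTIONS = {"github", "jira-oidc", "confluence-oidc", "teams-oidc"}


def build_exchange_request(domain, client_id, client_secret, refresh_token, connection):
    """Return (url, form body) for the Token Vault exchange at /oauth/token.
    The refresh token is the only long-lived secret and never leaves the backend."""
    if connection not in ALLOWED_CONNECTIONS:
        raise ValueError(f"connection not allow-listed: {connection}")
    body = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "subject_token": refresh_token,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "connection": connection,
    }
    return f"https://{domain}/oauth/token", body


def call_through_vault(post: Callable[[str, Dict[str, str]], Dict[str, Any]],
                       domain, client_id, client_secret, refresh_token,
                       connection, upstream_call: Callable[[str], Any]) -> Any:
    """Exchange, use once, drop: upstream_call(access_token) performs the single
    API action (e.g. create a JIRA issue). The federated token is never returned,
    stored or logged by this layer, so there is nothing for the app to leak."""
    url, body = build_exchange_request(domain, client_id, client_secret,
                                       refresh_token, connection)
    resp = post(url, body)
    if "access_token" not in resp:  # Auth0 reports failures as error/error_description
        raise PermissionError(f"{connection}: {resp.get('error', 'exchange failed')}")
    return upstream_call(resp["access_token"])


def fake_auth0_post(url: str, body: Dict[str, str]) -> Dict[str, Any]:
    """Constructed stand-in for Auth0 (offline): checks request shape, mints a fake token."""
    if not (url.endswith("/oauth/token") and body["grant_type"] == GRANT_TYPE
            and body["requested_token_type"] == REQUESTED_TOKEN_TYPE
            and body["subject_token"] == "rt_example"):
        return {"error": "invalid_request"}
    return {"access_token": f"fat_{body['connection']}", "token_type": "Bearer",
            "expires_in": 3600}
```

In production, `post` would be a real HTTPS client call to the tenant's `/oauth/token` endpoint, and the allow-list would be the set of connections actually registered in Auth0.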

What surprised us was how naturally this composed with Auth0's session model. Users were already authenticating through Auth0 to access CheckMate. Managing integration credentials through the same trust boundary — via OIDC connections feeding directly into Token Vault — felt like a coherent system, not a patchwork.

The compliance angle mattered too. Teams operating under SOC 2 or ISO 27001 need demonstrable controls around third-party credentials. Token Vault provided that without adding any operational burden to customers.

The architectural decision that took the most deliberation ended up being the one we'd change least.

Kodez CheckMate — AI-Powered SecOps Orchestration for Auth0.