AI agent authorization done right
VaultDefender is a least-privilege GitHub agent that combines Auth0 Token Vault for delegated GitHub access with an app-level policy engine that restricts what the agent may do inside allowed repositories and path prefixes.
Path-level policies
GitHub scopes grant repo access. VaultDefender adds finer path-prefix and action restrictions on top.
Full audit trail
Every tool call, policy decision, and approval is logged and visible in a clear dashboard.
Risk-aware actions
Actions are classified by risk. High-risk operations require explicit human approval before execution.
Token Vault
GitHub tokens are stored by Auth0, never by the app. Credentials are fetched on demand and never exposed.
Central policy guard
Every tool invocation passes through a single policy engine before any GitHub API call is made.
Transparent boundaries
Users see exactly what the agent can do, where it can do it, and what requires their approval.
“GitHub permissions are still coarser than many safe AI workflows need, so VaultDefender overlays finer app-level path policies and approval rules.”