ShieldClaw

Landing Page
Model Exploration on Auth0
Graph Demonstrating Auth0 Calls Made By ShieldClaw Prompts
Latency Of Auth0 Over Time
Auth0 Logs

Everyone demands efficiency, but without security how useful is it really?

OpenClaw is a viral, open-source framework for autonomous AI agents that runs locally and executes real-world tasks such as file management and web browsing. But as great as it sounds, OpenClaw has its vulnerabilities. Which is why we built ShieldClaw, a secure and interpretable upgrade on OpenClaw using Auth0 AI Security/Authentication and Backboard.io's API.

What it does

ShieldClaw is the result of weaving Auth0's security and authentication measures through every step of OpenClaw's workflow, combined with Backboard.io's persistent memory and threaded execution to create a fully secured, context-aware, and traceable AI agent.

Backboard acts as the intelligence and observability layer for the system. Every request is routed through Backboard where threads maintain execution context, persistent memory stores long-term user information, and security decisions are logged to create a transparent audit trail of agent behaviour.

How we built it

Auth0 JWKS (JSON Web Key Sets)
ShieldClaw fetches Auth0's public JWKS endpoint to validate every incoming token against Auth0's actual signing keys before any business logic runs. A forged or tampered token from any third party is rejected on arrival regardless of how well-formed it looks.

Auth0 JWT Verification
Every request proxied through ShieldClaw has its token fully verified inline, checking signature, expiry, issuer, and audience before it touches any routing or agent logic. Security context values like risk_level and trust_tier are embedded directly into the signed token, so ShieldBot always reads verified, tamper-proof data about who is making the request.

Auth0 Token Endpoint (Client Credentials)
ShieldBot authenticates as its own non-human identity using Auth0's Client Credentials flow, receiving a scoped access token that proves who it is to every downstream service. This keeps ShieldBot's identity completely separate from the human user it acts on behalf of, so every action it takes is cryptographically attributable to the agent, not the person.

Auth0 Token Vault
Instead of storing third-party API keys in environment files, ShieldClaw uses Auth0's Token Vault to keep all external credentials locked on Auth0's side. At runtime, ShieldBot requests a short-lived token for the specific service it needs, meaning the raw secret is never exposed to the agent, and a compromised session can never walk away with permanent credentials.

Auth0 FGA (Fine-Grained Authorization)
Every resource in ShieldClaw is modeled as relationship tuples in OpenFGA, and every query to Backboard is gated by an FGA check before any data is returned to the agent. The authorization model explicitly blocks ShieldClaw from editing its own source code or logic, deleting anything that has not been specifically selected by the user, and making purchases or API calls that have not been explicitly instructed, making these restrictions structural rather than just rule-based. Even if ShieldBot is manipulated through a prompt injection attack, it is physically incapable of taking those actions because the permissions simply do not exist in the model.

Auth0 Agent Identity
Every agent in ShieldClaw is registered with its own unique non-human identity, meaning every action it takes is logged and attributable to the agent specifically rather than being mixed in with human user activity. This creates a clean audit trail that makes it immediately obvious when an agent has done something it should not have, and allows any individual agent to be instantly revoked without touching the human account or any other part of the system.

Backboard Threaded Execution
Every user interaction first creates a Backboard thread that acts as the execution context for the request. This allows the system to maintain conversation state, track tool calls, and run structured AI workflows instead of stateless prompt responses.

Backboard Persistent Memory
Backboard automatically extracts and stores relevant information from interactions, allowing ShieldClaw to remember user preferences, retrieve past context, and reason consistently across conversations and multi-step workflows.

Backboard Security Evaluation & Audit Trail
All agent actions are evaluated and logged through Backboard. Security decisions, risk scores, and agent actions are stored as memory records, creating a transparent audit trail that can be visualized through the Backboard dashboard.

Challenges we ran into

Getting Auth0 FGA to sit correctly between the agent and Backboard so that permission checks happened before any data was ever retrieved took a lot of iteration. We also had to figure out how to cleanly separate agent identity from human identity in a way that held up across every part of the request pipeline.

Accomplishments that we're proud of

We built a system where even if an AI agent gets manipulated or hijacked, it is physically blocked from doing anything destructive because the permissions do not exist at the authorization layer. Getting prompt injection to be a non-issue by design rather than by filtering felt like a genuinely meaningful security win.

By integrating Backboard as the system’s intelligence and observability layer, we also made every agent action traceable, context-aware, and auditable, allowing us to visualize threads, memory usage, and security decisions in real time through the Backboard dashboard.

What we learned

We learned that the right way to secure an AI agent is not to monitor what it does after the fact, but to make dangerous actions structurally impossible before they can even be attempted. Auth0's tooling made it possible to treat authorization as infrastructure rather than application logic, which completely changed how we thought about the problem.

Working with Backboard also showed us how powerful stateful AI systems can be. By introducing threaded execution, persistent memory, and observable workflows, we were able to build an agent that is not only secure but also transparent and accountable in how it reasons and acts.

What's next for ShieldClaw

Auth0 CIBA (Client-Initiated Backchannel Authentication)
The next step is implementing Auth0's CIBA flow so that any high-stakes action like deletions or purchases triggers a push notification to the user requesting explicit confirmation before anything happens. The request expires in 120 seconds, meaning if the user does not respond, the action is automatically aborted.

Built With

auth0
backboard
javascript
json
python
yaml

Submitted to

Hack Canada 2026
- Winner [MLH] Best Use of Auth0

Created by

I built the FGA system in order to limit the ai's capabilities and implement security measures. I also worked on the Token Vault and JWKS keys for secure credential management, and developed the frontend and landing page

Adam Hjouj
tutoroo

John M
Nathan Yan
Jacob John