Auth0 Access Shell

Delegated Google access should be obvious, constrained, and reversible.

This shell makes Auth0 visible in the product story. Sign-in starts the app session, Google connects through Auth0, and external actions stay separate from local Warrant policy.

signed out | not connected | Open demo scenario

Session

Auth0 shell

signed out

Sign in before agents request external access.

Warrant keeps local policy separate, but Google access still begins with an Auth0 session you control.

Continue with Auth0

Identity gate

Auth0 session

Live diagnostics

auth0_configured=true | auth0_client_ready=true | has_session=false | has_refresh_token=unknown

Provider connection

Google through Auth0

not connected

Google is not connected yet.

Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Delegated lifecycle: Google is not linked through Auth0 for this session.

Live diagnostics

connection_name=google-oauth2 | account_label_source=none

connected_account_evidence=none

connect_href=/auth/connect?connection=google-oauth2&returnTo=%2F&access_type=offline&prompt=consent&scopes=openid&scopes=profile&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.compose&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send

connect_start_href=/api/connect/google?returnTo=%2F

lifecycle_state=not-connected | connect_flow_state=not-started

bootstrap_outcome=missing-session | bootstrap_attempted=false

bootstrap_note=Bootstrap cannot run until an Auth0 session is active.

token_exchange_attempted=false | token_exchange_outcome=not-attempted | token_exchange_failure_edge=none

token_exchange_note=Connection evaluation requires an active Auth0 session first.

Sign in with Auth0

Boundary

Two-layer enforcement

Local Warrant policy

Decides whether an agent should be allowed to attempt a category of action.

Auth0-backed external access

Decides whether the app can actually reach Gmail or Calendar through delegated Google access.

Connect contract

Google Token Vault readiness

connect-ready

Google can be linked through Auth0's connected-account flow.

The shell starts a connect wrapper that forwards into /auth/connect with offline Google access and surfaces bootstrap failures before Google handoff when they happen.

This branch keeps the base session and provider connection inputs visible while the homepage exercises the live Calendar availability, Gmail draft, and send-email boundaries through Auth0-backed Google access.

Connection name: google-oauth2

Auth params: access_type=offline prompt=consent

Token Vault connection id: con_KYr4TsVRVbKAvmJC

Delegated scopes:

openid
profile
https://www.googleapis.com/auth/calendar.readonly
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.send
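
The connect contract above can be checked mechanically. This is an added example, not code from the Warrant shell or Auth0: it audits the connect_href shown in the diagnostics against the declared connection and delegated scopes, and confirms that returnTo stays local. The helper name auditConnectHref and the placeholder origin https://app.invalid are assumptions.

```javascript
// Added example: audit a connect link against the contract the page declares.
// CONNECT_HREF is copied from the connect_href diagnostic; DECLARED mirrors the
// connection name and delegated scopes. auditConnectHref is a hypothetical helper.
const CONNECT_HREF =
  "/auth/connect?connection=google-oauth2&returnTo=%2F&access_type=offline" +
  "&prompt=consent&scopes=openid&scopes=profile" +
  "&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly" +
  "&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.compose" +
  "&scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send";

const DECLARED = {
  connection: "google-oauth2",
  scopes: [
    "openid", "profile",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.send",
  ],
};

function auditConnectHref(href, declared) {
  const findings = [];
  // Placeholder origin (assumption) so a relative href can be parsed.
  const base = "https://app.invalid";
  const url = new URL(href, base);
  if (url.origin !== base || url.pathname !== "/auth/connect") {
    findings.push("unexpected-endpoint");
  }
  const q = url.searchParams;
  if (q.get("connection") !== declared.connection) findings.push("connection-mismatch");

  const requested = q.getAll("scopes");
  for (const s of requested) if (!declared.scopes.includes(s)) findings.push(`undeclared-scope:${s}`);
  for (const s of declared.scopes) if (!requested.includes(s)) findings.push(`missing-scope:${s}`);

  // Refresh-capable (offline) access should always carry an explicit consent prompt.
  if (q.get("access_type") === "offline" && q.get("prompt") !== "consent") {
    findings.push("offline-without-consent");
  }

  // returnTo must be a local path: one leading slash, not followed by "/" or "\".
  const returnTo = q.get("returnTo") ?? "";
  if (!/^\/(?![\/\\])/.test(returnTo)) findings.push("returnTo-not-local");
  return findings;
}
```

An empty result means the link requests exactly what the contract declares; any finding names the field that drifted.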

auth0 token vault

Calendar availability

disconnected

Calendar availability cannot reach Google yet.

Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Request: 2026-04-18T08:00:00.000Z to 2026-04-18T18:00:00.000Z

Provider state: not connected

Google is not connected through Auth0. Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Blocked by Auth0-backed provider availability.

Failure code: provider-disconnected

Next: Sign in with Auth0

auth0 token vault

Gmail draft

disconnected

Gmail draft preparation cannot reach Google yet.

Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Request: founders@northstar.vc

Provider state: not connected

Google is not connected through Auth0. Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Blocked by Auth0-backed provider availability.

Failure code: provider-disconnected

Next: Sign in with Auth0

auth0 token vault

Send email

disconnected

Send email cannot reach Google yet.

Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Request: founders@northstar.vc

Provider state: not connected

Google is not connected through Auth0. Start with Auth0 sign-in, then connect Google so Calendar and Gmail run through delegated access instead of broad app credentials.

Blocked by Auth0-backed provider availability.

Failure code: provider-disconnected

Next: Sign in with Auth0

Visible outcomes

Google connection states

Connected

Auth0 can mint delegated Google access for Calendar reads and Gmail actions.

Not connected

The user is signed in, but Google has not been linked through Auth0 yet.

Pending

The provider handoff started, but the delegated path is not ready to use yet.

Expired

A previous Google link exists, but Auth0 can no longer mint delegated access until the session is refreshed.

Unavailable

The shell is missing config or the delegated token path cannot be used right now.

Truthful readiness

Connect lifecycle states

Delegated access ready

Auth0 can mint delegated Google tokens right now.

Not connected

Google has not been linked through Auth0 yet.

Connect flow not started

No successful connect handoff attempt has been started from this shell state.

Connect flow started

Auth0 connect initiation started, but delegated readiness is still pending.

Bootstrap failure before handoff

Auth0 failed before Google consent handoff could start.

Identity visible, access unusable

An account identity is visible, but Auth0 still cannot mint delegated access tokens.

Tenant/config issue

Auth0 app or tenant configuration is blocking connected-account readiness.

Callback/redirect issue

Connect callback or redirect settings are blocking completion.