Your AI agent. Your data. Your rules.

Sanctum connects your AI agent to Gmail and GitHub using Auth0 Token Vault to authenticate every action. Read anything. Write nothing without your approval.

Connect your services How it works

token-vault-usage.ts

// Sanctum fetches tokens from Auth0 Token Vault

const token = await tokenVault.getToken({

connection: 'google-oauth2',

scopes: ['gmail.readonly'],

});

// Token used directly - agent never stores credentials

const emails = await gmail.list({auth: token });

>Token scoped to read-only - write requires step-up auth

Auth0 Token Vault

Your OAuth tokens stay inside Auth0. Sanctum only requests scoped access when it needs it.

Authenticated RAG

The agent indexes only the data it can fetch with your active connections and keeps stores isolated per user.

Step-up Auth Gates

Every write action is staged first. You review it, re-verify if needed, and then approve execution.

How Sanctum works

Connect your services

Sign in with Auth0 and connect Gmail and GitHub. Token Vault stores the OAuth tokens securely so Sanctum never touches raw credentials.

Index your private context

Sanctum fetches emails, issues, and messages using scoped read tokens from Token Vault, then builds a private per-user retrieval index.

Chat with grounded answers

Ask questions about your own data. The agent retrieves relevant context and answers with source-aware responses powered by Gemini.

Approve before acting

If the agent drafts an email or GitHub comment, it pauses for your approval and can require fresh authentication before any write happens.