Auth0 Integration
Use Auth0 as your identity provider with AINative Studio. This guide walks through connecting your Auth0 tenant so your users can authenticate with Auth0 JWTs and access AINative APIs, ZeroDB, and ZeroMemory.
Prerequisites
- An Auth0 account with a tenant
- An AINative Studio account with a project and API key
- Your AINative project ID (found in the dashboard under Settings)
Step 1: Create an Application in Auth0
- Log in to the Auth0 Dashboard
- Navigate to Applications > Applications > Create Application
- Choose the application type that matches your use case:
  - Single Page Application for React, Vue, or Svelte frontends
  - Regular Web Application for Next.js or server-rendered apps
  - Machine to Machine for backend services and agents
- Note your Domain, Client ID, and Client Secret (if applicable)
Your Auth0 domain follows the pattern {tenant}.us.auth0.com.
Step 2: Configure Redirect URIs and Allowed Origins
In your Auth0 application settings, configure:
| Field | Value |
|---|---|
| Allowed Callback URLs | https://your-app.com/callback, http://localhost:3000/callback |
| Allowed Logout URLs | https://your-app.com, http://localhost:3000 |
| Allowed Web Origins | https://your-app.com, http://localhost:3000 |
Create an API (Resource Server)
- Go to Applications > APIs > Create API
- Set the Identifier (Audience) to your AINative API URL, e.g. https://api.ainative.studio
- Set the Signing Algorithm to RS256
- Note the audience value -- you will need it when requesting tokens
Step 3: Register Auth0 as an Identity Provider in AINative
Call the AINative API to register your Auth0 tenant as a trusted identity provider:
```bash
curl -X POST https://api.ainative.studio/api/v1/auth/providers \
  -H "Authorization: Bearer YOUR_AINATIVE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "auth0",
    "domain": "YOUR_TENANT.us.auth0.com",
    "client_id": "YOUR_AUTH0_CLIENT_ID",
    "audience": "https://api.ainative.studio",
    "jwks_uri": "https://YOUR_TENANT.us.auth0.com/.well-known/jwks.json",
    "issuer": "https://YOUR_TENANT.us.auth0.com/",
    "claim_mapping": {
      "user_id": "sub",
      "email": "email",
      "tenant": "org_id"
    }
  }'
```
Claim Mapping
Auth0 JWTs include these claims that AINative maps automatically:
| Auth0 Claim | AINative Field | Description |
|---|---|---|
| sub | user_id | Unique user identifier (e.g. auth0\|abc123) |
| email | email | User email address |
| org_id | tenant | Auth0 Organization ID (for multi-tenant apps) |
Step 4: Test the Connection
Obtain a test token from Auth0 and verify it works with AINative:
```bash
# Get a token from Auth0
TOKEN=$(curl -s -X POST https://YOUR_TENANT.us.auth0.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_AUTH0_CLIENT_ID",
    "client_secret": "YOUR_AUTH0_CLIENT_SECRET",
    "audience": "https://api.ainative.studio",
    "grant_type": "client_credentials"
  }' | jq -r '.access_token')

# Verify against AINative
curl -s https://api.ainative.studio/api/v1/auth/verify \
  -H "Authorization: Bearer $TOKEN"
```
A successful response returns:
```json
{
  "valid": true,
  "provider": "auth0",
  "user_id": "auth0|abc123",
  "email": "user@example.com"
}
```
Step 5: Use Auth0 JWTs with AINative APIs
Once the provider is registered, your users can authenticate with their Auth0 tokens across all AINative services.
Chat Completions
```bash
curl -X POST https://api.ainative.studio/api/v1/chat/completions \
  -H "Authorization: Bearer AUTH0_USER_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "llama-3.3-70b",
    "messages": [
      {"role": "user", "content": "Hello from Auth0!"}
    ]
  }'
```
ZeroDB Vector Search
```bash
curl -X POST https://api.ainative.studio/api/v1/zerodb/vectors/search \
  -H "Authorization: Bearer AUTH0_USER_JWT" \
  -H "X-Project-ID: YOUR_PROJECT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "authentication best practices",
    "top_k": 5
  }'
```
ZeroMemory Store
```bash
curl -X POST https://api.ainative.studio/api/v1/public/memory/v2/remember \
  -H "Authorization: Bearer AUTH0_USER_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "User prefers dark mode",
    "entity_name": "user_preferences"
  }'
```
Step 6: Enable Row-Level Security for ZeroDB (Optional)
Row-Level Security (RLS) ensures that each user can only access their own data in ZeroDB. When enabled, the user_id claim from the Auth0 JWT is automatically applied as a filter on all queries.
```bash
curl -X POST https://api.ainative.studio/api/v1/zerodb/projects/YOUR_PROJECT_ID/rls \
  -H "Authorization: Bearer YOUR_AINATIVE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "user_id_claim": "sub",
    "policy": "strict"
  }'
```
With RLS enabled:
- Vectors: Automatically filtered by the user_id extracted from the JWT sub claim
- Tables: Row-level filtering applied on reads and writes
- Files: Users can only access files they uploaded
- Memory: Each user gets isolated memory namespaces
Auth0 Organizations (Multi-Tenant)
If you use Auth0 Organizations for multi-tenancy, the org_id claim is mapped to AINative's tenant field. This enables tenant-scoped data isolation across ZeroDB and ZeroMemory.
```bash
# Request a token scoped to an organization
curl -X POST https://YOUR_TENANT.us.auth0.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_AUTH0_CLIENT_ID",
    "client_secret": "YOUR_AUTH0_CLIENT_SECRET",
    "audience": "https://api.ainative.studio",
    "grant_type": "client_credentials",
    "organization": "org_TENANT_ID"
  }'
```
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Token expired or audience mismatch | Verify the audience parameter matches what you registered |
| 403 Forbidden | RLS blocking access | Check that the sub claim in the JWT matches the data owner |
| invalid_token error | JWKS URI unreachable | Confirm your Auth0 domain is correct and accessible |
| Missing email claim | Scopes not requested | Add openid email profile to your authorization request scopes |
| Missing org_id claim | Not using Auth0 Organizations | Only available when authenticating through an Auth0 Organization |
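To narrow down which row of the table above applies before calling the API, the following added example (not AINative or Auth0 code) decodes a token locally and compares its header and claims with the values registered in Step 3. It is a diagnostic only and does not verify the signature; the function names `preflight` and `make_sample` and the sample token are constructed for illustration.

```python
import base64, json, time

# Assumed values, mirroring the placeholders registered in Step 3.
EXPECTED = {
    "issuer": "https://YOUR_TENANT.us.auth0.com/",  # trailing slash is part of the value
    "audience": "https://api.ainative.studio",
    "alg": "RS256",
}
CLAIM_MAPPING = {"user_id": "sub", "email": "email", "tenant": "org_id"}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, now=None):
    """Return (mapped_fields, problems). Diagnostic only: the signature is NOT verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["not a three-part compact JWT"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    problems = []
    if header.get("alg") != EXPECTED["alg"]:
        problems.append(f"alg is {header.get('alg')!r}, the API was set up for RS256")
    if claims.get("iss") != EXPECTED["issuer"]:
        problems.append("iss does not match the registered issuer")
    aud = claims.get("aud", [])
    if EXPECTED["audience"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append("audience mismatch (401)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (401)")
    # Apply the Step 3 claim mapping and report any claim the token lacks.
    mapped = {field: claims.get(claim) for field, claim in CLAIM_MAPPING.items()}
    for field, claim in CLAIM_MAPPING.items():
        if mapped[field] is None:
            problems.append(f"missing {claim} claim, so {field} is empty")
    return mapped, problems

def make_sample(claims, alg="RS256"):
    """Build a constructed demo token; the third segment is a dummy, not a signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    # Constructed sample: issuer lacks the trailing slash, no email or org_id claim.
    sample = make_sample({"iss": "https://YOUR_TENANT.us.auth0.com", "sub": "auth0|abc123",
                          "aud": ["https://api.ainative.studio"], "exp": 2_000_000_000})
    print(preflight(sample, now=1_700_000_000))
```

A clean result here only means the claims line up with the registration; the API still decides validity by checking the RS256 signature against the JWKS.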
Next Steps
- ZeroMemory Guide -- Add persistent memory to your Auth0-authenticated agents
- API Reference -- Full API documentation
- SDK Quick Start -- Client SDKs for React, Next.js, Vue, Svelte, and Python