Explainer
This demonstration shows how Auth0 and Auth0 FGA can support delegated account access — where one person acts on behalf of another within clearly defined, auditable, revocable boundaries. The blog series below explains the concepts and implementation in detail.
Blog series
Acting on behalf of: separating the actor from the account in modern identity
Why delegated access is harder than it looks, and why role-based access control alone does not solve it. Covers the three-party model (actor, subject, resource), real-world examples across healthcare, financial services, telco, media and case management, and how Auth0 and Auth0 FGA address the two complementary sides of the problem.
Implementing delegated access with Auth0 and Auth0 FGA
The implementation: how Auth0, Auth0 FGA and an application data store fit together. Covers the FGA authorisation model with time-bounded conditional tuples, the delegation lifecycle (grant → accept → revoke), MFA step-up gating and a non-obvious SDK gotcha, and an on-behalf-of token following RFC 8693 conventions where sub = represented party and act.sub = actor.
Delegated access part three: approval flows and Auth0 CIBA
The request-then-approve pattern: a user requests access they do not yet have, FGA resolves who can approve it, and Auth0 CIBA sends a Guardian push to the approver's device. Covers the bc-authorize and polling flow, the simulation fallback for demos, and why the approval creates a delegation rather than being the authorisation itself.
CIBA timeouts and durable consent: building reliable approval flows
What happens when the five-minute CIBA window closes before the approver responds. Covers the distinction between the auth_req_id delivery ticket and the durable Firestore approval request, the hybrid CIBA-push-plus-in-app-inbox architecture, the re-send mechanism, and the three-event consent audit chain that gives regulated industries a provable compliance record.
About this demo — The application is built with Next.js on Vercel, using Auth0 for authentication and Auth0 FGA for relationship-based authorisation. Delegation records are stored in Firestore; FGA relationship tuples are derived state written and removed by the application as delegations are created and revoked. All sensitive actions require MFA step-up; delegated operations use a short-lived on-behalf-of token following RFC 8693 conventions.
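As an added illustration (not the demo's own code) of how the stored delegation record, the derived FGA tuple and the RFC 8693-style on-behalf-of token relate, and why revocation and expiry are enforced at both layers, the Python below uses hypothetical names for the relation, object and condition:

```python
"""Added example: delegation record -> derived FGA tuple and on-behalf-of claims,
with the time bound enforced when the token is issued and when a call is checked."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    actor: str        # who acts (becomes act.sub)
    subject: str      # whose account is represented (becomes sub)
    resource: str     # FGA object, e.g. "account:acc-42" (hypothetical naming)
    relation: str     # FGA relation, e.g. "delegate" (hypothetical naming)
    expires_at: int   # unix seconds; the time bound on the grant


def fga_tuple(d: Delegation) -> dict:
    """Derived FGA state mirroring the stored delegation. The condition shape
    follows OpenFGA conditional tuples; the condition name and context key
    are assumptions for this example."""
    return {
        "user": f"user:{d.actor}",
        "relation": d.relation,
        "object": d.resource,
        "condition": {"name": "not_expired", "context": {"expires_at": d.expires_at}},
    }


def obo_claims(d: Delegation, now: int, ttl: int = 300) -> dict:
    """On-behalf-of claims per RFC 8693 conventions: sub = represented party,
    act.sub = actor. The short-lived token never outlives the delegation."""
    if now >= d.expires_at:
        raise PermissionError("delegation expired; no on-behalf-of token issued")
    return {"sub": d.subject, "act": {"sub": d.actor}, "iat": now,
            "exp": min(now + ttl, d.expires_at)}


def authorize_delegated_call(claims: dict, tuples: list, obj: str, relation: str, now: int) -> bool:
    """Server-side check on a delegated request: the token must still be live AND
    an unexpired tuple must link act.sub to the resource. Both checks matter:
    revoking a delegation removes the tuple before the token has expired."""
    if claims.get("exp", 0) <= now or "act" not in claims:
        return False
    actor = f"user:{claims['act']['sub']}"
    for t in tuples:
        if (t["user"] == actor and t["relation"] == relation and t["object"] == obj
                and now < t["condition"]["context"]["expires_at"]):
            return True
    return False
```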