Delegated Account Demo

Explainer

This demonstration shows how Auth0 and Auth0 FGA can support delegated account access — where one person acts on behalf of another within clearly defined, auditable, revocable boundaries. The blog series below explains the concepts and implementation in detail.

Blog series

Part 1 (tobytes.com)

Acting on behalf of: separating the actor from the account in modern identity

Why delegated access is harder than it looks, and why role-based access control alone does not solve it. Covers the three-party model (actor, subject, resource), real-world examples across healthcare, financial services, telco, media and case management, and how Auth0 and Auth0 FGA address the two complementary sides of the problem.

Tags: Concept, Architecture

Part 2 (tobytes.com)

Implementing delegated access with Auth0 and Auth0 FGA

The implementation: how Auth0, Auth0 FGA and an application data store fit together. Covers the FGA authorisation model with time-bounded conditional tuples, the delegation lifecycle (grant → accept → revoke), MFA step-up gating and a non-obvious SDK gotcha, and an on-behalf-of token following RFC 8693 conventions where sub = represented party and act.sub = actor.

Tags: Implementation, Auth0, Auth0 FGA

Part 3 (tobytes.com)

Delegated access part three: approval flows and Auth0 CIBA

The request-then-approve pattern: a user requests access they do not yet have, FGA resolves who can approve it, and Auth0 CIBA sends a Guardian push to the approver's device. Covers the bc-authorize and polling flow, the simulation fallback for demos, and why the approval creates a delegation rather than being the authorisation itself.

Tags: CIBA, Approvals, Auth0 FGA

Part 4 (tobytes.com)

CIBA timeouts and durable consent: building reliable approval flows

What happens when the five-minute CIBA window closes before the approver responds. Covers the distinction between the auth_req_id delivery ticket and the durable Firestore approval request, the hybrid CIBA-push-plus-in-app-inbox architecture, the re-send mechanism, and the three-event consent audit chain that gives regulated industries a provable compliance record.

Tags: CIBA, Resilience, Compliance

About this demo

The application is built with Next.js on Vercel, using Auth0 for authentication and Auth0 FGA for relationship-based authorisation. Delegation records are stored in Firestore; FGA relationship tuples are derived state, written and removed by the application as delegations are created and revoked. All sensitive actions require MFA step-up; delegated operations use a short-lived on-behalf-of token following RFC 8693 conventions.