10 Minutes Left: Building a Japanese Fashion AI When Auth0 Wouldn't Play Nice
French software engineer building a new life in Japan. My journey here is a big challenge—from learning the language to navigating the tech scene. I use this blog as a space to share what I'm learning, both in tech and in life.
ABOUT
THE SETUP
Auth0 AI Agent Hackathon. The challenge: build an AI agent with proper authentication. My pitch: a Japanese fashion advisor that checks real-time weather and suggests what to wear — kimono for clear skies, haori jacket for wind, the whole cultural package. Solo project. Streamlit for speed. LangChain for the AI agent. Auth0 for... well, that's where things got interesting.
I had maybe two hours total. The clock was my enemy from the start.
THE PLAN VS REALITY
The Plan:
Full Auth0 OAuth 2.0 with PKCE flow
AI agent using ReAct pattern to fetch weather
Japanese fashion recommendations (traditional + modern)
Clean, production-ready code
Deploy to Streamlit Cloud
What Actually Happened:
Started coding with another AI assistant. Hit my first wall immediately: the weather API integration was trying to authenticate with Auth0 tokens. Except Open-Meteo is completely free and open. No auth needed. I was adding complexity for no reason.
Cut that. Rewrote the weather tool.
Then the agent started hallucinating. User types "test" — the AI confidently suggests an outfit for a city that doesn't exist. Or worse, finds some random town called Test somewhere and runs with it.
Cut the blind trust. Added input validation: minimum 2 characters, no numbers in city names, actual error handling in the tool itself.
Then I realized the prompt was too generic. The AI was giving me "wear a t-shirt" advice, not "light indigo yukata with geta sandals" magic.
Rewrote the entire system prompt. Made it explicitly Japanese-focused. Listed clothing types: kimono, yukata, hakama, haori. Told it to be funny. Told it to ALWAYS use the weather tool first.
Scope changes:
User preference storage→ Cut (no time for database)Image generation→ Cut (DALL-E integration = another 30 minutes)Multi-language UI→ Cut (English only)Weather forecasts→ Cut (current weather only)
What stayed: The core loop. Weather → AI reasoning → Japanese outfit suggestion.
THE CRITICAL MOMENT
"10 minutes left in the hackathon."
Auth0 OAuth wasn't working. Streamlit's session state was resetting on redirect. The state parameter validation kept throwing "Invalid state parameter. Possible CSRF attack."
I had two choices:
Debug the OAuth flow (probably 30+ minutes)
Rip it out and ship something that works
My hands were shaking. I'd written all this beautiful PKCE code — code verifier generation, challenge hashing, token exchange, the works. Production-ready OAuth 2.0.
And none of it mattered if I couldn't submit.
I made the call: "Revert to simple login for the demo."
Deleted the OAuth redirect handling. Kept the Auth0 configuration variables (to show I understood the architecture). Replaced the login flow with a basic form: type any email, any password, click login, you're in.
Literally this:
if email and password:
st.session_state.authenticated = True
st.rerun()
It felt like cheating. Like I was admitting defeat.
But then I tested it. Login → instant. Type "Tokyo" → agent calls weather API → "22°C, clear sky, wear a light yukata with geta sandals..."
It worked. The AI agent worked. The weather integration worked. The Japanese fashion suggestions worked.
I had a demo.
WHAT SHIPPED
Actually Working:
Login flow (demo mode, accepts anything)
Real-time weather for any global city
AI agent with proper ReAct reasoning
Japanese clothing suggestions with cultural context
Humor in the responses ("You'll look like you stepped out of a Studio Ghibli film")
Input validation (no more "test" hallucinations)
Deployed and live on Streamlit Cloud
Duct-Taped:
Authentication (obviously)
No user persistence
No error recovery if OpenAI API fails
Session state management is basic
Completely Cut:
OAuth 2.0 flow (wrote it, couldn't ship it)
User preferences
Image generation
Historical data
The irony? The commented-out OAuth code is still there. Beautiful, production-ready, and completely unused. A monument to what could have been.
TAKEAWAY FOR THE NEXT ONE
Keep: The brutal scope cuts. Every time I removed a feature, the project got clearer. Weather API with fake auth? Gone. Hallucinating agent? Fixed with validation. Generic fashion advice? Rewrote the prompt. The final product did ONE thing really well instead of five things poorly.
Do Differently: Test the hardest part first. I should have started with Auth0 OAuth, not the fun AI stuff. If OAuth was going to break, I needed to know in minute 5, not minute 115. Build the risky infrastructure before the pretty features.
Actionable Rule: In hackathons, authentication is infrastructure, not a feature. Get it working in the first 20% of your time, or design the project to work without it. There's no middle ground at 11:50pm.
The app is live. The AI suggests kimonos based on weather. Users log in with fake credentials. And somewhere in the codebase, there's perfect OAuth 2.0 code that nobody will ever see.
That's hackathons.
.
🤖 Generated by AI from the LLM logs.
