kavachos/kavachos

KavachOS

Auth for AI agents and humans. One library, both sides.

by GLINR STUDIOS · a GLINCKER LLC project

Quickstart · Documentation · Examples · Discussions · KavachOS Cloud


Why KavachOS

Most auth libraries stop at human sign-in. That leaves you stitching together separate systems when your AI agents need identity, scoped permissions, delegation, and audit trails. KavachOS handles both in one place.

How it differs

Ask yourself about the auth library you're using or evaluating:

  • Does it model AI agents as first-class identities, with their own scoped permissions and an audit trail you can export, not just human users with API keys?
  • Does it ship an MCP OAuth 2.1 authorization server that complies with the published RFC stack (9728, 8707, 8414, 7591), so your agents can talk to MCP servers without you writing the spec?
  • Does it run on Cloudflare Workers, Bun, and Deno without Node-only APIs in the core?
  • Does it give you delegation chains with depth limits, budget policies per agent, and CIBA-style approval flows for sensitive tool calls?

If any of those is a no, that gap is why kavachos exists.

Agent identity

Cryptographic bearer tokens (kv_...), wildcard permission matching, delegation chains with depth limits, budget policies, anomaly detection, and CIBA approval flows.

Human auth

14 methods: email/password, magic link, email OTP, phone SMS, passkey/WebAuthn, TOTP 2FA, anonymous, Google One-tap, Sign In With Ethereum, device authorization, username/password, captcha, password reset, session freshness.

OAuth

17 first-class providers: Apple, Atlassian, Discord, Dropbox, Figma, GitHub, GitLab, Google, LinkedIn, Microsoft, Notion, Reddit, Slack, Spotify, Twitch, Twitter/X, Zoom. Plus a generic OIDC factory for anything else.

MCP OAuth 2.1

Authorization server for the Model Context Protocol. PKCE S256, RFC 9728 / 8707 / 8414 / 7591.

Enterprise

Organizations with RBAC, SAML 2.0 and OIDC SSO, admin controls (ban/impersonate), API key management, SCIM directory sync, multi-tenant isolation, GDPR export/delete/anonymize, compliance reports for EU AI Act, NIST, SOC 2, ISO 42001.

Runs on the edge

Works on Cloudflare Workers, Deno, and Bun without code changes. Three runtime dependencies: drizzle-orm, jose, zod.

Security

Rate limiting per agent and per IP, HIBP password breach checking, CSRF protection, httpOnly secure cookies, email enumeration prevention, trusted device windows, signed expiring reset tokens, session freshness enforcement.

Performance

The policy engine hits 2.6M warm-cache evals/sec with a p99 of 500ns. Cold paths stay under 0.3ms p99 on direct permissions, RBAC role expansion, and ReBAC graph lookups. Numbers from pnpm bench on the policy-engine suite in packages/core/bench/, reproducible locally.


Install

npm install kavachos

Quick start

import { createKavach } from "kavachos";
import { emailPassword } from "kavachos/auth";
import { createHonoAdapter } from "@kavachos/hono";
import { Hono } from "hono";

const kavach = createKavach({
  database: { provider: "sqlite", url: "kavach.db" },
  plugins: [emailPassword()],
});

// Mount on any framework
const app = new Hono();
app.route("/api/kavach", createHonoAdapter(kavach));

// Create an AI agent with scoped permissions
const agent = await kavach.agent.create({
  ownerId: "user-123",
  name: "github-reader",
  type: "autonomous",
  permissions: [
    { resource: "mcp:github:*", actions: ["read"] },
    {
      resource: "mcp:deploy:production",
      actions: ["execute"],
      constraints: { requireApproval: true },
    },
  ],
});

// Authorize and audit (< 1ms)
const result = await kavach.authorize(agent.id, {
  action: "read",
  resource: "mcp:github:repos",
});
// { allowed: true, auditId: "aud_..." }

Cloudflare Workers + D1 example

import { createKavach } from "kavachos";
import { Hono } from "hono";

type Env = { KAVACH_DB: D1Database };
const app = new Hono<{ Bindings: Env }>();

app.get("/health", async (c) => {
  const kavach = await createKavach({
    database: { provider: "d1", binding: c.env.KAVACH_DB },
  });

  const agent = await kavach.agent.create({
    ownerId: "user-1",
    name: "my-agent",
    type: "autonomous",
    permissions: [{ resource: "mcp:github:*", actions: ["read"] }],
  });

  return c.json({ agent });
});

export default app;
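
How a default-deny check over the permission entries from the quick start can work, as an added TypeScript example that is not KavachOS source code. The `resourceMatches` and `evaluate` helpers, the segment-wise wildcard semantics, and the `needs_approval` outcome are assumptions for illustration; the library's real matcher may differ.

```typescript
// Added illustration, not KavachOS source. Matching semantics are assumed.
type Permission = {
  resource: string;
  actions: string[];
  constraints?: { requireApproval?: boolean };
};
type Outcome = "allow" | "deny" | "needs_approval";

// Segment-wise match on ":"-delimited names. "*" matches exactly one segment,
// except as the final pattern segment, where it matches one or more.
function resourceMatches(pattern: string, resource: string): boolean {
  const p = pattern.split(":");
  const r = resource.split(":");
  for (let i = 0; i < p.length; i++) {
    // The resource ran out of segments, or has an empty one: no match.
    if (r[i] === undefined || r[i] === "") return false;
    if (p[i] === "*") {
      if (i === p.length - 1) return true; // trailing wildcard covers the rest
      continue;
    }
    // Compare whole segments, never prefixes: "github" must not match "githubx".
    if (p[i] !== r[i]) return false;
  }
  return p.length === r.length;
}

// Default deny: an action is permitted only when some grant names it.
function evaluate(perms: Permission[], action: string, resource: string): Outcome {
  const hits = perms.filter(
    (perm) => perm.actions.includes(action) && resourceMatches(perm.resource, resource),
  );
  if (hits.length === 0) return "deny";
  // If several grants match, the strictest constraint wins.
  const gated = hits.some((h) => h.constraints?.requireApproval === true);
  return gated ? "needs_approval" : "allow";
}

// Constructed sample: the two grants from the quick start.
const quickStartPerms: Permission[] = [
  { resource: "mcp:github:*", actions: ["read"] },
  {
    resource: "mcp:deploy:production",
    actions: ["execute"],
    constraints: { requireApproval: true },
  },
];
```

Under these assumed semantics, `evaluate(quickStartPerms, "read", "mcp:githubx:repos")` is a deny, which is the case a naive string-prefix matcher gets wrong.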

Packages

Core

| Package | What it does |
| --- | --- |
| kavachos | Core SDK: agents, permissions, delegation, audit, auth plugins |
| @kavachos/client | TypeScript REST client, no dependencies |
| @kavachos/cli | kavach init, kavach migrate, kavach dashboard |
| @kavachos/dashboard | Embeddable React admin UI |
| @kavachos/gateway | Auth proxy with rate limiting |

Client libraries

| Package | What it does |
| --- | --- |
| @kavachos/react | KavachProvider + hooks |
| @kavachos/vue | Vue 3 plugin + composables |
| @kavachos/svelte | Svelte stores |
| @kavachos/ui | Sign-in, sign-up, user button components |
| @kavachos/expo | React Native / Expo with SecureStore |
| @kavachos/electron | Electron with safeStorage + OAuth popup |
| @kavachos/test-utils | Mocks, factories, test assertions |

Framework adapters

| Package | Framework |
| --- | --- |
| @kavachos/hono | Hono |
| @kavachos/express | Express |
| @kavachos/nextjs | Next.js (App Router) — bundles the agent-management runtime |
| @kavachos/nextjs-auth | Next.js adapter for external auth backends — getServerSession, withAuth middleware, cookie + CSRF + token rotation |
| @kavachos/fastify | Fastify |
| @kavachos/nuxt | Nuxt |
| @kavachos/sveltekit | SvelteKit |
| @kavachos/astro | Astro |
| @kavachos/nestjs | NestJS |
| @kavachos/solidstart | SolidStart |
| @kavachos/tanstack | TanStack Start |

Database adapters

Core ships with SQLite, Postgres, MySQL, and Cloudflare D1 providers built in. Use the Prisma adapter when your app already owns a PrismaClient and you want KavachOS to share the same connection.

| Package | What it does |
| --- | --- |
| @kavachos/prisma | Prisma adapter, pass a PrismaClient as the KavachOS database |

UI components

If you want ready-made forms, @kavachos/ui has them. Override styling with classNames, swap sub-components, or skip the package entirely and use hooks from @kavachos/react.

import { SignIn, OAUTH_PROVIDERS } from "@kavachos/ui";

<SignIn
  providers={[OAUTH_PROVIDERS.google, OAUTH_PROVIDERS.github]}
  showMagicLink
  signUpUrl="/sign-up"
  forgotPasswordUrl="/forgot-password"
  onSuccess={() => router.push("/dashboard")}
/>;

Plugins

Everything is a plugin. Auth methods, security features, integrations. Turn on what you need:

import { createKavach } from "kavachos";
import {
  emailPassword,
  magicLink,
  passkey,
  totp,
  organizations,
  sso,
  admin,
  apiKeys,
  jwtSession,
} from "kavachos/auth";

const kavach = createKavach({
  database: { provider: "postgres", url: process.env.DATABASE_URL },
  plugins: [
    emailPassword({
      passwordReset: {
        sendResetEmail: async (email, url) => {
          /* your email sender */
        },
      },
    }),
    magicLink({
      sendMagicLink: async (email, url) => {
        /* your email sender */
      },
    }),
    passkey(),
    totp(),
    organizations(),
    sso(),
    admin(),
    apiKeys(),
    jwtSession({ secret: process.env.JWT_SECRET }),
  ],
});

Docs

docs.kavachos.com


KavachOS Cloud

KavachOS Cloud is the hosted version. Dashboard, billing, no infrastructure.

| | Free | Starter | Growth | Scale | Enterprise |
| --- | --- | --- | --- | --- | --- |
| MAU | 1,000 | 10,000 | 50,000 | 200,000 | Custom |
| Price | $0 | $29/mo | $79/mo | $199/mo | Custom |

All plans include MCP OAuth 2.1, agent identity, delegation, trust scoring, and compliance reports.

Start free · Pricing · Self-host instead


Contributing

See CONTRIBUTING.md.

Support

License

MIT


A GLINCKER LLC open source project