KavachOS

Auth for AI agents and humans. One library, both sides.

by GLINR STUDIOS · a GLINCKER LLC project

Quickstart · Documentation · Examples · KavachOS Cloud

Why KavachOS

Most auth libraries stop at human sign-in. That leaves you stitching together separate systems when your AI agents need identity, scoped permissions, delegation, and audit trails. KavachOS handles both in one place.

Agent identity

Cryptographic bearer tokens (kv_...), wildcard permission matching, delegation chains with depth limits, budget policies, anomaly detection, and CIBA approval flows.

Human auth

14 methods: email/password, magic link, email OTP, phone SMS, passkey/WebAuthn, TOTP 2FA, anonymous, Google One-tap, Sign In With Ethereum, device authorization, username/password, captcha, password reset, session freshness.

OAuth

27+ providers out of the box. Google, GitHub, Apple, Microsoft, Discord, Slack, GitLab, LinkedIn, Twitter/X, Facebook, Spotify, Twitch, Reddit, Notion. There's also a generic OIDC factory if yours isn't listed.

MCP OAuth 2.1

Authorization server for the Model Context Protocol. PKCE S256, RFC 9728 / 8707 / 8414 / 7591.

Enterprise

Organizations with RBAC, SAML 2.0 and OIDC SSO, admin controls (ban/impersonate), API key management, SCIM directory sync, multi-tenant isolation, GDPR export/delete/anonymize, compliance reports for EU AI Act, NIST, SOC 2, ISO 42001.

Runs on the edge

Works on Cloudflare Workers, Deno, and Bun without code changes. Three runtime dependencies: drizzle-orm, jose, zod.

Security

Rate limiting per agent and per IP, HIBP password breach checking, CSRF protection, httpOnly secure cookies, email enumeration prevention, trusted device windows, signed expiring reset tokens, session freshness enforcement.

Install

npm install kavachos

Quick start

import { createKavach } from "kavachos";
import { emailPassword } from "kavachos/auth";
import { createHonoAdapter } from "@kavachos/hono";

const kavach = createKavach({
  database: { provider: "sqlite", url: "kavach.db" },
  plugins: [emailPassword()],
});

// Mount on any framework
const app = new Hono();
app.route("/api/kavach", createHonoAdapter(kavach));

// Create an AI agent with scoped permissions
const agent = await kavach.agent.create({
  ownerId: "user-123",
  name: "github-reader",
  type: "autonomous",
  permissions: [
    { resource: "mcp:github:*", actions: ["read"] },
    {
      resource: "mcp:deploy:production",
      actions: ["execute"],
      constraints: { requireApproval: true },
    },
  ],
});

// Authorize and audit (< 1ms)
const result = await kavach.authorize(agent.id, {
  action: "read",
  resource: "mcp:github:repos",
});
// { allowed: true, auditId: "aud_..." }

import { createKavach } from "kavachos";
import { Hono } from "hono";

type Env = { KAVACH_DB: D1Database };
const app = new Hono<{ Bindings: Env }>();

app.get("/health", async (c) => {
  const kavach = await createKavach({
    database: { provider: "d1", binding: c.env.KAVACH_DB },
  });

  const agent = await kavach.agent.create({
    ownerId: "user-1",
    name: "my-agent",
    type: "autonomous",
    permissions: [{ resource: "mcp:github:*", actions: ["read"] }],
  });

  return c.json({ agent });
});

export default app;

Packages

Core

Package	What it does
kavachos	Core SDK: agents, permissions, delegation, audit, auth plugins
@kavachos/client	TypeScript REST client, no dependencies
@kavachos/cli	kavach init, kavach migrate, kavach dashboard
@kavachos/dashboard	Embeddable React admin UI
@kavachos/gateway	Auth proxy with rate limiting

Client libraries

Package	What it does
@kavachos/react	KavachProvider + hooks
@kavachos/vue	Vue 3 plugin + composables
@kavachos/svelte	Svelte stores
@kavachos/ui	Sign-in, sign-up, user button components
@kavachos/expo	React Native / Expo with SecureStore
@kavachos/electron	Electron with safeStorage + OAuth popup
@kavachos/test-utils	Mocks, factories, test assertions

Framework adapters

Package	Framework
@kavachos/hono	Hono
@kavachos/express	Express
@kavachos/nextjs	Next.js (App Router)
@kavachos/fastify	Fastify
@kavachos/nuxt	Nuxt
@kavachos/sveltekit	SvelteKit
@kavachos/astro	Astro
@kavachos/nestjs	NestJS
@kavachos/solidstart	SolidStart
@kavachos/tanstack	TanStack Start

UI components

If you want ready-made forms, @kavachos/ui has them. Override styling with classNames, swap sub-components, or skip the package entirely and use hooks from @kavachos/react.

import { SignIn, OAUTH_PROVIDERS } from "@kavachos/ui";

<SignIn
  providers={[OAUTH_PROVIDERS.google, OAUTH_PROVIDERS.github]}
  showMagicLink
  signUpUrl="/sign-up"
  forgotPasswordUrl="/forgot-password"
  onSuccess={() => router.push("/dashboard")}
/>;

Plugins

Everything is a plugin. Auth methods, security features, integrations. Turn on what you need:

import { createKavach } from "kavachos";
import {
  emailPassword,
  magicLink,
  passkey,
  totp,
  organizations,
  sso,
  admin,
  apiKeys,
  jwtSession,
} from "kavachos/auth";

const kavach = createKavach({
  database: { provider: "postgres", url: process.env.DATABASE_URL },
  plugins: [
    emailPassword({
      passwordReset: {
        sendResetEmail: async (email, url) => {
          /* your email sender */
        },
      },
    }),
    magicLink({
      sendMagicLink: async (email, url) => {
        /* your email sender */
      },
    }),
    passkey(),
    totp(),
    organizations(),
    sso(),
    admin(),
    apiKeys(),
    jwtSession({ secret: process.env.JWT_SECRET }),
  ],
});

Docs

docs.kavachos.com

• Getting started
• Authentication
• Agent identity
• Permissions and delegation
• MCP OAuth 2.1
• Framework adapters
• API reference

KavachOS Cloud

KavachOS Cloud is the hosted version. Dashboard, billing, no infrastructure.

All plans include MCP OAuth 2.1, agent identity, delegation, trust scoring, and compliance reports.

Start free · Pricing · Self-host instead

Contributing

See CONTRIBUTING.md.

Support

• SUPPORT.md for help
• SECURITY.md to report vulnerabilities
• CODE_OF_CONDUCT.md

License

MIT

A GLINCKER LLC open source project