Auth for AI agents and humans. One library, both sides.
by GLINR STUDIOS · a GLINCKER LLC project
Most auth libraries stop at human sign-in. That leaves you stitching together separate systems when your AI agents need identity, scoped permissions, delegation, and audit trails. KavachOS handles both in one place.
Cryptographic bearer tokens (kv_...), wildcard permission matching, delegation chains with depth limits, budget policies, anomaly detection, and CIBA approval flows.
14 methods: email/password, magic link, email OTP, phone SMS, passkey/WebAuthn, TOTP 2FA, anonymous, Google One-tap, Sign In With Ethereum, device authorization, username/password, captcha, password reset, session freshness.
27+ providers out of the box. Google, GitHub, Apple, Microsoft, Discord, Slack, GitLab, LinkedIn, Twitter/X, Facebook, Spotify, Twitch, Reddit, Notion. There's also a generic OIDC factory if yours isn't listed.
Authorization server for the Model Context Protocol. PKCE S256, RFC 9728 / 8707 / 8414 / 7591.
Organizations with RBAC, SAML 2.0 and OIDC SSO, admin controls (ban/impersonate), API key management, SCIM directory sync, multi-tenant isolation, GDPR export/delete/anonymize, compliance reports for EU AI Act, NIST, SOC 2, ISO 42001.
Works on Cloudflare Workers, Deno, and Bun without code changes. Three runtime dependencies: drizzle-orm, jose, zod.
Rate limiting per agent and per IP, HIBP password breach checking, CSRF protection, httpOnly secure cookies, email enumeration prevention, trusted device windows, signed expiring reset tokens, session freshness enforcement.
```bash
npm install kavachos
```

```ts
import { Hono } from "hono";
import { createKavach } from "kavachos";
import { emailPassword } from "kavachos/auth";
import { createHonoAdapter } from "@kavachos/hono";

const kavach = createKavach({
  database: { provider: "sqlite", url: "kavach.db" },
  plugins: [emailPassword()],
});

// Mount on any framework
const app = new Hono();
app.route("/api/kavach", createHonoAdapter(kavach));

// Create an AI agent with scoped permissions
const agent = await kavach.agent.create({
  ownerId: "user-123",
  name: "github-reader",
  type: "autonomous",
  permissions: [
    { resource: "mcp:github:*", actions: ["read"] },
    {
      resource: "mcp:deploy:production",
      actions: ["execute"],
      constraints: { requireApproval: true },
    },
  ],
});

// Authorize and audit (< 1ms)
const result = await kavach.authorize(agent.id, {
  action: "read",
  resource: "mcp:github:repos",
});
// { allowed: true, auditId: "aud_..." }
```

Cloudflare Workers + D1 example
```ts
import { createKavach } from "kavachos";
import { Hono } from "hono";

type Env = { KAVACH_DB: D1Database };

const app = new Hono<{ Bindings: Env }>();

app.get("/health", async (c) => {
  const kavach = await createKavach({
    database: { provider: "d1", binding: c.env.KAVACH_DB },
  });
  const agent = await kavach.agent.create({
    ownerId: "user-1",
    name: "my-agent",
    type: "autonomous",
    permissions: [{ resource: "mcp:github:*", actions: ["read"] }],
  });
  return c.json({ agent });
});

export default app;
```

| Package | What it does |
|---|---|
| `kavachos` | Core SDK: agents, permissions, delegation, audit, auth plugins |
| `@kavachos/client` | TypeScript REST client, no dependencies |
| `@kavachos/cli` | `kavach init`, `kavach migrate`, `kavach dashboard` |
| `@kavachos/dashboard` | Embeddable React admin UI |
| `@kavachos/gateway` | Auth proxy with rate limiting |

| Package | What it does |
|---|---|
| `@kavachos/react` | `KavachProvider` + hooks |
| `@kavachos/vue` | Vue 3 plugin + composables |
| `@kavachos/svelte` | Svelte stores |
| `@kavachos/ui` | Sign-in, sign-up, user button components |
| `@kavachos/expo` | React Native / Expo with SecureStore |
| `@kavachos/electron` | Electron with safeStorage + OAuth popup |
| `@kavachos/test-utils` | Mocks, factories, test assertions |

| Package | Framework |
|---|---|
| `@kavachos/hono` | Hono |
| `@kavachos/express` | Express |
| `@kavachos/nextjs` | Next.js (App Router) |
| `@kavachos/fastify` | Fastify |
| `@kavachos/nuxt` | Nuxt |
| `@kavachos/sveltekit` | SvelteKit |
| `@kavachos/astro` | Astro |
| `@kavachos/nestjs` | NestJS |
| `@kavachos/solidstart` | SolidStart |
| `@kavachos/tanstack` | TanStack Start |

If you want ready-made forms, @kavachos/ui has them. Override styling with classNames, swap sub-components, or skip the package entirely and use hooks from @kavachos/react.
```tsx
import { SignIn, OAUTH_PROVIDERS } from "@kavachos/ui";

<SignIn
  providers={[OAUTH_PROVIDERS.google, OAUTH_PROVIDERS.github]}
  showMagicLink
  signUpUrl="/sign-up"
  forgotPasswordUrl="/forgot-password"
  onSuccess={() => router.push("/dashboard")}
/>;
```

Everything is a plugin. Auth methods, security features, integrations. Turn on what you need:
```ts
import { createKavach } from "kavachos";
import {
  emailPassword,
  magicLink,
  passkey,
  totp,
  organizations,
  sso,
  admin,
  apiKeys,
  jwtSession,
} from "kavachos/auth";

const kavach = createKavach({
  database: { provider: "postgres", url: process.env.DATABASE_URL },
  plugins: [
    emailPassword({
      passwordReset: {
        sendResetEmail: async (email, url) => {
          /* your email sender */
        },
      },
    }),
    magicLink({
      sendMagicLink: async (email, url) => {
        /* your email sender */
      },
    }),
    passkey(),
    totp(),
    organizations(),
    sso(),
    admin(),
    apiKeys(),
    jwtSession({ secret: process.env.JWT_SECRET }),
  ],
});
```

- Getting started
- Authentication
- Agent identity
- Permissions and delegation
- MCP OAuth 2.1
- Framework adapters
- API reference
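
The quickstart's two permission entries (`mcp:github:*` with `read`, and `mcp:deploy:production` with `requireApproval`) can be reasoned about with a small default-deny evaluator. This is an added example, not KavachOS source code: `Grant`, `Decision`, `resourceMatches`, `decide` and `riskyGrants` are hypothetical names, and both the single-segment meaning of `*` and the strictest-grant-wins rule are assumptions.

```typescript
// Added illustration, not KavachOS source. Models the quickstart's permission shape.
type Grant = {
  resource: string;
  actions: string[];
  constraints?: { requireApproval?: boolean };
};
type Decision = { allowed: boolean; needsApproval: boolean; matched: string[] };

// Constructed sample: the two grants from the quickstart agent.
const QUICKSTART_GRANTS: Grant[] = [
  { resource: "mcp:github:*", actions: ["read"] },
  { resource: "mcp:deploy:production", actions: ["execute"],
    constraints: { requireApproval: true } },
];

// Assumption: ":" separates segments and "*" stands for exactly one segment, so
// "mcp:github:*" covers "mcp:github:repos" but not "mcp:github-enterprise:repos".
function resourceMatches(pattern: string, resource: string): boolean {
  const p = pattern.split(":");
  const r = resource.split(":");
  return p.length === r.length && p.every((seg, i) => seg === "*" || seg === r[i]);
}

// Default deny; when several grants match, the strictest constraint wins (assumption).
function decide(grants: Grant[], action: string, resource: string): Decision {
  const hits = grants.filter(
    (g) => g.actions.includes(action) && resourceMatches(g.resource, resource),
  );
  const needsApproval = hits.some((g) => g.constraints?.requireApproval === true);
  return {
    allowed: hits.length > 0 && !needsApproval,
    needsApproval,
    matched: hits.map((g) => g.resource),
  };
}

// Review helper: grants worth a second look before they are issued to an agent.
function riskyGrants(grants: Grant[]): string[] {
  return grants
    .filter((g) => {
      const wildcardAboveLeaf = g.resource.split(":").slice(0, -1).includes("*");
      const unguardedExecute =
        g.actions.includes("execute") && g.constraints?.requireApproval !== true;
      return wildcardAboveLeaf || unguardedExecute;
    })
    .map((g) => g.resource);
}
```
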
KavachOS Cloud is the hosted version. Dashboard, billing, no infrastructure.
| | Free | Starter | Growth | Scale | Enterprise |
|---|---|---|---|---|---|
| MAU | 1,000 | 10,000 | 50,000 | 200,000 | Custom |
| Price | $0 | $29/mo | $79/mo | $199/mo | Custom |
All plans include MCP OAuth 2.1, agent identity, delegation, trust scoring, and compliance reports.
See CONTRIBUTING.md.
- SUPPORT.md for help
- SECURITY.md to report vulnerabilities
- CODE_OF_CONDUCT.md
A GLINCKER LLC open source project