Identity for agents. Sessions for humans. An audit trail for every delegation between them. OAuth 2.1 and MCP are built in.
Cloud launching May 2026. Library is MIT, TypeScript, edge-native, zero deps.
import { createKavach } from "kavachos";
const kavach = createKavach({ db: env.DB });
const token = await kavach.agents.issueToken({
agentId: "agent_claude_writer",
scopes: ["read:web", "write:storage"],
ttl: "1h",
});·Dashboard preview
Sample data · Real product ships with cloud launch
·THE NAME
कवच is Sanskrit for armor. In the Mahabharata, Karna was born wearing his: golden plates fused to his skin, part of him from the start.
That image stuck. Not something you strap on in the morning. Something you're built with.
So kavachOS. Kavach plus OS. Identity, tokens, and delegation that live inside your auth layer, not beside it.
01/INSTALL
Run one install command. Import and call. No SDK dashboard, no config wizard, no mandatory signup.
Framework adapters wire the pieces together. Your routes get type-safe session and agent context out of the box.
Ships to Cloudflare Workers, Deno Deploy, and Bun. Core has zero Node APIs, so it runs wherever fetch does.
import { createKavach } from "kavachos";
const kavach = createKavach({ db: env.DB });
// Issue a scoped token for an agent
const token = await kavach.agents.issueToken({
agentId: "agent_scraper_01",
scopes: ["read:web", "write:storage"],
expiresIn: "1h",
});
console.log(token.jwt); // standard JWT, verifiable anywhere02/WHAT IT DOES
AGENT IDENTITY
Every agent gets its own short-lived JWT with exact resource scopes. Delegation chains track who asked whom. Trust scores drift with behavior so you can rotate, revoke, or re-scope without losing audit.
Learn moreHUMAN SESSIONS
WebAuthn, passkeys, magic links, and the OAuth providers you already know. Session cookies with CSRF and rotation, MFA, recovery codes, and account impersonation guards. Same primitives your agents use.
Learn moreMCP OAUTH 2.1
RFC 9728 for protected resource metadata, 8707 for resource indicators, 8414 for authorization server metadata, 7591 for dynamic client registration. Your MCP tool server gets real OAuth, not a bearer-token shim.
Learn more·WORKS WITH THE STACK YOU ALREADY USE
Adapters for Hono, Next.js, Remix, Astro, Elysia, Express. Or drop in the framework-free core and wire it yourself.
03/WHY KAVACHOS
We make Identity the root entity. Humans and agents share the same audit log, the same permission model, the same delegation chain.
Versus
human-first; agents bolt on later
RFC 9728, 8707, 8414, 7591 implemented in core. Your MCP tool server gets real OAuth, not a bearer-token shim.
Versus
no MCP primitives
MIT-licensed library that runs anywhere. Managed cloud exists for teams that would rather not operate it. It is never required.
Versus
closed-source SaaS
Every comparison includes a migration checklist and a test matrix. If you are on a different library, there is probably a guide.
Browse all comparisonsProduct names are trademarks of their respective owners. Comparisons based on public documentation as of 2026-04-17.
04/PROOF
Trust on a marketing page is cheap. These links go to the source.
In the open
kavachos/kavachosTrust and legal
DPALicense
MIT
Core library is open source. No commercial restrictions.
Compliance
SOC 2 Type I: Q3 2026
Type II report targeting Q2 2027. Current posture in the security page.
Sub-processors
05/QUESTIONS
Filter by category. For anything not here, the docs have a full reference.
A TypeScript library for agent identity, human sessions, and delegation between them. It issues real OAuth 2.1 tokens, keeps an audit trail, and runs at the edge on Cloudflare Workers, Deno, and Bun. You import it like any other npm package.
MIT licensed and free forever. A managed cloud tier is coming for hosting, dashboards, and team billing. Until then, run it self-hosted against D1 or any SQLite/Postgres instance.
The core package has zero Node.js-specific APIs. It uses Web Crypto, Uint8Array, and standard fetch, so it runs in any edge runtime. Cloudflare Workers, Deno Deploy, Bun. No server required beyond whatever handles your requests.
Yes. Adapters exist for Next.js (App Router and Pages), Hono, Express, Fastify, and Elysia. Each wraps the core with the framework's native Request/Response. For anything else, the raw core works with any standard Request object.
Better-Auth and Clerk are human-first. They give you OAuth providers, magic links, and session cookies. KavachOS makes Identity the root primitive and treats agents as first-class, with scoped tokens and delegation chains. It also implements RFC 9728, 8707, 8414, and 7591 for MCP servers. The others do not.
Target is May 2026. Early access opens in the weeks before launch and those members lock the launch pricing for 12 months. The library is MIT and ships today. Join early access for the launch email.
? Still have a question.
05/INSTALL
Install the MIT library today and self-host. Or get on the cloud waitlist and we'll handle hosting, team billing, and compliance at launch.
MIT library is free forever. Cloud is pay-as-you-go after 1,000 MAU.