What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

Guides and field notes.

Engineering deep dives, tutorials, and opinions on auth for AI agents.

AllMigrationDeep DiveEngineeringGuideTutorialReferenceComplianceComparisonEnterpriseLaunch

01/FEATURED

LaunchFeatured

Introducing kavachOS Cloud

Managed auth for AI agents and humans. Full agent identity, MCP OAuth 2.1, delegation chains, and audit trails without running your own infrastructure.

Gagan Deep SinghMarch 28, 20266 min read

02/ALL POSTS

Migration

Migrating from Auth0 to kavachOS: a step-by-step guide

A full walkthrough of moving a Next.js app off Auth0. Export users, swap SDKs, preserve sessions, and cut costs by 80 percent.

April 14, 20269 min read

Deep Dive

MCP OAuth 2.1 explained for every MCP server in 2026

The four RFCs that define MCP auth, why they matter, and a flow diagram you can actually read on a Tuesday.

April 12, 202610 min read

Engineering

Agent delegation chains: the pattern everyone gets wrong

Three wrong ways to let agents spawn helpers, and one model that keeps audit trails intact.

April 10, 20268 min read

Guide

Passkeys vs magic links: which should your SaaS ship in 2026?

A decision framework for teams picking their primary human auth method. Real trade-offs, not hype.

April 8, 20267 min read

Tutorial

How to add auth to a Next.js AI agent in ten minutes

A working app with user login, agent identity, and MCP OAuth in under ten minutes. Copy the code, ship it.

April 6, 20268 min read

Tutorial

Building an MCP tool server with auth, end to end

A full tutorial: scaffold the server, wire up OAuth, write tools, test with Claude. Complete code, no skipped steps.

April 4, 202615 min read

Reference

Every auth error code in kavachOS, and how to fix it

A searchable reference of 30 plus error codes, with the cause, the symptom, and the exact change you need.

April 2, 202612 min read

Compliance

What EU AI Act Article 13 requires, in plain English

The transparency rules that kick in for high-risk AI systems, and how kavachOS audit trails map to them.

March 31, 202610 min read

Comparison

Best open source auth libraries for AI agents (2026)

I needed auth for 50+ agents talking to MCP servers. Most libraries assume you're building a login page. Here's what actually worked.

March 30, 202612 min read

Enterprise

SCIM provisioning explained, and when you actually need it

Not every B2B SaaS needs SCIM. Here is how to tell, and how to ship it when the first enterprise buyer asks.

March 29, 20268 min read

Engineering

Why we chose Cloudflare Workers for kavachOS Cloud

A technical post-mortem on picking Workers over Node, AWS Lambda, and Fly. Trade-offs, cost math, latency wins.

March 27, 20266 min read

Engineering

Why AI agents need their own auth

User auth wasn't built for autonomous agents making API calls at 3am. Here's what's different.

March 25, 20265 min read