Every auth library carries the same story arc. You install it, ship a prototype, grow a real user base, and then spend the next year patching token rotation, session edge cases, and OAuth callbacks that broke after a minor version bump.
kavachOS started because that story is worse for AI agents. A login form assumes a human is on the other end of the wire. Agent code does not take that shape. It chains calls, spawns helpers, holds delegated power from a person who is long asleep. No auth library we tried had a model for that. Agents were always retrofitted as service accounts or bare API keys.
01
What's included
kavachOS ships 12 human auth methods out of the box: email and password, magic links, TOTP, passkeys, GitHub, Google, and others. Every project gets a tenant-isolated database. Your users' data never shares a table with another customer's.
For AI agents specifically, you get:
- Agent identity with scoped permissions and delegation chains. An agent can act for a user without inheriting the user's full access.
- MCP OAuth 2.1, compliant with RFC 9728, 8707, 8414, and 7591, so any MCP client can authenticate against your endpoints.
- Audit trail on every agent action. You can reconstruct exactly what happened, in what order, and which agent was responsible.
- Rate limiting per agent identity, not per IP.
The dashboard handles user management (search, ban, delete, view sessions and audit trail per user), API key management with scope controls, and usage metrics by auth method. Full reference lives under the quickstart guide.
02
The agent problem in practice
Say you're building a coding assistant. Users authorize it to access their GitHub. The assistant spins up sub-agents: one searches code, one opens pull requests, one writes comments. Each of those needs scoped permission that traces back to the original user's authorization. Not one API key that can touch everything.
With kavachOS, you model this as a delegation chain. The user authorizes the parent agent. The parent creates children with narrower scopes via kavachos.agents.delegate(). Every call every agent makes logs to the audit trail with the full chain visible. See delegation chains for the wire format and depth limits.
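The narrowing rule a delegation chain has to enforce, as an added example (not kavachOS source code or its wire format). It assumes colon-delimited scopes in which a scope covers only itself and longer scopes that extend it at a segment boundary, matching the `read:repos` to `read:repos:search` step used in this post; `checkDelegation`, the grant fields and the depth limit of 3 are hypothetical.

```javascript
// Added illustration, not kavachOS source. Assumed scope semantics: a
// colon-delimited scope covers itself and any scope extending it by a segment.
function covers(held, requested) {
  return requested === held || requested.startsWith(held + ':');
}

// Hypothetical pre-issue check for a delegation request.
// parent:  { id, permissions, expiresAt (ms epoch), depth }
// request: { permissions, ttlMs }
function checkDelegation(parent, request, now, maxDepth) {
  if (parent.expiresAt <= now) {
    return { ok: false, reason: 'parent grant expired' };
  }
  if (parent.depth + 1 > maxDepth) {
    return { ok: false, reason: 'depth limit exceeded' };
  }
  if (request.permissions.length === 0) {
    return { ok: false, reason: 'empty scope set' };
  }
  // Every requested scope must be covered by one the parent already holds.
  const widened = request.permissions.filter(
    (p) => !parent.permissions.some((held) => covers(held, p))
  );
  if (widened.length > 0) {
    return { ok: false, reason: 'scope not held by parent: ' + widened.join(', ') };
  }
  // A child grant never outlives its parent: clamp the expiry.
  const expiresAt = Math.min(now + request.ttlMs, parent.expiresAt);
  const permissions = [...request.permissions];
  return { ok: true, grant: { parentId: parent.id, permissions, expiresAt, depth: parent.depth + 1 } };
}

// Constructed sample data: a parent agent holding read:repos for one hour.
const NOW = 1700000000000;
const MIN = 60000;
const searchAgent = { id: 'agent-1', permissions: ['read:repos'], expiresAt: NOW + 60 * MIN, depth: 1 };
const ask = (permissions, ttlMs) => checkDelegation(searchAgent, { permissions, ttlMs }, NOW, 3);

const narrowed = ask(['read:repos:search'], 30 * MIN);   // allowed
const escalated = ask(['write:repos'], 30 * MIN);        // rejected: scope the parent lacks
const lookalike = ask(['read:repos-private'], 30 * MIN); // rejected: not a sub-segment
const longLived = ask(['read:repos'], 8 * 60 * MIN);     // allowed, expiry clamped
console.log(narrowed.ok, escalated.reason, lookalike.ok, longLived.grant.expiresAt - NOW);
```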
03
Getting started
Install the SDK:
```bash
npm install kavachos
# or
pip install kavachos
```

Create a project at app.kavachos.com/sign-up. You get an API key in under 30 seconds. Then:
```js
import { createKavach } from 'kavachos';

const kavach = createKavach({
  apiKey: process.env.KAVACHOS_API_KEY,
});

// Sign in a human
const session = await kavach.auth.signIn({
  email: 'user@example.com',
  password: 'their-password',
});

// Create an agent identity
const agent = await kavach.agents.create({
  name: 'search-agent',
  permissions: ['read:repos'],
  delegatedFrom: session.userId,
});

// Delegate to a sub-agent
const subAgent = await kavach.agents.delegate({
  from: agent.id,
  permissions: ['read:repos:search'],
  ttl: '30m',
});
```

Want to ship MCP OAuth instead? The MCP OAuth guide has a complete, drop-in example for Cloudflare Workers and Hono.
04
Pricing
We undercut Auth0 and Clerk by a wide margin.
| Tier | MAU | Monthly |
|---|---|---|
| Free | 1,000 | $0 |
| Starter | 10,000 | $29 |
| Growth | 50,000 | $79 |
| Scale | 200,000 | $199 |
Auth0 charges around $228 a month for 10,000 MAU on their paid plan. Clerk starts at $25 for 10,000 MAU but bills per organization and has no agent support. We come in five to ten times cheaper at scale. The features most vendors reserve for enterprise pricing, including agent identity and MCP OAuth, are included on every plan.
The free tier is generous enough to ship a real side project: 1,000 MAU, unlimited agents, seven-day audit history, no credit card.
05
What's open source
The core library (kavachos on npm and PyPI) is MIT licensed. Everything in the SDK: the auth methods, agent identity model, MCP OAuth implementation, session management. Self-host the whole thing.
kavachOS Cloud is the managed layer: multi-tenant hosting, the dashboard, billing, usage metering, and the platform API. If you are comfortable running Cloudflare Workers and D1 databases, you do not need us. If you would rather not, $29 a month is cheaper than the engineering time.