Name: KavachOS
Author: KavachOS

KavachOS supports multiple authentication methods for the humans who own and manage agents. Each method is a plugin you opt into — use only what your app needs.

If you already have Clerk, Auth.js, or better-auth managing sign-in, skip plugins entirely and use an auth adapter instead.

Auth methods

Email and password

Magic link

Passwordless sign-in: send a one-time link to the user's email.

Email OTP

Six-digit one-time codes delivered via email.

Passkey

WebAuthn/FIDO2 biometric and hardware key sign-in.

Two-factor auth

TOTP authenticator app support with backup codes.

OAuth providers

Google

GitHub

Apple

Discord

Slack

Microsoft

GitLab

How plugins work

Pass plugins to createKavach(). Each plugin registers its own routes, database tables, and session logic:

lib/kavach.ts

import { createKavach } from '@kavachos/core';
import { emailPassword } from '@kavachos/core/plugins/email-password';
import { oauth } from '@kavachos/core/plugins/oauth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    emailPassword(),
    oauth({
      providers: [
        { id: 'google', clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! },
        { id: 'github', clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! },
      ],
    }),
  ],
});

Once a user signs in, resolve their identity from any request:

const user = await kavach.auth.resolveUser(request);

if (!user) {
  return new Response('Unauthorized', { status: 401 });
}

// user.id is the stable owner ID for creating agents

Authentication