What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

00/Founder

Built by one person,
shipping in public.

Hi. GDS K S here. I built kavachOS because the auth tools I wanted for AI agents did not exist. Every other library treats humans as the default identity and agents as an afterthought. That is backwards for where software is going, so I started writing the primitives I wished existed.

The library is MIT and stable. The cloud is launching in May 2026. I answer my own email, I read every issue, and I will tell you the truth about what works and what's still rough. If that's the kind of vendor you want, we're a fit.

01/What has shipped

The version history, in public.

Dates are real. Tags tell you what got touched. If a milestone is labeled saffron, it means it's happening now or next. Muted means it's on the list but not yet committed to a date.

2025 Q4
kavachos on npm
MIT licensed. OAuth 2.1, MCP, agent identity, seven framework adapters. First real users install it.
librarymit
2026 Q1
Marketing site and docs
Full comparison pages, product pages, eleven blog posts. Nothing generic: every page has a specific take.
sitecontent
2026 Q2
Cloud early access
Waitlist opens, cohorts onboarded one at a time. Target public launch May 2026.
cloudwaitlist
2026 H2
SOC 2 Type I, enterprise tier
Audit begins at launch. SSO, SAML, custom residency ship for Scale plan.
complianceenterprise

02/How I work

Four principles I don't negotiate on.

Principle / 01

Ship the hard thing

Most auth libraries stop at human sessions. Agents and delegation are the hard parts. They are the reason this exists.

Principle / 02

Write it like it'll be audited

RFC 9728, 8707, 8414, 7591 are implemented because the spec is the spec. If there's a corner case, the test covers it or the docs name it.

Principle / 03

No vanity metrics

I'm one person. I don't pretend to have 10,000 users. I tell you the real state and build the real thing next.

Principle / 04

Open source stays open

The library is MIT and will stay that way. The cloud pays for the dashboard, SLA, and support. Self-host is always an option.

A note for early customers

You're buying from a founder,
not a team of two hundred.

I will personally answer when something breaks. That is worse than some vendors and better than others. Know what you're signing up for.

If you need SOC 2 Type II on your procurement form today, we're probably not the right fit yet. Tell me anyway. Procurement cycles are long, and we might line up by the time you need to sign.

Open line founder@kavachos.com

I don't want to build the world's largest auth company. I want to build the one that agents and the people who write them can actually trust.

GDS K S · Founder· @thegdsks

Join early access Read the code on GitHub Read the docs

Built by one person,shipping in public.