What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

Hono quickstart

Hono. Workers. Global edge.

The Hono adapter is the reference runtime for kavachOS. Every other adapter is measured against it.

HonoCloudflare · Deno · Bun · Nodeships today

Install

Install the core library and the Hono adapter in one step.

terminalbash

pnpm add kavachos @kavachos/hono

Configure the auth module

Hono runs anywhere Web Fetch runs, and kavachOS is built on Web Crypto. Pick your database adapter, your providers, and go.

src/auth.tsts

import { createAuth } from "kavachos";
import { honoAdapter } from "@kavachos/hono";
import { d1Adapter } from "kavachos/adapters/d1";

export function buildAuth(env: Env) {
  const auth = createAuth({
    secret: env.KAVACHOS_SECRET,
    baseUrl: env.APP_URL,
    database: d1Adapter(env.DB),
    providers: [
      { id: "github", clientId: env.GITHUB_ID, clientSecret: env.GITHUB_SECRET },
    ],
  });
  return honoAdapter(auth);
}

Mount the routes

The adapter mounts sign-in, callback, session, and sign-out under /auth. Everything else is yours.

src/index.tsts

import { Hono } from "hono";
import { buildAuth } from "./auth";

const app = new Hono<{ Bindings: Env }>();

app.route("/auth", (c) => buildAuth(c.env).router());

app.use("/dashboard/*", async (c, next) => {
  const auth = buildAuth(c.env);
  const session = await auth.session(c.req.raw);
  if (!session) return c.redirect("/auth/sign-in");
  c.set("session", session);
  return next();
});

app.get("/dashboard", (c) => c.text(`hi ${c.get("session").user.name}`));

export default app;

Issue an agent token

Mint a short-lived delegation token for an AI agent scoped to a single audience.

src/agents.tsts

app.post("/agents", async (c) => {
  const auth = buildAuth(c.env);
  const session = await auth.session(c.req.raw);
  if (!session) return c.text("unauthorized", 401);

  const agent = await auth.agents.create({
    parent: session.subject.id,
    name: "research.assistant",
    scopes: ["tools:call:search"],
    ttl: "15m",
  });
  const token = await auth.agents.issueToken(agent.id, {
    audience: "https://your.mcp.server",
  });
  return c.json({ token });
});

What is next

You have a working flow. Now pick the next layer based on what you are building: agent identity, MCP OAuth, SCIM, or enterprise SSO.

· Full identity model. Read concepts.
· Agent delegation. AI agents guide.
· MCP tool servers. MCP OAuth 2.1 guide.