Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/MCP OAuth 2.1

Bearer tokens are not
authorization.

The Model Context Protocol shipped with a bearer-token handshake. That was enough to demo a chatbot. It is not enough to run a tool server in front of real data. kavachOS ships the real thing: a spec-compliant OAuth 2.1 authorization server you can put in front of any MCP endpoint in one import.

RFC 9728 · RFC 8707 · RFC 8414 · RFC 7591 · PKCE S256

01/The gap

Most MCP servers still ship a long password and call it OAuth.

What most ship

  • Single bearer token per server
  • No audience claim
  • No discovery endpoint
  • No scope enforcement
  • Rotation is manual

What kavachOS ships

  • RFC 9728 resource metadata in front of a spec-compliant authorization server
  • Audience-bound tokens per resource
  • /.well-known discovery out of the box
  • Scope grammar enforced server-side
  • Automatic rotation and revocation

02/What ships today

Five specs, implemented in the core.

Every one of these is table stakes for a serious authorization server. Rolling them yourself is two engineering quarters of work. kavachOS ships them as defaults.

RFC 9728

Protected resource metadata

Every MCP server publishes `/.well-known/oauth-protected-resource`: its own resource identifier and the authorization servers allowed to mint tokens for it. A 401 points the client straight at it.

RFC 8707

Resource indicators for OAuth 2.0

The `resource` parameter in authorization and token requests. Clients ask for a token bound to one specific MCP server, and the minted token carries that server as its audience. Replay against another server fails.

RFC 8414

Authorization server metadata

Clients hit `/.well-known/oauth-authorization-server` and learn every endpoint, scope, and method.

RFC 7591

Dynamic client registration

New MCP clients register themselves with a POST. No manual config per tenant.

PKCE S256

Proof key for code exchange

Authorization code with an S256 challenge is the only interactive grant. The implicit grant, which OAuth 2.1 removes, is never offered: `response_types_supported` lists `code` and nothing else.
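What audience binding and server-side scope enforcement look like at the point where they matter, the tool server checking a presented token, as an added example covering the gap list above and the RFC 8707 item. This is not kavachOS code. It signs with HS256 and a shared secret so it runs offline; a production authorization server would use an asymmetric key and publish a JWKS. The claim layout (`iss`, `aud`, `scope`, `exp`), the resource URLs and the secret are all constructed for the example.

```python
"""Audience-bound bearer token validation on an MCP tool server (added example).

HS256 with a shared secret is used only so the example runs without a
dependency; the claim names and all URLs below are assumptions."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"  # constructed; never ship a static secret like this


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer, resource, scopes, ttl=300, now=None):
    """What the AS does after an RFC 8707 `resource` request: bind `aud` to it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": resource, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenRejected(Exception):
    pass


def verify_token(token, *, issuer, this_resource, required_scope, now=None):
    """Resource-server check: signature, alg, issuer, audience, expiry, scope."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed")
    expected = hmac.new(SECRET, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")  # the key, not the token, decides the algorithm
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if this_resource not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")  # token minted for another MCP server
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise TokenRejected("expired")
    if required_scope not in set(claims.get("scope", "").split()):
        raise TokenRejected(f"missing scope {required_scope}")
    return claims


def handle_tools_call(authorization_header, *, issuer, this_resource, now=None):
    """Return (status, body) the way an MCP HTTP endpoint guarding tools/call would."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(authorization_header[len("Bearer "):], issuer=issuer,
                              this_resource=this_resource, required_scope="tools:call", now=now)
    except TokenRejected as exc:
        # RFC 6750: invalid token -> 401, valid token without the scope -> 403
        status = 403 if str(exc).startswith("missing scope") else 401
        return status, {"error": str(exc)}
    return 200, {"ok": True, "aud": claims["aud"]}
```

The audience check is the line that turns a long password into authorization: a token minted for `mcp-a` presented to `mcp-b` is rejected before any tool runs, and a token that is valid for this server but lacks `tools:call` gets a 403 instead of silently succeeding.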

03/Discovery

Every client learns your server in one request.

RFC 8414 gives MCP clients a single well-known endpoint that lists every authorization endpoint, every scope you support, every grant type, and every PKCE code-challenge method. Zero out-of-band config.

GET /.well-known/oauth-authorization-server

{
  "issuer": "https://auth.kavachos.com",
  "authorization_endpoint": ".../authorize",
  "token_endpoint": ".../token",
  "registration_endpoint": ".../register",
  "scopes_supported": ["tools:list", "tools:call", "resources:read"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "code_challenge_methods_supported": ["S256"]
}
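The client side of that discovery, from the first 401 through PKCE S256 and the RFC 8707 `resource` parameter, as an added example serving the RFC 9728, RFC 8414 and PKCE items above and this section. It is not kavachOS code or an MCP SDK routine. The two well-known documents and the `WWW-Authenticate` header are constructed stand-ins embedded inline so nothing touches the network; the hostnames, client id and redirect URI are assumptions.

```python
"""Client side of MCP OAuth 2.1 discovery (added example, not kavachOS code).

RFC 9728 resource metadata from a 401, RFC 8414 AS metadata, RFC 7636 PKCE S256,
RFC 8707 `resource` parameter. All URLs and documents below are constructed."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode, urlparse

MCP_SERVER = "https://mcp.example.test/mcp"   # the tool server the client called
AS_ISSUER = "https://auth.example.test"

# Constructed stand-ins for what the two servers would return.
RESPONSES = {
    "https://mcp.example.test/.well-known/oauth-protected-resource": {   # RFC 9728
        "resource": MCP_SERVER,
        "authorization_servers": [AS_ISSUER],
        "scopes_supported": ["tools:list", "tools:call", "resources:read"],
    },
    "https://auth.example.test/.well-known/oauth-authorization-server": {  # RFC 8414
        "issuer": AS_ISSUER,
        "authorization_endpoint": f"{AS_ISSUER}/authorize",
        "token_endpoint": f"{AS_ISSUER}/token",
        "registration_endpoint": f"{AS_ISSUER}/register",
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "refresh_token"],
        "code_challenge_methods_supported": ["S256"],
    },
}
# Constructed 401 header the MCP server returns to an unauthenticated call.
WWW_AUTHENTICATE = ('Bearer resource_metadata='
                    '"https://mcp.example.test/.well-known/oauth-protected-resource"')


def fetch_json(url):
    """Stand-in for an HTTPS GET; a real client must refuse plain http here too."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-https metadata URL {url}")
    if url not in RESPONSES:
        raise LookupError(f"no document at {url}")
    return RESPONSES[url]


def as_metadata_url(issuer):
    """RFC 8414 location: the well-known segment goes between host and issuer path."""
    u = urlparse(issuer)
    return f"{u.scheme}://{u.netloc}/.well-known/oauth-authorization-server{u.path.rstrip('/')}"


def discover(www_authenticate, mcp_server):
    """From a 401 to validated AS metadata, checking each document names what we expect."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not m:
        raise ValueError("401 carried no resource_metadata hint")
    prm = fetch_json(m.group(1))
    # RFC 9728: the document must describe the server we actually called, otherwise
    # a hostile server could steer us to its own AS while we think we talk to ours.
    if prm["resource"] != mcp_server:
        raise ValueError(f"resource metadata is for {prm['resource']}, not {mcp_server}")
    issuer = prm["authorization_servers"][0]
    asm = fetch_json(as_metadata_url(issuer))
    if asm["issuer"] != issuer:
        raise ValueError("issuer in AS metadata does not match the URL it was fetched from")
    if "S256" not in asm.get("code_challenge_methods_supported", []):
        raise ValueError("AS does not offer PKCE S256; refusing to proceed")
    if "code" not in asm.get("response_types_supported", []):
        raise ValueError("AS does not offer the authorization code flow")
    return prm, asm


def pkce_challenge(verifier):
    """RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    verifier = secrets.token_urlsafe(32)   # 43 unreserved characters
    return verifier, pkce_challenge(verifier)


def build_authorization_url(asm, *, client_id, redirect_uri, resource, scopes, state, challenge):
    """Authorization request carrying the RFC 8707 `resource` the token must be bound to."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256", "resource": resource}
    return f"{asm['authorization_endpoint']}?{urlencode(params)}"


def token_request_body(*, code, verifier, client_id, redirect_uri, resource):
    """Token exchange repeats `resource`; the AS derives `aud` from it."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier, "resource": resource}


def as_verify_pkce(stored_challenge, presented_verifier):
    """What the AS does at /token: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(stored_challenge, pkce_challenge(presented_verifier))
```

Two checks in `discover` are the ones clients most often skip: the `resource` in the protected-resource document must equal the server that sent the 401, and the `issuer` in the AS document must equal the issuer the URL was derived from. Without them a malicious MCP server can redirect a client's login to an authorization server of its choosing.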
Working principle: a token without audience binding, scopes, or discovery is a long password.

04/Clients

Works with every MCP client on the market.

We implement the specs the MCP authorization specification requires. Anything that speaks MCP speaks kavachOS.

Claude Desktop
Claude web and API
OpenAI Agents SDK
LangChain MCP
LlamaIndex MCP
Any client that does RFC 9728 discovery

Wire your MCP server with real authorization.

One import between your tool server and any MCP client. OAuth 2.1 just works.