What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

·HUMAN SESSIONS

Passwordless,
by default.

Passkeys, magic links, OAuth, SAML. Every modern auth method, one API. Your users stop memorizing passwords. You stop reporting breaches.

Read the guide Back to overview

Use passkey for KavachOS

Touch ID required for user_alice@acme.co

Cancel

Continue

The last password you'll ever ship

Every password is a future breach.

The average human reuses six passwords across their digital life. Passkeys end that.

Passkeys, first-class.

WebAuthn with FIDO2 is the default. Touch ID, Face ID, and Windows Hello all work through one API. Magic link is the fallback when the platform can't do biometrics.

Use passkey for KavachOS

Touch ID required for user_alice@acme.co

Cancel

Continue

Every OAuth provider, ready.

27 providers pre-wired. Google, GitHub, Apple, Microsoft, LinkedIn, Discord, Slack, plus regional players. One adapter interface to add your own in 40 lines.

oauth · providers27 wired

GGoogle

GGitHub

AApple

MMicrosoft

LLinkedIn

DDiscord

SSlack

NNotion

FFigma

+ 18 moreadd your own →

Session rotation you don't think about.

Cookies rotate on privilege change, IP jump, or stale inactivity. CSRF double-submit out of the box. Revocation propagates edge-wide in under 500ms.

session · user_alicerotating