
MCP OAuth 2.1

Spec-compliant. Out of the box.

Four RFCs. A complete OAuth 2.1 authorization server. Your MCP tool server gets real token issuance, discovery, and scope enforcement. Not a bearer-token shim.

[Dashboard mock: MCP servers (RFC 9728): Notion connected · Linear connected · Figma pending · GitHub connected · Slack connected · 5 servers, 4 authorized · OAuth 2.1 ✓]

Most MCP servers don't actually do OAuth

Bearer tokens aren't authorization.

A token without audience binding, scopes, or discovery is just a long password.

RFC 9728

Discovery built in.

Clients hit /.well-known/oauth-authorization-server once. They learn every endpoint, scope, grant type, and challenge method you support. Zero out-of-band config.

GET /.well-known/oauth-authorization-server → 200 OK
{
  "issuer": "https://auth.kavachos.com",
  "authorization_endpoint": ".../authorize",
  "token_endpoint": ".../token",
  "registration_endpoint": ".../register",
  "scopes_supported": ["tools:list", "tools:call", "resources:read"],
  "code_challenge_methods_supported": ["S256"]
}
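What a client should do with that document before trusting it: check it the way RFC 8414 section 3.3 requires (issuer equals the one you asked for), require https endpoints on the issuer's host, and refuse servers that do not advertise the code grant with PKCE S256. The following is an added example, not KavachOS code; the metadata is a constructed sample modelled on the page, and the issuer and host names are made up.

```python
import json
from urllib.parse import urlparse

# Constructed sample metadata modelled on the page; not fetched from any server.
SAMPLE_METADATA = {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/authorize",
    "token_endpoint": "https://auth.example.test/token",
    "registration_endpoint": "https://auth.example.test/register",
    "scopes_supported": ["tools:list", "tools:call", "resources:read"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "response_types_supported")


def metadata_with(**overrides) -> str:
    """Serialise the sample with some fields changed (used to build bad documents)."""
    doc = dict(SAMPLE_METADATA)
    doc.update(overrides)
    return json.dumps(doc)


def validate_metadata(doc: str, expected_issuer: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    try:
        md = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    if not isinstance(md, dict):
        return ["metadata is not a JSON object"]
    problems = [f"missing required field {k!r}" for k in REQUIRED if k not in md]
    if problems:
        return problems
    # RFC 8414 section 3.3: the issuer in the document must equal the one the
    # client used to locate it, or the document could belong to another server.
    if md["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {md['issuer']!r} != {expected_issuer!r}")
    issuer = urlparse(md["issuer"])
    if issuer.scheme != "https" or issuer.query or issuer.fragment:
        problems.append("issuer must be an https URL with no query or fragment")
    # Endpoints must be https; one hosted elsewhere would send codes or tokens
    # to a host the client never intended to talk to.
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if key not in md:
            continue
        ep = urlparse(md[key])
        if ep.scheme != "https":
            problems.append(f"{key} is not https: {md[key]}")
        elif ep.netloc != issuer.netloc:
            problems.append(f"{key} host {ep.netloc!r} differs from issuer host")
    # OAuth 2.1 / MCP: authorization code with PKCE S256 only, no implicit grant.
    rts = md["response_types_supported"]
    if "code" not in rts:
        problems.append("server does not support response_type=code")
    if "token" in rts:
        problems.append("server advertises the implicit grant (response_type=token)")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        problems.append("server does not advertise PKCE method S256")
    return problems
```

Returning a list of problems rather than raising on the first one lets you log every deviation from the expected document in one audit entry; the caller treats a non-empty list as "do not connect".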

RFC 8707

Audience-bound tokens.

Every token includes a resource indicator. A token minted for Notion's MCP cannot be replayed against yours. The tool server verifies `aud` on every call.

access token · decoded · JWS · ES256
HEADER
{ "alg": "ES256" }
PAYLOAD
{
  "sub": "agent_claude_writer",
  "aud": "https://your.mcp.server",
  "scope": "tools:call:search",
  "exp": 1776472800
}
audience bound · non-replayable
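The resource-server side of the check above, as an added example (not KavachOS code): parse the compact JWS, verify the signature, then reject on audience, expiry and scope before the tool runs. Python's standard library has no ECDSA, so this stand-in signs with HS256 (HMAC) under a shared key instead of the ES256 shown on the page; the claim checks are the same for either algorithm. The key, subject and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key: bytes, sub: str, aud: str, scope: str, exp: int,
               alg: str = "HS256") -> str:
    """Issue a constructed token. HS256 stands in for the server's ES256 JWS;
    `alg` is parameterised only so the verifier's algorithm pinning can be shown."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "aud": aud, "scope": scope, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, key: bytes, expected_aud: str, required_scope: str,
                 now=None):
    """Return (ok, reason); on rejection `reason` is the audit event name."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed_token"
    # Pin the algorithm to what this issuer actually signs with; never let the
    # token header choose it (that is the classic alg-confusion mistake).
    if header.get("alg") != "HS256":
        return False, "alg_not_allowed"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    # RFC 8707 audience binding: a token minted for another resource server
    # is valid for that server, and only that server.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "audience_mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token_expired"
    if required_scope not in str(payload.get("scope", "")).split():
        return False, "insufficient_scope"
    return True, "ok"
```

The order matters: signature first, so that an unsigned or tampered token never reaches the claim logic, then audience before anything else, because a replayed token with the wrong `aud` is the case the audit stream wants to see as `audience_mismatch` rather than as a generic failure.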

PKCE S256

Auth code flow. No shortcuts.

Authorization code + PKCE S256 is the only interactive grant. Implicit flow is blocked at the protocol level. No way to accidentally ship an insecure flow.
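Both halves of that grant in code, as an added example (not KavachOS code): the client derives an S256 challenge from a random verifier (RFC 7636), the /authorize handler rejects anything but response_type=code with an S256 challenge, and the /token handler binds the code to whoever started the flow by recomputing the challenge from the presented verifier. The request dictionaries, client id and redirect URI are assumed shapes, not the project's API.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes -> 43 chars.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def check_authorize_request(params: dict) -> Optional[str]:
    """Server side of /authorize: a rejection reason, or None to proceed."""
    if params.get("response_type") != "code":
        # Blocks the implicit grant (response_type=token) and hybrid variants outright.
        return "unsupported_response_type"
    if params.get("code_challenge_method") != "S256":
        return "invalid_request: code_challenge_method must be S256"
    challenge = params.get("code_challenge", "")
    if not (43 <= len(challenge) <= 128):
        return "invalid_request: code_challenge missing or malformed"
    return None


def check_token_request(stored_challenge: str, params: dict) -> Optional[str]:
    """Server side of /token: the code is only redeemable with the matching verifier."""
    verifier = params.get("code_verifier", "")
    if not (43 <= len(verifier) <= 128):
        return "invalid_grant: code_verifier missing or malformed"
    if not hmac.compare_digest(s256_challenge(verifier), stored_challenge):
        return "invalid_grant: code_verifier does not match code_challenge"
    return None


def run_flow(verifier: str, presented_verifier: Optional[str] = None) -> tuple:
    """Walk one client through both endpoints; returns (authorize_error, token_error).
    `presented_verifier` lets a caller simulate a stolen code redeemed by another party."""
    challenge = s256_challenge(verifier)
    auth_err = check_authorize_request({
        "response_type": "code",
        "client_id": "agent_writer",                       # constructed
        "redirect_uri": "https://client.example.test/cb",  # constructed
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    # The server would now issue an authorization code and store `challenge` with it.
    tok_err = check_token_request(challenge, {
        "grant_type": "authorization_code",
        "code": "constructed-authorization-code",
        "code_verifier": presented_verifier if presented_verifier is not None else verifier,
    })
    return auth_err, tok_err
```

Because the verifier never leaves the client until the token request, a code intercepted on the redirect is worthless on its own: the /token check fails unless the caller also holds the original verifier. The test below includes the known-answer vector from RFC 7636 Appendix B.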


FULL AUDIT

Every call, logged.

Token issuance, refresh, tool invocation, audience mismatch, and revocation all write to an immutable audit stream. Export to your SIEM. Query by client or subject.

audit · live · streaming
14:02  token_issued        agent_writer · tools:call
14:02  tool_call           search(q='docs')
14:03  token_refresh       new exp 14:58
14:17  tool_call           create(resource='...')
14:19  audience_mismatch   rejected
14:22  token_revoked       manual · admin
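What "query by client or subject" looks like once the stream has been exported, as an added example (not KavachOS code): parse a JSON-lines export, keep malformed lines visible rather than dropping them, filter by subject, client or event, and turn repeated audience mismatches into a per-client alert. The event schema (ts, event, subject, client_id, detail) and every line of the sample export are constructed for this example, not the project's real format.

```python
import json
from collections import Counter

# Constructed JSON-lines export modelled on the stream above. Field names are assumed.
SAMPLE_STREAM = """\
{"ts": "2026-04-17T14:02:00Z", "event": "token_issued", "subject": "agent_writer", "client_id": "cli_01", "detail": "tools:call"}
{"ts": "2026-04-17T14:02:10Z", "event": "tool_call", "subject": "agent_writer", "client_id": "cli_01", "detail": "search(q='docs')"}
{"ts": "2026-04-17T14:03:00Z", "event": "token_refresh", "subject": "agent_writer", "client_id": "cli_01", "detail": "new exp 14:58"}
{"ts": "2026-04-17T14:17:00Z", "event": "tool_call", "subject": "agent_writer", "client_id": "cli_01", "detail": "create(resource='page')"}
{"ts": "2026-04-17T14:19:00Z", "event": "audience_mismatch", "subject": "agent_writer", "client_id": "cli_02", "detail": "rejected"}
{"ts": "2026-04-17T14:19:30Z", "event": "audience_mismatch", "subject": "agent_writer", "client_id": "cli_02", "detail": "rejected"}
{"ts": "2026-04-17T14:22:00Z", "event": "token_revoked", "subject": "agent_writer", "client_id": "cli_01", "detail": "manual · admin"}
this line is not JSON and must be reported, not silently skipped
"""

REQUIRED_FIELDS = {"ts", "event", "subject", "client_id"}


def parse_stream(text: str):
    """Return (events sorted by ts, line numbers that failed to parse)."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)
            continue
        if not isinstance(ev, dict) or not REQUIRED_FIELDS <= set(ev):
            rejected.append(lineno)
            continue
        events.append(ev)
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
    return events, rejected


def query(events, subject=None, client_id=None, event=None):
    """Filter on any combination of subject, client and event name."""
    return [e for e in events
            if (subject is None or e["subject"] == subject)
            and (client_id is None or e["client_id"] == client_id)
            and (event is None or e["event"] == event)]


def mismatch_report(events, threshold: int = 2) -> dict:
    """Clients that presented a token at the wrong audience `threshold` or more times.
    One mismatch can be a misconfiguration; a run of them is a replay worth paging on."""
    counts = Counter(e["client_id"] for e in events if e["event"] == "audience_mismatch")
    return {client: n for client, n in counts.items() if n >= threshold}


def subject_timeline(events, subject: str):
    """Compact (HH:MM, event) view of one subject, matching the dashboard's layout."""
    return [(e["ts"][11:16], e["event"]) for e in query(events, subject=subject)]
```

Feeding the same records to a SIEM is a matter of emitting `events` as-is; the value of keeping `rejected` is that a gap in the audit trail shows up as an alert instead of disappearing.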

Wire your MCP server in one import.

One adapter between your tool server and any MCP client. OAuth 2.1 just works.

RFC 9728 · 8707 · 8414 · 7591 · PKCE S256 · MIT licensed