Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/Security

What we actually do about security.

A compliance badge does not prove a system is secure. Reading the code does. Below is what ships today, what lands at launch in May 2026, and what's on the roadmap. Everything is tagged so you can tell the difference.

01/How we think

We write security like it's going to be audited, because at some point it will be.

Principle / 01

Honest about maturity

Every security claim on this page is tagged today, launch, or roadmap. If we do not have something yet, we say so. That is the bar.

Principle / 02

Least privilege is the default

Agent tokens are scoped and time-bound. Permissions are explicit. A leaked token has the smallest possible blast radius.

Principle / 03

Open source by default

The core library is MIT. Auditors, customers, and researchers can read the code. Nothing security-critical lives in a proprietary black box.

Principle / 04

No magic silences

Security incidents get a public incident report with timeline, impact, root cause, and fix. Published within seven days.

02/Infrastructure

Runs on Cloudflare. No servers we have to keep awake.

The serverless choice is the security choice. Fewer things to forget to patch, no SSH doors to leave open, no long-lived credentials in motion. Every request terminates at the edge, runs, and ends.

  • Runtime

    Today

    Cloudflare Workers. Requests hit the nearest of 300+ edge locations. No always-on VMs, no long-lived servers.
  • Primary database

    Today

    Cloudflare D1 (SQLite). Multi-region. Daily backups, point-in-time recovery windows retained for 30 days.
  • Session and rate-limit store

    Today

    Cloudflare KV for read-heavy session lookups. Durable Objects for strongly-consistent rate limiting and per-tenant counters.
  • Secrets

    Today

    Stored in Cloudflare Secrets Store, never in source. 90-day rotation policy for signing keys. Per-tenant encryption keys at launch.
  • Residency

    At launch · May 2026

    EU and US regions at launch. Per-tenant residency selection ships with the first paid tier.

03/Data handling

We store the minimum. That's the whole policy.

Passwords are a burden we refuse. PII is a liability we minimize. Tokens that can be hashed, are hashed. If a breach happens, what leaks should be small by design, not small by luck.

  • Passwords

    Today

    Never stored. The library supports passkeys, magic links, OAuth, and SSO only. Passwords would be a liability we refuse to take on.
  • Tokens at rest

    Today

    Access tokens are not stored. Refresh tokens are hashed (argon2id) before write. Signing keys rotate on a schedule.
  • Audit log

    Today

    Every delegation, token issuance, and permission check is logged with tenant ID, actor, resource, and decision. Retention matches your plan.
  • PII minimization

    Today

    We store the identifier OAuth needs (email, provider ID). We do not store IP addresses beyond a rolling 30-day anomaly window.
  • Export and delete

    At launch · May 2026

    Self-serve export of all your tenant data as JSON. Self-serve delete that propagates to backups within 30 days.

04/Compliance roadmap

Dates are dates. Audits are audits. Both slip sometimes.

Here is the real schedule. If one of these is a hard procurement requirement today, tell us up front and we will be honest about whether we can clear your gate in time.

  • SOC 2 Type I

    Roadmap

    Auditor engaged. Observation window begins at public launch (May 2026). Type I report target within 90 days of launch.
  • SOC 2 Type II

    Roadmap

    Target twelve months after SOC 2 Type I report.
  • GDPR

    At launch · May 2026

    DPA available for review at launch. EU residency, subprocessor list, right to erasure, and data portability are product features, not policy fiction.
  • ISO 27001

    Roadmap

    On the path for the enterprise tier. No date until the auditor is scheduled.
  • HIPAA

    Roadmap

    Out of scope today. Revisit when we have a healthcare design partner.

05/Coordinated disclosure

Found something? Email security@kavachos.com.

One business day response. No bounty yet. Researchers who help us ship a fix get a public write-up with credit and an early access seat.

Ground rules

  • 01 Do not exfiltrate more than what proves the finding.
  • 02 Give us a reasonable window to ship before disclosing publicly.
  • 03 Do not touch other tenants' data. Everyone else's trust is on the line too.

If we can't say it today with a clean conscience, we won't put it on a security page.

Stance we refuse to move from