What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

00/Use case · Multi-agent systems

Delegation chains for multi-agent systems.

A root agent spawns a planner. The planner spawns three tool agents. Each hop reduces scope. Each hop carries a parent. Each hop is logged. KavachOS gives you the delegation primitive so your orchestration does not become an auth rebuild.

Read the docs See the agent primitives

01/TL;DR

Three things that matter.

Every hop is a cryptographic delegation

Parent agent signs over a scope subset to a child. Child cannot exceed parent scope. Provable at the tool server.

Audit reads like a call tree

Who delegated to whom, which scope, which resource, what outcome. Query it as a tree or a flat log.

Revoke the root, the whole chain stops

Revocation cascades along the delegation graph. Offboarding a user stops every descendent agent at the next verify.

02/The problem

Orchestration frameworks ship without auth.

LangGraph, CrewAI, AutoGen, and every bespoke orchestrator give you the graph model. None of them gives you a way to prove that the research agent was allowed to invoke the file-write agent. The scopes live in a prompt. The audit lives in a console.log. The revocation does not exist.

Scopes enforced by prompt

The only thing stopping the summarizer from calling the email-send tool is a line in its system prompt. Prompt injection defeats this in one turn.

No parent subject on child agents

When a child agent calls a tool, the server cannot answer 'who is running this'. Debugging a misbehaving chain becomes archaeology.

Credentials wider than needed

The orchestrator holds a wide token and passes it to every child. Any leaked child context exposes the wide token.

Revocation is not a real concept

There is no way to 'kill the research agent but keep the planner'. The only kill switch is tearing down the whole graph.

03/How kavachOS fits

Delegation as the primitive, not the bolt-on.

KavachOS gives you a delegate() call. Pass in the parent, the scope subset, the audience, and the TTL. Get back a token the child can use. The child can delegate further. The chain is cryptographically verifiable end to end.

Chains

Parent-child delegation with scope subsetting

Each call to delegate() produces a token whose scope is a proven subset of the caller's. The tool server can verify the full chain back to the human root in a single cryptographic check.

Primitive 01

Audience

Audience-bound at every hop

Every token carries an aud claim naming exactly one resource server. A token minted for the calendar tool cannot be replayed against the email tool.

Primitive 02

Short TTL

Minutes, not hours

Child tokens default to short TTLs. Long-running workflows use refresh-via-parent rather than long-lived credentials.

Primitive 03

Audit tree

The audit log is the delegation graph

Queries return the parent, the child, the scope delta, the resource, and the outcome. Visualize it as a tree, export it to your SIEM, or diff two runs to find the first misbehaving hop.

Primitive 04

Revocation

Cascade revocation along the graph

Revoke a parent and every descendent stops verifying. Revoke a single child without affecting siblings. Revocation is a first-class operation, not a workaround.

Primitive 05

04/In code

The minimum you need to write.

Full examples with framework adapters live in the docs. This is the shape of what you wire into your app.

Open the quickstart

planner-agent.ts

typescript

A planner agent delegates to a specialist agent with a tighter scope. The specialist's token carries the planner as its parent and cannot exceed the planner's scope.

import { kavachos } from "kavachos";

// Planner was delegated scopes by the human user earlier.
const specialist = await kavachos.delegate({
  parent: planner.token,
  audience: "https://tools.example.com",
  scopes: ["files:read"], // subset of planner's scopes
  ttlSeconds: 120,
  reason: "extract_revenue_from_q3_report"
});

// The specialist calls the tool with its scoped token.
const result = await fetch("https://tools.example.com/files/read", {
  headers: { Authorization: `Bearer ${specialist.token}` }
});

// The audit log now shows: user -> planner -> specialist -> tool.
// Every hop is verifiable.

Subset

Proven at every hop

aud

Claim bound per token

Cascade

Revocation model

Tree

Audit view native

05/Before / after

The difference shows up in the audit log.

Without scoped identity

scopes enforced by prompt
no parent subject on child agents
credentials wider than needed

With kavachOS

parent-child delegation with scope subsetting
audience-bound at every hop
minutes, not hours

We had nine agents in our orchestration graph and no real answer to 'which one touched that file'. KavachOS delegation gave us the tree view on day one. Our security review got two weeks shorter.

Founding engineer· Agentic research platform

06/FAQ

What teams building for multi-agent systems usually ask.

Short answers. Link out to the docs if you want the long version.

Does this work with LangGraph?

Yes. We ship a LangGraph middleware that attaches the delegation token to every node execution and mints child tokens when a node spawns a sub-agent. The middleware writes each hop to the audit log with node id and graph id for traceability.

What about CrewAI, AutoGen, or a custom orchestrator?

The delegate() call is framework-agnostic. CrewAI and AutoGen both expose hook points where we attach the delegation context. For custom orchestrators, wrap your agent-to-agent handoff with kavachos.delegate() and pass the returned token through as the Bearer.

How deep can delegation chains go?

By default, eight hops. This is configurable. Each hop adds one link to the chain payload and one audit row. Deeper chains are supported but surface as a policy flag so you can review them.

Can a child scope be strictly greater than the parent in rare cases?

No. This is the invariant that makes delegation provable. If you need a child to have a different scope than the parent, mint a new delegation from the human root with the right scope. Scope escalation is an anti-pattern.

How do I visualize a chain for a customer report?

The dashboard renders each delegation graph as an interactive tree with timing, outcome, and scope per hop. The same data is available as JSON via the management API for your own reporting.

What happens if the parent token expires mid-chain?

Children minted from an expired parent are rejected at verification. In practice, orchestrators refresh the parent before spawning new children. For long-running graphs, configure refresh behavior at the top of the chain.

07/Related reading

Keep going.

On kavachos.com

Ship a delegation graph your security reviewer will trust.

Every hop carries a parent, a scope subset, and an audience. The audit log answers who did what. Free up to 1,000 MAU.

Join early access Read the docs Star on GitHub