Auth libraries have a well-worn problem. You install one, get it working, and eventually your requirements outgrow what you configured in an afternoon. Then you're managing token rotation schedules, debugging session edge cases at 2am, and figuring out why your OAuth callback stopped working after a library update.
We built kavachOS to solve a different version of that problem. AI agents need auth too. Not just "can this user log in" auth, but identity that works across agent chains: which agent called which tool, under what permissions, with what delegation from whom. None of the existing auth libraries treat agents as first-class entities. They're bolted on as service accounts or API keys with no structure.
KavachOS Cloud is managed hosting for the open-source kavachOS library. You get the full feature set without running your own infrastructure.
What's included
kavachOS supports 12 auth methods out of the box: email/password, magic links, TOTP, passkeys, GitHub, Google, and more. Every project gets a tenant-isolated database, so your users' data never shares a table with another customer's.
For AI agents specifically, you get:
- Agent identities with scoped permissions and delegation chains. An agent can act on behalf of a user without having that user's full access.
- MCP OAuth 2.1 — fully spec-compliant (RFC 9728, 8707, 8414, 7591) so any MCP client can authenticate against your endpoints.
- Audit trail on every agent action. You can reconstruct exactly what happened, in what order, and which agent was responsible.
- Rate limiting per agent identity, not just per IP.
The dashboard handles user management: search, ban, delete, view sessions and audit trail per user. API key management with scope controls. Usage metrics broken down by auth method.
The agent problem in practice
Say you're building a coding assistant. Users authorize it to access their GitHub. The assistant spins up sub-agents: one searches code, one opens pull requests, one writes comments. Each of those should have scoped permissions tied back to the original user's authorization — not to a single API key that gives everything access to everything.
With kavachOS, you model this as a delegation chain. The user authorizes the parent agent. The parent agent creates child agents with narrower scopes via kavachos.agents.delegate(). Every action by every agent logs to the audit trail with the full chain visible. If something goes wrong, you know which agent did it and what it was allowed to do.
Without this structure, you're either using overpermissioned API keys or building the delegation logic yourself. Neither is great.
Getting started
Install the SDK:
npm install kavachos
# or
pip install kavachosCreate a project at app.kavachos.com/sign-up. You get an API key in under 30 seconds. Then:
import { createKavach } from 'kavachos';
const kavach = createKavach({
apiKey: process.env.KAVACHOS_API_KEY,
});
// Authenticate a user
const session = await kavach.auth.signIn({
email: 'user@example.com',
password: 'their-password',
});
// Create an agent identity
const agent = await kavach.agents.create({
name: 'search-agent',
permissions: ['read:repos'],
delegatedFrom: session.userId,
});
// Delegate to a sub-agent
const subAgent = await kavach.agents.delegate({
from: agent.id,
permissions: ['read:repos:search'],
ttl: '30m',
});Pricing
We're cheaper than Auth0 and Clerk by a significant margin.
| Tier | MAU | Monthly |
|---|---|---|
| Free | 1,000 | $0 |
| Starter | 10,000 | $29 |
| Growth | 50,000 | $79 |
| Scale | 200,000 | $199 |
Auth0 charges around $228/mo for 10,000 MAU on their paid plan. Clerk starts at $25 for 10,000 MAU but charges per organization and has no agent support. We're 5–10x cheaper at scale, and the thing most of them charge enterprise rates for — agent identity and MCP OAuth — is built into every plan.
The free tier is generous enough to ship a real side project. 1,000 MAU, unlimited agents, 7-day audit history, no credit card required.
What's open source
The core library (kavachos on npm and PyPI) is MIT licensed. Everything in the SDK: the auth methods, agent identity model, MCP OAuth implementation, session management. You can self-host the whole thing.
kavachOS Cloud is the managed layer: multi-tenant hosting, the dashboard, billing, usage metering, and the platform API. If you're comfortable running Cloudflare Workers and D1 databases, you don't need us. If you'd rather not, $29/mo is cheaper than the engineering time.
Public beta
We're in public beta. The core features are stable and we use kavachOS in production ourselves. Some things — SCIM provisioning, compliance reports, SAML for the dashboard — are on the roadmap but not shipped yet.
If you're building an AI product and need auth that actually handles agents, sign up and let us know what you need.
Share this post
Get started
Try kavachOS Cloud free
Free up to 1,000 MAU. No credit card required.