Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/kavachOS vs Auth0

The Auth0 bill is the trigger. Everything else is the excuse.

Nobody wakes up wanting to migrate auth. You do it because the pricing page surprised you, or because your AI feature needs a primitive Auth0 doesn't ship. kavachOS is MIT, edge-native, and quotes the full number up front. Here's the side-by-side.

Managed SaaS | kavachOS · MIT

01/Why people land on this page

Three reasons the invoice arrives faster than you planned.

Auth0's free tier caps at 7,500 MAU. The Essential plan starts at $240 a month at 10,000 MAU, and Organizations, M2M, and breach detection are billed on top. The cliff shows up the first quarter you grow.

  • The per-MAU line scales faster than revenue

    Essential is $0.024 per extra MAU, Professional is $0.080. A B2B product with a self-serve tier can hit $800 a month before the enterprise deal that was supposed to pay for it closes.

  • Agents and MCP tools have no primitive

    If you ship an AI feature, each agent needs its own identity, not a shared API key. Auth0 has no agent token, no delegation chain, no MCP OAuth 2.1 authorization server.

  • Cloud-only. No self-host option.

    Some buyers need the auth layer inside their VPC. Auth0 does not self-host, so the answer is always 'no'. kavachOS runs anywhere Node runs, and the cloud option is a choice, not a requirement.

02/Where they beat us

Auth0 wins these. We are saying so out loud.

If any of these matter more than the reasons above, stay on Auth0. The migration will still be here when the trade-off flips.

Auth0 is better at

Procurement and compliance paperwork

Auth0 has SOC 2 Type II, ISO 27001, HIPAA, and FedRAMP already filed. If your buyer's security questionnaire lists those by name with a date, Auth0 ships a satisfying answer today. kavachOS is targeting Type I at launch and Type II a year later.

Auth0 is better at

IdP compatibility depth

Auth0 has been tested against hundreds of SAML and OIDC identity providers for over a decade. The long tail of IdP quirks is handled. kavachOS covers the common IdPs but the matrix is smaller by definition.

Auth0 is better at

Universal Login and brand-safe hosted pages

Auth0's hosted login page is polished and battle-tested. If you need hosted, branded, fully compliant auth UI without writing any UI code yourself, Auth0 ships that faster than anyone.

03/Side by side

The facts on one row each.

No checkmark theater. Each row is a value you can verify against the public docs on either side.

  • Starting price

    kavachOS: $0 up to 1,000 MAU
    Auth0: $0 up to 7,500 MAU

    Auth0 free tier excludes custom domains and most enterprise features.

  • Price at 10,000 MAU

    kavachOS: $29 / month
    Auth0: $240 / month (Essential)

    Auth0 Professional is $800 at the same MAU if you need M2M or advanced RBAC.

  • Open source license

    kavachOS: MIT
    Auth0: Proprietary

  • Self-host option

    kavachOS: Yes, any runtime
    Auth0: No, SaaS only

  • Billing shape

    kavachOS: Flat monthly tiers
    Auth0: Per-MAU with add-ons

  • Agent identity primitive

    kavachOS: First-class
    Auth0: None

  • MCP OAuth 2.1 server

    kavachOS: RFC-compliant
    Auth0: None

  • M2M tokens included

    kavachOS: On every paid plan
    Auth0: Billed separately at volume

  • SCIM provisioning

    kavachOS: Included from Growth ($79)
    Auth0: Enterprise plan only

  • Cloudflare Workers runtime

    kavachOS: Supported
    Auth0: Not supported

  • Bcrypt password migration

    kavachOS: In-place, no user reset
    Auth0: Source export only

04/Pricing

Run the number you actually care about.

Everyone argues about pricing in the abstract. Pick the MAU count that matches next quarter and compare the two columns. Ignore the rest.

Auth0

Per-MAU tiers with add-ons for Organizations, M2M, and enterprise features. The price you click is usually not the price you pay.

  • Free

    7,500 MAU

    No custom domains, limited features.

    $0

  • Essential

    10,000 MAU

    +$0.024 per extra MAU. No M2M included.

    $240 / mo

  • Professional

    10,000 MAU

    +$0.080 per extra MAU. M2M included.

    $800 / mo

  • Enterprise

    SCIM, advanced security, SLA. Annual contract.

    Custom

kavachOS

Flat monthly tiers. Agent identity, M2M, organizations, and SSO come with the plan, not on top of it.

  • Free

    1,000 MAU

    Full features, no credit card.

    $0

  • Starter

    10,000 MAU

    Agent identity and M2M included.

    $29 / mo

  • Growth

    50,000 MAU

    SSO, SCIM, priority support.

    $79 / mo

  • Scale

    200,000 MAU

    SLA, dedicated support.

    $199 / mo

  • Enterprise

    Self-host assist, custom terms.

    Custom

05/Migration

The port is an import swap, a middleware swap, and a user import command.

Before · Next.js with Auth0

```ts
// middleware.ts
import { withMiddlewareAuthRequired } from "@auth0/nextjs-auth0/edge";
export default withMiddlewareAuthRequired();

// app/api/me/route.ts
import { getSession } from "@auth0/nextjs-auth0";

export async function GET() {
  const session = await getSession();
  if (!session?.user) return new Response("Unauthorized", { status: 401 });
  return Response.json({ user: session.user });
}
```

After · Next.js with kavachOS

```ts
// middleware.ts
import { kavachosMiddleware } from "kavachos/next";
export default kavachosMiddleware();

// app/api/me/route.ts
import { auth } from "kavachos/next";

export async function GET() {
  const session = await auth();
  if (!session?.user) return new Response("Unauthorized", { status: 401 });
  return Response.json({ user: session.user });
}
```
01

Export

Pull the users out of Auth0

Run Auth0's Management API bulk user export. You get a gzipped JSON lines file. kavachOS imports that format directly with 'kavachos import auth0 users.json.gz'. Bcrypt password hashes move in place, so your users do not have to reset.
02

Swap

Replace the SDK

Run 'npm uninstall @auth0/nextjs-auth0 && npm install kavachos'. The session helper names match on purpose (auth, currentUser). Most route handlers need only the import path change.
03

Env

Rename three environment variables

AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET become KAVACHOS_ISSUER, KAVACHOS_CLIENT_ID, KAVACHOS_CLIENT_SECRET. Redirect URIs stay the same because the OAuth 2.0 callback shape is the same.
04

Connections

Re-create social and SSO connections

Copy your OAuth client IDs and secrets into the kavachOS dashboard. For SAML, paste the IdP metadata XML. kavachOS regenerates the SP metadata at the same predictable URL, so IdP admins do not have to reconfigure their end.
05

Verify

Run the migration checker before DNS

'kavachos migrate verify' scans your config for missing callbacks and unmapped providers, and diffs the Auth0 export against the kavachOS database. Run it on staging, fix what it reports, then cut DNS.
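
Before the import in step 01, it helps to know how many exported accounts actually carry a bcrypt hash that can move in place. The following is an added example, not kavachOS code and not what 'kavachos migrate verify' does; the record fields `email` and `passwordHash` and the minimum cost of 10 are assumptions to adjust to your own export.

```ts
import { gunzipSync, gzipSync } from "node:zlib";

// bcrypt modular-crypt string: $2a$/$2b$/$2y$, 2-digit cost, 22-char salt + 31-char digest.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

interface ExportAudit {
  total: number;
  importable: number;      // well-formed bcrypt hash with cost >= minCost
  lowCost: string[];       // valid hash, weak cost: plan a rehash on next login
  noUsableHash: string[];  // missing or malformed hash: social login or reset needed
  duplicateEmails: string[];
  badLines: number[];      // 1-based lines that are not JSON objects
}

// ASSUMPTION: records carry `email` and `passwordHash`; adjust to your export.
// Only emails are reported, so hashes never reach logs.
function auditExport(gz: Uint8Array, minCost = 10): ExportAudit {
  const audit: ExportAudit = { total: 0, importable: 0, lowCost: [],
    noUsableHash: [], duplicateEmails: [], badLines: [] };
  const seen = new Set<string>();
  gunzipSync(gz).toString("utf8").split("\n").forEach((line, i) => {
    if (line.trim() === "") return;
    let rec: unknown;
    try { rec = JSON.parse(line); } catch { rec = null; }
    if (typeof rec !== "object" || rec === null) { audit.badLines.push(i + 1); return; }
    const user = rec as Record<string, unknown>;
    audit.total++;
    const email = String(user.email ?? "").trim().toLowerCase();
    if (email && seen.has(email)) audit.duplicateEmails.push(email);
    seen.add(email);
    const hash = typeof user.passwordHash === "string" ? user.passwordHash : "";
    const m = BCRYPT_RE.exec(hash);
    if (!m) audit.noUsableHash.push(email);
    else if (Number(m[1]) < minCost) audit.lowCost.push(email);
    else audit.importable++;
  });
  return audit;
}

// Constructed sample: placeholder strings in bcrypt shape, not real digests.
const fakeHash = (cost: string) => `$2b$${cost}$${"A".repeat(53)}`;
const SAMPLE = gzipSync(Buffer.from([
  JSON.stringify({ email: "a@example.com", passwordHash: fakeHash("10") }),
  JSON.stringify({ email: "b@example.com", passwordHash: fakeHash("04") }),
  JSON.stringify({ email: "c@example.com" }),
  JSON.stringify({ email: "A@example.com", passwordHash: fakeHash("12") }),
  "{not json",
].join("\n")));
console.log(auditExport(SAMPLE));
```

Accounts listed under `noUsableHash` cannot sign in with a password after cutover, so their count is the size of the reset or social-login population to plan for.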

06/Decide in thirty seconds

Two columns. Honest test.

Stay on Auth0

  • Procurement and compliance paperwork
  • IdP compatibility depth
  • Universal Login and brand-safe hosted pages

Switch to kavachOS

  • The per-MAU line scales faster than revenue
  • Agents and MCP tools have no primitive
  • Cloud-only. No self-host option.

07/FAQ

Questions people actually ask before they switch.

Short answers. Link to the docs if the long version matters.

Can my users keep their passwords?

Yes. Auth0 exports bcrypt hashes by default, and kavachOS verifies against the same bcrypt format on the next login. There's no forced password reset flow.

Will my social providers still work?

kavachOS ships 27 OAuth providers including Google, GitHub, Microsoft, Apple, Facebook, X, LinkedIn. You reuse your existing OAuth client IDs. The redirect URI pattern is the same, so nothing on the provider side changes.

Do I have to use kavachOS Cloud, or can I self-host?

Self-host is supported from day one. The library is MIT and the same binary powers the cloud. Teams that need data residency or a VPC deployment run it themselves. Teams that don't want to operate it use the cloud.

Is there a SOC 2 report yet?

Type I is in progress and targeted to complete shortly after launch. Type II follows a year of continuous evidence. If your buyer requires Type II today and nothing else will do, Auth0 is the right choice for that deal. Switch on the next renewal.

What about machine-to-machine tokens?

Included on every paid plan with the OAuth 2.0 client credentials flow. Auth0 bills M2M separately and the line grows as your agent or service count grows. kavachOS does not meter M2M token issuance.

We use Auth0 Actions for custom hooks. What's the equivalent?

kavachOS has typed lifecycle hooks for signup, signin, tokenIssued, and sessionRefreshed. They run on the same edge runtime the rest of your app runs on, so debugging uses the same logs and the same stack traces. No separate serverless dashboard.

Try the port on a branch. Small diff. Evidence beats a pitch.

Switch story · Auth0 → kavachOS

The library is MIT. Install it, run kavachos migrate verify against an Auth0 export, push a branch, and show the diff to your team. If the savings and the agent primitives are worth the switch, finish it. If not, stay. We'll be here.