What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

00/kavachOS vs Better Auth

Same philosophy. Different scope.

Better Auth made TypeScript-first OSS auth respectable again. kavachOS is in the same camp on license, types, and DX. The difference is where the product stops. Better Auth stops at the human session. kavachOS keeps going into agent identity, MCP OAuth 2.1, and an optional managed cloud.

Open sourcekavachOS · MIT

01/Why people land on this page

Three cases where Better Auth is the wrong tool for the job it's being asked to do.

Better Auth's core use case is a TypeScript app that wants real auth without a SaaS bill. If your use case has drifted into agents, enterprise buyers, or ops-you-don't-want-to-own, the fit gets uncomfortable.

Agent identity is not a plugin problem
Delegation proofs, per-agent token lifecycle, and MCP-compliant OAuth scopes need to be in the token format and the session model, not bolted on. Building this on Better Auth's plugin API means reimplementing most of what kavachOS already ships.
Enterprise SSO is a full-time product, not a maintained package
SAML and OIDC federation have sharp edges. IdP-specific quirks, metadata refresh, SCIM eventual consistency. Better Auth leaves this to community plugins. kavachOS ships it as a first-party feature on the Growth plan.
Someone has to run the database
Self-hosting is great until you are paged at 2am because the auth Postgres ran out of connections. kavachOS Cloud runs the same authorization server logic as the library, so you can start self-hosted and migrate to managed without changing your code.

02/Where they beat us

Better Auth wins these. We are saying so out loud.

If any of these matter more than the reasons above, stay on Better Auth. The migration will still be here when the trade-off flips.

Better Auth is better at

Plugin ecosystem and iteration speed

Better Auth has a livelier plugin ecosystem today. If your use case is slightly unusual, the odds are good that someone in the community has shipped a plugin. kavachOS is more opinionated with a tighter first-party scope, which is a feature for some teams and a bug for others.

Better Auth is better at

Zero-cost forever for solo projects

If you are building a side project with a handful of users and no commercial pressure, Better Auth with SQLite and one tiny VPS is hard to beat on cost or complexity. kavachOS cloud is free up to 1,000 MAU, but the self-host path for hobby scale is more machinery than Better Auth.

Better Auth is better at

Community velocity on new auth methods

Passkey improvements, new social providers, emerging patterns often land in Better Auth plugins first. kavachOS adds these in core releases on a slower cadence so the surface stays small and typed end-to-end.

03/Side by side

The facts on one row each.

No checkmark theater. Each row is a value you can verify against the public docs on either side.

Row

kavachOS

Better Auth

Open source license
MIT
MIT
Self-host
Yes
Yes
Managed cloud option
Yes, starts free
No, self-host only
Agent identity primitive
First-class
Not in core
MCP OAuth 2.1 server
RFC-compliant
Not available
Enterprise SSO (SAML / OIDC)
First-party, Growth plan
Community plugins
SCIM provisioning
First-party
Not available
Machine-to-machine tokens
Client credentials flow
Not in core
TypeScript-first types
End-to-end
End-to-end
Adapters (Drizzle, Prisma, Kysely)
First-party
First-party
Edge runtime support
Workers, Deno, Bun, Node
Workers, Deno, Bun, Node
Plugin ecosystem size
Smaller, first-party focus
Larger, community-driven

04/Pricing

Run the number you actually care about.

Everyone argues about pricing in the abstract. Pick the MAU count that matches next quarter and compare the two columns. Ignore the rest.

Better Auth

Library is free and MIT. You pay for the database, the compute, the monitoring, and the engineering time to run it.

Self-hosted
Hosting, DB, and ops are on you.
$0 library

kavachOS

Library is MIT. Cloud is optional and starts free. Same code runs in both.

Self-hosted library
MIT, same as Better Auth.
$0
Cloud Free
1,000 MAU
Managed infra, no credit card.
$0
Starter
10,000 MAU
Agent identity, managed hosting.
$29 / mo
Growth
50,000 MAU
SSO, SCIM, priority support.
$79 / mo
Scale
200,000 MAU
SLA, dedicated support.
$199 / mo

05/Migration

The adapter pattern is the same. Config keys, session shape, and hook names line up on purpose.

Before · Better Auth with Drizzle

import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "./db";

export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: "pg" }),
  emailAndPassword: { enabled: true },
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    },
  },
});

After · kavachOS with Drizzle

import { kavachos } from "kavachos";
import { drizzleAdapter } from "kavachos/adapters/drizzle";
import { db } from "./db";

export const auth = kavachos({
  database: drizzleAdapter(db, { provider: "pg" }),
  emailAndPassword: { enabled: true },
  socialProviders: {
    github: {
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    },
  },
  // New: opt into agent identity when you want it.
  agents: { enabled: true, defaultScopes: ["read"] },
});

Schema

Reuse the database you already have

Run kavachos migrate from-better-auth. It generates an idempotent migration that adds the columns kavachOS needs (agent identity, audit log) without touching user, session, or account data. Existing logged-in users stay logged in.

Imports

Change the package name

Find-and-replace 'better-auth' with 'kavachos'. The adapter packages, hook names, and config keys are intentionally compatible. A typical Next.js app compiles on the first try after the rename.

Agents

Enable agent identity if you want it

Add agents: { enabled: true } to the config. This is new, not a replacement for anything. Existing user flows are untouched. Use agents.issue() when you want to mint an agent token from a user session.

SSO

Replace the community SSO plugin

If you are using a community-maintained SSO plugin, remove it and configure kavachOS's first-party SSO in the dashboard or via config. SAML metadata import works the same way. Your IdP does not need to change.

Cloud, optional

Point at kavachOS Cloud when the ops burden stops being fun

The cloud runs the same authorization server as the library. Change the issuer URL and client ID, run kavachos cloud sync to push user and session data, and let us run the database. You can move back to self-hosted at any time.

06/Decide in thirty seconds

Two columns. Honest test.

Stay on Better Auth

plugin ecosystem and iteration speed
zero-cost forever for solo projects
community velocity on new auth methods

Switch to kavachOS

agent identity is not a plugin problem
enterprise sso is a full-time product, not a maintained package
someone has to run the database

07/FAQ

Questions people actually ask before they switch.

Short answers. Link to the docs if the long version matters.

Is kavachOS a fork of Better Auth?

No. Independent codebase, independent design. Both libraries share open-source values and similar adapter patterns because good ideas travel. The implementations diverge where agent identity, MCP, and enterprise SSO require schema changes the other does not have.

If Better Auth is free, why pay for kavachOS Cloud?

Better Auth is free as in the code. Running it is not. You pay for a Postgres, a monitoring stack, a backup routine, and the hours to keep it all running. Cloud Free is $0 up to 1,000 MAU. Past that, the question is whether $29 to $199 a month is less than an engineer's time on auth ops. For most teams, yes.

Will my existing Better Auth sessions survive the migration?

Yes. kavachos migrate from-better-auth ports session rows in place. The session token format is the same. Existing users keep their sessions until they expire on the normal clock.

Does kavachOS support the same databases?

Yes. SQLite, Postgres, MySQL, Cloudflare D1, and libSQL / Turso. The Drizzle, Prisma, and Kysely adapter packages have the same names on both sides.

Why build agent identity in core instead of as a plugin?

Agent tokens need a different lifecycle than user sessions: delegation proof in the token, revocation that does not cascade to the parent user, audience binding for MCP resource servers. Plugin systems built around session middleware cannot express this cleanly. It has to be in the session model.

We like Better Auth's community. What's the story with kavachOS?

Smaller, newer, and more first-party-focused. The trade-off is honest. If you want an ecosystem of contributed plugins for every edge case, Better Auth wins today. If you want fewer plugins and more of the sharp corners solved in core, kavachOS is the bet.

Stay on Better Auth until agents, SSO, or ops pushes you. Then port in an afternoon.

Switch story · Better Auth → kavachOS

The config shape is intentionally compatible. Run kavachos migrate from-better-auth against a staging branch, review the diff, and decide on facts. The library is MIT on both sides. You are not trading one lock-in for another.

Join early access Read the Better Auth migration guide Read the source Back to all comparisons