What does 'kavachOS' mean?

kavachOS is a portmanteau of 'kavach' (Sanskrit for 'armor') and 'OS' (operating system). The name describes the library's role: an operating layer that shields every identity, call, token, and delegation in an application.

How is 'kavach' pronounced?

Ka-vach. In Sanskrit (कवच), it means 'armor': the layered, protective armor warriors wore into battle.

A TypeScript library for authentication and authorization, covering both AI agents and human users. It provides identity, permissions, delegation chains, audit trails, and MCP OAuth 2.1 in a single package. MIT licensed, edge-native.

00/kavachOS vs Firebase Auth

KavachOS vs Firebase Auth

Firebase Auth is a solid human-login service tied to Google Cloud. KavachOS was built for the AI era — agent identity, MCP OAuth 2.1, and human auth all without vendor lock-in.

BaaS authkavachOS · MIT

01/Why people land on this page

What usually triggers the switch from Firebase Auth.

We pulled the three reasons teams give us most often when they contact us.

No agent identity in Firebase
Firebase Auth has no concept of AI agent tokens, delegation chains, or MCP OAuth 2.1. KavachOS ships these as first-class primitives so agents get their own identity, scoped permissions, and a full audit trail.
You cannot self-host Firebase
Firebase is Google Cloud-only. There is no way to run it on your own infrastructure. KavachOS is MIT-licensed and runs on Node.js, Deno, Bun, and Cloudflare Workers — your data stays where you put it.
Firebase pricing punishes phone auth at scale
Most Firebase auth is free, but SMS verification costs $0.0055 per SMS after 50,000/month, and the broader Blaze pay-as-you-go model makes budgeting unpredictable. KavachOS uses flat monthly tiers.

02/Where they beat us

Firebase Auth wins these. We are saying so out loud.

If any of these matter more than the reasons above, stay on Firebase Auth. The migration will still be here when the trade-off flips.

Firebase Auth is better at

Firebase Auth has a longer track record

Firebase Auth has been in production at more companies for more years. If that history is load-bearing for your buyer, weigh it heavily.

Firebase Auth is better at

Their docs and community are larger

More Stack Overflow answers, more third-party tutorials, more hiring pool who already know it.

03/Side by side

The facts on one row each.

No checkmark theater. Each row is a value you can verify against the public docs on either side.

Row

kavachOS

Firebase Auth

AI agent identity
Firebase has no agent token primitive
Yes
No
MCP OAuth 2.1
KavachOS is spec-compliant; Firebase has no MCP support
Yes
No
Agent delegation chains
Yes
No
Agent permission scoping
Yes
No
Agent audit log
Yes
No
Self-hosting
Firebase is Google Cloud-only
Yes
No
Open source (MIT)
Firebase is proprietary
Yes
No
Social / OAuth providers (27+)
Yes
Yes
Passkeys / WebAuthn
Firebase has no native passkey support
Yes
No
Magic link
Firebase calls it email link sign-in
Yes
Yes
Multi-factor authentication
Firebase MFA is SMS-only
Yes
Yes
Enterprise SSO (SAML, OIDC)
Firebase has no SAML support
Yes
No
SCIM provisioning
Yes
No
Organizations / multi-tenancy
Firebase multi-tenancy requires Identity Platform upgrade
Yes
Yes
Machine-to-machine tokens
Yes
No
Custom domains
Firebase hosted auth uses firebaseapp.com domain
Yes
No
Custom email templates
Yes
Yes
Brute force protection
Yes
Yes
Breach password detection
Yes
No
Free tier
Firebase free tier is generous but tightly coupled to Google Cloud
Yes
Yes
Cloudflare Workers runtime
Yes
No

04/Pricing

Run the number you actually care about.

Everyone argues about pricing in the abstract. Pick the MAU count that matches next quarter and compare the two columns. Ignore the rest.

Firebase Auth

Firebase Auth is free for most sign-in methods on the Spark (free) plan. Phone authentication costs $0.0055 per SMS after 50,000 verifications per month. Moving to Blaze (pay-as-you-go) unlocks multi-tenancy and Identity Platform features but introduces unpredictable billing across the entire Firebase suite.

Spark (free)
Unlimited MAU
Email, social, anonymous auth free. Phone auth: 50K SMS free/month
$0
Blaze (pay-as-you-go)
Unlimited MAU
$0.0055 per SMS after free tier. Identity Platform: $0.0055/MAU after 49,999
Usage-based
Identity Platform (upgrade)
After 49,999 MAU
Required for SAML, OIDC, multi-tenancy, blocking functions
$0.0055/MAU

kavachOS

KavachOS Cloud uses flat monthly tiers with no surprise overages for SMS, organizations, or enterprise SSO.

Free
1,000 MAU
Full feature access, no credit card
$0
Starter
10,000 MAU
Agent identity included
$29/mo
Growth
50,000 MAU
SSO, SCIM, priority support
$79/mo
Scale
200,000 MAU
SLA, dedicated support
$199/mo
Enterprise
Unlimited MAU
On-prem, custom contracts
Custom

05/Migration

Most of the port is an import path change and a middleware swap.

Before · Firebase Auth

// Your existing Firebase Auth integration
// See the full comparison on the rewritten
// pages for a code-level diff.

After · kavachOS

import { kavachos } from "kavachos";

export const auth = kavachos({
  adapter: /* your db */,
  providers: [/* same set you already had */],
});

Step 01

Export your Firebase users using the Firebase CLI (`firebase auth:export users

Export your Firebase users using the Firebase CLI (`firebase auth:export users.json`). KavachOS accepts this format with a one-time import command that preserves existing password hashes.

Step 02

Replace the Firebase Auth SDK calls with the `kavachos` npm package

Replace the Firebase Auth SDK calls with the `kavachos` npm package. The token verification pattern is similar — swap `admin.auth().verifyIdToken()` for the KavachOS token verify function.

Step 03

Update your environment variables — remove `FIREBASE_PROJECT_ID` and friends and add the KavachOS API URL and project key from the dashboard

Update your environment variables — remove `FIREBASE_PROJECT_ID` and friends and add the KavachOS API URL and project key from the dashboard.

Step 04

Re-create your social provider configurations (Google, GitHub, etc

Re-create your social provider configurations (Google, GitHub, etc.) in the KavachOS dashboard. Redirect URIs follow the same OAuth 2.0 conventions you already have.

Step 05

Test your auth flows end-to-end, then cut over DNS or swap the SDK config — no forced user password resets required

Test your auth flows end-to-end, then cut over DNS or swap the SDK config — no forced user password resets required.

06/Decide in thirty seconds

Two columns. Honest test.

Stay on Firebase Auth

firebase auth has a longer track record
their docs and community are larger

Switch to kavachOS

no agent identity in firebase
you cannot self-host firebase
firebase pricing punishes phone auth at scale

07/FAQ

Questions people actually ask before they switch.

Short answers. Link to the docs if the long version matters.

Can I import my existing Firebase Auth users?

Yes. KavachOS accepts the JSON export that Firebase CLI produces. Users who signed in with email and password do not need to reset their passwords — the hash migration handles it automatically.

Does KavachOS support anonymous sign-in like Firebase?

KavachOS supports guest sessions, which serve the same purpose. Guest sessions can be upgraded to a full account when the user adds an email or social login, matching Firebase's anonymous-to-permanent upgrade flow.

Firebase Auth is free for most users. Why pay for KavachOS?

The free tier math changes once you add phone auth at volume, need multi-tenancy, want SAML, or build AI agent workflows. Firebase also locks you into Google Cloud — you cannot move your auth data to another provider or self-host. KavachOS gives you a clear exit path and agent-native features Firebase cannot provide.

Does KavachOS run on Google Cloud?

KavachOS Cloud runs on Cloudflare Workers and Cloudflare D1. The self-hosted version runs anywhere that supports Node.js, Deno, Bun, or Cloudflare Workers. It does not depend on Google infrastructure.

What about Firebase Realtime Database or Firestore — do those still work?

KavachOS only replaces Firebase Auth. Your Firestore or Realtime Database can stay in place. You will need to verify KavachOS JWTs in your Firestore security rules instead of Firebase ID tokens, but the data layer is untouched.

What is agent identity and why does Firebase not have it?

Agent identity gives AI agents their own cryptographic identity — separate from the human who authorized them. Firebase was designed for human sign-in flows and has no primitive for autonomous agents, delegation chains, or MCP OAuth 2.1. Those capabilities simply do not exist in the Firebase product.

Try the Firebase Auth → kavachOS migration on a branch first.

Switch story · Firebase Auth → kavachOS

The library is MIT so there's no vendor meeting involved. Install it, run the migration on a scratch branch, keep the diff small, decide on evidence.

Join early access Read the migration guide Read the source Back to all comparisons