KavachOS vs Firebase Auth — Agent-first auth without the Google lock-in

Name: kavachOS
Author: kavachOS

On this page

Why switch

No agent identity in Firebase

Firebase Auth has no concept of AI agent tokens, delegation chains, or MCP OAuth 2.1. KavachOS ships these as first-class primitives so agents get their own identity, scoped permissions, and a full audit trail.

You cannot self-host Firebase

Firebase is Google Cloud-only. There is no way to run it on your own infrastructure. KavachOS is MIT-licensed and runs on Node.js, Deno, Bun, and Cloudflare Workers — your data stays where you put it.

Firebase pricing punishes phone auth at scale

Most Firebase auth is free, but SMS verification costs $0.0055 per SMS after 50,000/month, and the broader Blaze pay-as-you-go model makes budgeting unpredictable. KavachOS uses flat monthly tiers.

Try it now

npm install kavachos

Get started

Why switch

No agent identity in Firebase

You cannot self-host Firebase

Firebase pricing punishes phone auth at scale

Most Firebase auth is free, but SMS verification costs $0.0055 per SMS after 50,000/month, and the broader Blaze pay-as-you-go model makes budgeting unpredictable. KavachOS uses flat monthly tiers.

Feature comparison

14 features Firebase Auth doesn't have

Feature	KavachOS	Firebase Auth
AI agent identity Firebase has no agent token primitive
MCP OAuth 2.1 KavachOS is spec-compliant; Firebase has no MCP support
Agent delegation chains
Agent permission scoping
Agent audit log
Self-hosting Firebase is Google Cloud-only
Open source (MIT) Firebase is proprietary
Social / OAuth providers (27+)
Passkeys / WebAuthn Firebase has no native passkey support
Magic link Firebase calls it email link sign-in
Multi-factor authentication Firebase MFA is SMS-only
Enterprise SSO (SAML, OIDC) Firebase has no SAML support
SCIM provisioning
Organizations / multi-tenancy Firebase multi-tenancy requires Identity Platform upgrade
Machine-to-machine tokens
Custom domains Firebase hosted auth uses firebaseapp.com domain
Custom email templates
Brute force protection
Breach password detection
Free tier Firebase free tier is generous but tightly coupled to Google Cloud
Cloudflare Workers runtime

Pricing

Save up to 10x at scale

Firebase Auth

Firebase Auth is free for most sign-in methods on the Spark (free) plan. Phone authentication costs $0.0055 per SMS after 50,000 verifications per month. Moving to Blaze (pay-as-you-go) unlocks multi-tenancy and Identity Platform features but introduces unpredictable billing across the entire Firebase suite.

Spark (free)(Unlimited MAU)

Blaze (pay-as-you-go)(Unlimited MAU)

Usage-based

Identity Platform (upgrade)(After 49,999 MAU)

$0.0055/MAU

KavachOS

KavachOS Cloud uses flat monthly tiers with no surprise overages for SMS, organizations, or enterprise SSO.

Free(1,000 MAU)

Starter(10,000 MAU)

$29/mo

Growth(50,000 MAU)

$79/mo

Scale(200,000 MAU)

$199/mo

Enterprise(Unlimited MAU)

Custom

Migration

Switch in an afternoon

Export your Firebase users using the Firebase CLI (`firebase auth:export users.json`). KavachOS accepts this format with a one-time import command that preserves existing password hashes.

Replace the Firebase Auth SDK calls with the `kavachos` npm package. The token verification pattern is similar — swap `admin.auth().verifyIdToken()` for the KavachOS token verify function.

Update your environment variables — remove `FIREBASE_PROJECT_ID` and friends and add the KavachOS API URL and project key from the dashboard.

Re-create your social provider configurations (Google, GitHub, etc.) in the KavachOS dashboard. Redirect URIs follow the same OAuth 2.0 conventions you already have.

Test your auth flows end-to-end, then cut over DNS or swap the SDK config — no forced user password resets required.

FAQ

Common questions

Can I import my existing Firebase Auth users?+

Yes. KavachOS accepts the JSON export that Firebase CLI produces. Users who signed in with email and password do not need to reset their passwords — the hash migration handles it automatically.

Does KavachOS support anonymous sign-in like Firebase?+

KavachOS supports guest sessions, which serve the same purpose. Guest sessions can be upgraded to a full account when the user adds an email or social login, matching Firebase's anonymous-to-permanent upgrade flow.

Firebase Auth is free for most users. Why pay for KavachOS?+

The free tier math changes once you add phone auth at volume, need multi-tenancy, want SAML, or build AI agent workflows. Firebase also locks you into Google Cloud — you cannot move your auth data to another provider or self-host. KavachOS gives you a clear exit path and agent-native features Firebase cannot provide.

Does KavachOS run on Google Cloud?+

KavachOS Cloud runs on Cloudflare Workers and Cloudflare D1. The self-hosted version runs anywhere that supports Node.js, Deno, Bun, or Cloudflare Workers. It does not depend on Google infrastructure.

What about Firebase Realtime Database or Firestore — do those still work?+

KavachOS only replaces Firebase Auth. Your Firestore or Realtime Database can stay in place. You will need to verify KavachOS JWTs in your Firestore security rules instead of Firebase ID tokens, but the data layer is untouched.

What is agent identity and why does Firebase not have it?+

Agent identity gives AI agents their own cryptographic identity — separate from the human who authorized them. Firebase was designed for human sign-in flows and has no primitive for autonomous agents, delegation chains, or MCP OAuth 2.1. Those capabilities simply do not exist in the Firebase product.

Ready to try KavachOS?

MIT licensed. Self-hostable. Runs anywhere Node runs.

Get started Star on GitHub