Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/kavachOS vs Keycloak

KavachOS vs Keycloak

Keycloak is battle-tested enterprise IAM, but it is a Java monolith that takes real effort to deploy, tune, and maintain. KavachOS covers enterprise SSO and adds agent identity, MCP OAuth 2.1, and an edge-native runtime.

Open source · kavachOS · MIT

01/Why people land on this page

What usually triggers the switch from Keycloak.

We pulled the three reasons teams give us most often when they contact us.

  • Keycloak is heavy to run

    A production Keycloak deployment typically needs 512 MB to 1 GB of RAM at minimum, a Postgres or MySQL database, and regular JVM tuning. KavachOS Cloud is fully managed. Self-hosted KavachOS runs on Cloudflare Workers or a single Node.js process with SQLite.

  • No agent identity or MCP support

    Keycloak's service accounts and client credentials cover M2M patterns from 2015. Its token exchange (RFC 8693) can swap one token for another, but it was designed for service-to-service impersonation and exchange, not for AI agent tokens, delegation chains, or MCP OAuth 2.1. KavachOS ships these as first-class primitives.

  • Open source, but developer experience is a decade behind

    Keycloak's admin UI and configuration model were designed for enterprise IT teams, not developers. Realm exports, protocol mappers, and flow configurations have a steep learning curve. KavachOS ships with a clean dashboard and a TypeScript-first SDK.

02/Where they beat us

Keycloak wins these. We are saying so out loud.

If any of these matter more than the reasons above, stay on Keycloak. The migration will still be here when the trade-off flips.

Keycloak is better at

Keycloak has a longer track record

Keycloak has been in production at more companies for more years. If that history is load-bearing for your buyer, weigh it heavily.

Keycloak is better at

Their docs and community are larger

More Stack Overflow answers, more third-party tutorials, more hiring pool who already know it.

03/Side by side

The facts on one row each.

No checkmark theater. Each row is a value you can verify against the public docs on either side.

Row · kavachOS · Keycloak

  • AI agent identity · kavachOS: Yes · Keycloak: No
    Keycloak service accounts are not agent-identity primitives
  • MCP OAuth 2.1 · kavachOS: Yes · Keycloak: No
    KavachOS is spec-compliant; Keycloak has no MCP support
  • Agent delegation chains · kavachOS: Yes · Keycloak: No
    Keycloak's token exchange (RFC 8693) swaps one token for another but is not an agent delegation chain
  • Agent permission scoping · kavachOS: Yes · Keycloak: No
  • Agent audit log · kavachOS: Yes · Keycloak: No
  • Self-hosting · kavachOS: Yes · Keycloak: Yes
    Keycloak is self-host only; the project offers no SaaS option
  • Open source (MIT) · kavachOS: Yes · Keycloak: No
    Keycloak is open source under Apache 2.0, not MIT
  • Social / OAuth providers (27+) · kavachOS: Yes · Keycloak: Yes
    Keycloak supports social providers via identity brokering
  • Passkeys / WebAuthn · kavachOS: Yes · Keycloak: Yes
    Keycloak added WebAuthn support in v9
  • Magic link · kavachOS: Yes · Keycloak: No
    Keycloak has no native magic link; it requires a custom authenticator SPI
  • Multi-factor authentication · kavachOS: Yes · Keycloak: Yes
  • Enterprise SSO (SAML, OIDC) · kavachOS: Yes · Keycloak: Yes
    Keycloak's strongest area: SAML, OIDC, LDAP, Kerberos
  • SCIM provisioning · kavachOS: Yes · Keycloak: No
    SCIM requires a third-party Keycloak extension
  • Organizations / multi-tenancy · kavachOS: Yes · Keycloak: Yes
    Keycloak traditionally uses a realm per tenant, which is complex to manage at scale; Keycloak 26 added an in-realm Organizations feature
  • Machine-to-machine tokens · kavachOS: Yes · Keycloak: Yes
    Keycloak service accounts support the client credentials grant
  • Custom domains · kavachOS: Yes · Keycloak: Yes
    Keycloak supports custom domains via reverse proxy and its hostname configuration
  • Custom email templates · kavachOS: Yes · Keycloak: Yes
  • Brute force protection · kavachOS: Yes · Keycloak: Yes
  • Breach password detection · kavachOS: Yes · Keycloak: No
  • Free tier · kavachOS: Yes · Keycloak: Yes
    Keycloak is free to self-host; there is no managed cloud tier
  • Cloudflare Workers runtime · kavachOS: Yes · Keycloak: No
    Keycloak requires a JVM and is not edge-compatible

04/Pricing

Run the number you actually care about.

Everyone argues about pricing in the abstract. Pick the MAU count that matches next quarter and compare the two columns. Ignore the rest.

Keycloak

Keycloak itself is free to download and run. You pay for the infrastructure it runs on — typically a VM or container cluster with a Postgres database. Red Hat offers a supported enterprise distribution (RHBK) under a subscription. There is no hosted SaaS option from the Keycloak project.

  • Community (self-host)

    Unlimited MAU

    You manage infrastructure, upgrades, and security patches

    $0

  • Red Hat Build of Keycloak

    Unlimited MAU

    Enterprise support, CVE patching SLA — pricing via Red Hat sales

    Red Hat subscription

kavachOS

KavachOS Cloud uses flat monthly tiers with no infrastructure to manage. Self-hosting is also free under the MIT license.

  • Free

    1,000 MAU

    Full feature access, no credit card

    $0

  • Starter

    10,000 MAU

    Agent identity included

    $29/mo

  • Growth

    50,000 MAU

    SSO, SCIM, priority support

    $79/mo

  • Scale

    200,000 MAU

    SLA, dedicated support

    $199/mo

  • Enterprise

    Unlimited MAU

    On-prem, custom contracts

    Custom

05/Migration

Most of the port is an import path change and a middleware swap.

Before · Keycloak

ts
// Your existing Keycloak integration
// See the full comparison on the rewritten
// pages for a code-level diff.

After · kavachOS

ts
import { kavachos } from "kavachos";

export const auth = kavachos({
  adapter: /* your db */,
  providers: [/* same set you already had */],
});

Step 01

Export your Keycloak realm as JSON

Export your Keycloak realm as JSON using the Keycloak server CLI (`kc.sh export --realm myrealm --file myrealm.json`; with `--file`, users and their credentials are written into the same file). KavachOS can import users from this format, mapping Keycloak's user representation to KavachOS identities. Treat the export as a secret: it contains client secrets, identity-provider client secrets, and every user's password hash and salt. Check which hash algorithms it contains (Keycloak's defaults are PBKDF2 variants) before assuming password users migrate without a reset, and delete the file once the import is verified.

Step 02

Re-create your SAML and OIDC enterprise connections in the KavachOS dashboard

Re-create your SAML and OIDC enterprise connections in the KavachOS dashboard. KavachOS uses the same redirect URI patterns, so existing IdP configurations need only their endpoint URLs updated. For OIDC connections that is the redirect URI registered at the IdP; for SAML it is the ACS URL and SP entity ID registered at the IdP, plus re-importing the IdP metadata (including its signing certificate) on the new side.

Step 03

Replace Keycloak's OIDC token verification middleware in your services with the KavachOS token verify function

Replace Keycloak's OIDC token verification middleware in your services with the KavachOS token verify function. Both issue standard JWTs, so the verification logic changes are minimal: the checks stay the same (signature against the issuer's JWKS, then `iss`, `aud`, and `exp`), and only the trusted issuer and its key set change. During the cutover window, services that receive tokens minted by both issuers must trust both, with each issuer's keys selected by issuer rather than by `kid` alone; drop the Keycloak entry once it is decommissioned.

Step 04

Migrate client applications by updating the discovery endpoint URL from your Keycloak realm URL to your KavachOS project domain

Migrate client applications by updating the discovery endpoint URL from your Keycloak realm URL to your KavachOS project domain. Most OIDC libraries auto-configure from the discovery document. Keycloak serves its document at `<server>/realms/<realm>/.well-known/openid-configuration` (older WildFly-based deployments have an `/auth` prefix); any client that hard-coded the token or JWKS URLs taken from that document, rather than the discovery URL, needs those values updated as well.

Step 05

Test your SSO flows, social logins, and MFA in staging

Test your SSO flows, social logins, and MFA in staging. Once verified, update your DNS and decommission the Keycloak instance. Social and SSO users have no Keycloak-held credential to reset, so nothing forces a password change. Keycloak-issued sessions and refresh tokens are not honoured by the new issuer, however, so expect each user's next visit to go through one fresh login, usually silent while their upstream IdP session is still active.
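The verification swap from Step 03, worked through as an added example that is not kavachOS or Keycloak code: an issuer-pinned RS256 verifier that, during the cutover window, trusts both the Keycloak realm and the new issuer, each with its own key set, and afterwards drops the Keycloak entry. It uses only Node's built-in crypto. The issuer URLs, key IDs, audience, keys and tokens are all constructed for the example (a real service fetches each issuer's JWKS from its discovery document), and the `sign` helper exists only to mint test tokens.

```typescript
// Added example, not kavachOS or Keycloak code: issuer-pinned RS256 verification
// for the cutover window. Only Node's built-in crypto is used; issuers, keys,
// JWKS and tokens are constructed below for the demonstration.
import * as crypto from "node:crypto";

const b64url = (b: Buffer | string): string =>
  (typeof b === "string" ? Buffer.from(b, "utf8") : b).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

type Jwk = crypto.JsonWebKey & { kid: string };
interface IssuerTrust { jwks: Jwk[]; audience: string }
// Issuer URL -> that issuer's own key set. Keys are resolved per issuer, so a
// kid published by Keycloak can never satisfy a token that claims the new issuer.
type TrustedIssuers = Record<string, IssuerTrust>;

export function verifyAccessToken(
  token: string,
  trusted: TrustedIssuers,
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts as [string, string, string];
  const header = JSON.parse(fromB64url(h).toString("utf8"));
  const payload = JSON.parse(fromB64url(p).toString("utf8"));
  // 1. Pin the algorithm instead of trusting header.alg: rejects "none" and key-confusion attacks.
  if (header.alg !== "RS256") throw new Error(`rejected alg: ${header.alg}`);
  // 2. Decide whether the issuer is trusted before touching any key material.
  const iss: unknown = payload.iss;
  const issuer =
    typeof iss === "string" && Object.prototype.hasOwnProperty.call(trusted, iss)
      ? trusted[iss]
      : undefined;
  if (!issuer) throw new Error(`untrusted issuer: ${String(iss)}`);
  // 3. Look the kid up in that issuer's JWKS only.
  const jwk = issuer.jwks.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error(`unknown kid for ${iss}: ${header.kid}`);
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  // 4. Signature over the exact header.payload bytes (RSASSA-PKCS1-v1_5 with SHA-256 = RS256).
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, fromB64url(s))) {
    throw new Error("bad signature");
  }
  // 5. Audience and expiry, both required.
  const aud: unknown[] = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(issuer.audience)) throw new Error("audience mismatch");
  if (typeof payload.exp !== "number" || payload.exp <= now) throw new Error("token expired");
  return payload;
}

// Constructed stand-in for an issuer: a fresh RSA key, its public JWK, and a
// signing helper that exists only to mint tokens for this example.
function makeIssuer(iss: string, kid: string) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk: Jwk = { ...publicKey.export({ format: "jwk" }), kid };
  const sign = (claims: Record<string, unknown>, alg = "RS256"): string => {
    const head = b64url(JSON.stringify({ alg, typ: "JWT", kid }));
    const body = b64url(JSON.stringify({ iss, ...claims })); // claims.iss may override, for negative tests
    const sig = alg === "none" ? "" : b64url(crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey));
    return `${head}.${body}.${sig}`;
  };
  return { iss, jwk, sign };
}

// Hypothetical issuer URLs; substitute your realm URL and kavachOS project domain.
export const keycloak = makeIssuer("https://keycloak.example.com/realms/myrealm", "kc-2024-a");
export const kavach = makeIssuer("https://auth.example.com", "kv-1");
export const AUDIENCE = "orders-api";

// During cutover both issuers are trusted; after decommissioning Keycloak, delete its entry.
export const trustedDuringCutover: TrustedIssuers = {
  [keycloak.iss]: { jwks: [keycloak.jwk], audience: AUDIENCE },
  [kavach.iss]: { jwks: [kavach.jwk], audience: AUDIENCE },
};
export const trustedAfterCutover: TrustedIssuers = {
  [kavach.iss]: trustedDuringCutover[kavach.iss]!,
};

// Returns "ok" or the rejection reason, so callers can see exactly which check fired.
export function tryVerify(token: string, trusted: TrustedIssuers = trustedDuringCutover): string {
  try {
    verifyAccessToken(token, trusted);
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}
```

The order of the checks is the point. The algorithm is pinned before anything is parsed further, the issuer is resolved before any key is selected, and the `kid` is looked up only in that issuer's key set, so a Keycloak-signed token that claims the kavachOS issuer fails on key lookup rather than reaching signature verification. Removing the Keycloak entry from the trust map is the whole decommissioning step on the service side.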

06/Decide in thirty seconds

Two columns. Honest test.

Stay on Keycloak

  • Keycloak has a longer track record
  • Their docs and community are larger

Switch to kavachOS

  • Keycloak is heavy to run
  • No agent identity or MCP support
  • Open source, but developer experience is a decade behind

07/FAQ

Questions people actually ask before they switch.

Short answers. Link to the docs if the long version matters.

Keycloak is free. Why would I pay for KavachOS Cloud?
Keycloak's software is free, but running it is not. A production deployment needs a JVM, a database, monitoring, regular upgrades, and someone who knows Keycloak's configuration model. KavachOS Cloud eliminates that operational overhead. If you prefer self-hosting, the MIT license makes KavachOS free too — and it runs without a JVM.
Does KavachOS support SAML and LDAP like Keycloak?
KavachOS supports SAML and OIDC-based enterprise SSO on the Growth plan and above. LDAP directory sync is on the roadmap. If you need LDAP today, Keycloak remains the stronger choice for that specific use case.
How does multi-tenancy compare?
Keycloak's traditional answer is a realm per tenant, which works but becomes difficult to manage once you have dozens of tenants: each realm has its own configuration, upgrade path, and resource footprint. Keycloak 26 added an in-realm Organizations feature that addresses part of this. KavachOS has a native organizations primitive that handles multi-tenancy within a single deployment.
Keycloak has been around since 2013. How mature is KavachOS?
Keycloak's maturity is real — it covers a huge range of enterprise identity scenarios. KavachOS is newer and focused on a narrower, more modern problem set: TypeScript-first apps, edge runtimes, and AI agent auth. If your primary need is enterprise LDAP federation with complex authentication flows, Keycloak is still worth evaluating alongside KavachOS.
Can I run KavachOS on the same infrastructure as Keycloak?
The self-hosted version of KavachOS runs on Node.js, Deno, Bun, or Cloudflare Workers. It does not need a JVM. You can run both side by side during migration, then decommission Keycloak once you've validated everything.
What about Keycloak's custom authentication flows (SPI)?
Keycloak's SPI framework lets you write Java plugins for custom auth logic. KavachOS uses TypeScript middleware and hooks instead. If you have heavily customized Keycloak flows, budget time to rewrite those in TypeScript — the logic is usually straightforward, but it is not a one-click migration.
Try the Keycloak → kavachOS migration on a branch first.
Switch story · Keycloak → kavachOS

The library is MIT so there's no vendor meeting involved. Install it, run the migration on a scratch branch, keep the diff small, decide on evidence.