Cloud launching May 2026. The library is MIT and shipping today.

00/kavachOS vs Supabase Auth

KavachOS vs Supabase Auth

Supabase Auth is a solid open-source choice for human logins, especially if you are already on Supabase. KavachOS goes further — agent identity, MCP OAuth 2.1, and no PostgreSQL dependency.

BaaS auth · kavachOS · MIT

01/Why people land on this page

What usually triggers the switch from Supabase Auth.

We pulled the three reasons teams give us most often when they contact us.

  • Supabase Auth is tightly coupled to PostgreSQL

    GoTrue, the engine behind Supabase Auth, stores everything in Postgres. If your stack uses SQLite, D1, MySQL, or another database, you are pulling in a heavy dependency just for auth. KavachOS supports SQLite, Postgres, MySQL, and Cloudflare D1 natively.

  • No agent identity or MCP OAuth

    Supabase Auth has no concept of AI agent tokens, delegation chains, or MCP OAuth 2.1. KavachOS ships these as first-class primitives — not a roadmap item, not a workaround using service role keys.

  • Open source, but on different terms

    Supabase Auth is Apache 2.0. KavachOS is MIT. Both are self-hostable. The difference is that KavachOS runs on Cloudflare Workers and edge runtimes out of the box — no Docker, no VM, no Postgres server required to get started.

02/Where they beat us

Supabase Auth wins these. We are saying so out loud.

If any of these matter more than the reasons above, stay on Supabase Auth. The migration will still be here when the trade-off flips.

Supabase Auth is better at

Supabase Auth has a longer track record

Supabase Auth has been in production at more companies for more years. If that history is load-bearing for your buyer, weigh it heavily.

Supabase Auth is better at

Their docs and community are larger

More Stack Overflow answers, more third-party tutorials, more hiring pool who already know it.

03/Side by side

The facts on one row each.

No checkmark theater. Each row is a value you can verify against the public docs on either side.

| Feature | kavachOS | Supabase Auth | Note |
| --- | --- | --- | --- |
| AI agent identity | Yes | No | Supabase Auth has no agent token primitive |
| MCP OAuth 2.1 | Yes | No | KavachOS is spec-compliant; Supabase has no MCP support |
| Agent delegation chains | Yes | No | |
| Agent permission scoping | Yes | No | |
| Agent audit log | Yes | No | |
| Self-hosting | Yes | Yes | Supabase is self-hostable via Docker |
| Open source (MIT) | Yes | No | Supabase Auth is Apache 2.0, not MIT |
| Social / OAuth providers (27+) | Yes | Yes | |
| Passkeys / WebAuthn | Yes | Yes | |
| Magic link | Yes | Yes | |
| Multi-factor authentication | Yes | Yes | Supabase MFA supports TOTP; SMS MFA is in preview |
| Enterprise SSO (SAML, OIDC) | Yes | Yes | Supabase SAML SSO requires Pro plan or above |
| SCIM provisioning | Yes | No | Supabase does not offer SCIM |
| Organizations / multi-tenancy | Yes | No | Supabase has no native multi-tenant auth primitive |
| Machine-to-machine tokens | Yes | No | Supabase service role keys are a workaround, not a first-class M2M primitive |
| Custom domains | Yes | Yes | Supabase custom domains require Pro plan |
| Custom email templates | Yes | Yes | |
| Brute force protection | Yes | Yes | |
| Breach password detection | Yes | No | |
| Free tier | Yes | Yes | Supabase free tier includes 50,000 MAU |
| Cloudflare Workers runtime | Yes | No | GoTrue requires a persistent server |

04/Pricing

Run the number you actually care about.

Everyone argues about pricing in the abstract. Pick the MAU count that matches next quarter and compare the two columns. Ignore the rest.

Supabase Auth

Supabase uses project-based pricing, not strict MAU tiers. The free tier is generous at 50,000 MAU. Beyond that, Pro at $25/month covers 100,000 MAU. SAML SSO requires Pro or above. The Team plan at $599/month adds priority support and higher limits.

| Plan | Included MAU | Details | Price |
| --- | --- | --- | --- |
| Free | 50,000 MAU | 2 projects, 500 MB database, community support | $0 |
| Pro | 100,000 MAU | $0.00325/MAU after 100K. SAML SSO: $0.015/MAU | $25/mo |
| Team | 100,000 MAU | SOC2, priority support, HIPAA add-on available | $599/mo |
| Enterprise | Custom MAU | Dedicated infrastructure, custom contracts | Custom |

kavachOS

KavachOS Cloud uses flat monthly tiers with no surprise overages for SSO, organizations, or enterprise features.

| Plan | Included MAU | Details | Price |
| --- | --- | --- | --- |
| Free | 1,000 MAU | Full feature access, no credit card | $0 |
| Starter | 10,000 MAU | Agent identity included | $29/mo |
| Growth | 50,000 MAU | SSO, SCIM, priority support | $79/mo |
| Scale | 200,000 MAU | SLA, dedicated support | $199/mo |
| Enterprise | Unlimited MAU | On-prem, custom contracts | Custom |

05/Migration

Most of the port is an import path change and a middleware swap.

Before · Supabase Auth

```ts
// Your existing Supabase Auth integration
// See the full comparison on the rewritten
// pages for a code-level diff.
```

After · kavachOS

```ts
import { kavachos } from "kavachos";

export const auth = kavachos({
  adapter: /* your db */,
  providers: [/* same set you already had */],
});
```

Step 01

Export your users from Supabase using the admin API (`supabase.auth.admin.listUsers()`). KavachOS accepts this format through the import CLI command; bcrypt password hashes migrate without user resets.

Step 02

Replace Supabase Auth client calls with the `kavachos` SDK. Session management and token verification follow standard OAuth 2.0 conventions, so the surface area to change is small.

Step 03

Update environment variables: swap `SUPABASE_URL` and `SUPABASE_ANON_KEY` for the KavachOS project URL and publishable key from the dashboard.

Step 04

Re-configure your social providers in the KavachOS dashboard. OAuth redirect URIs work the same way, so your existing provider app registrations stay valid.

Step 05

If you were using Supabase Row Level Security with `auth.uid()`, update your policies to use the KavachOS JWT claim equivalent and test your data access rules before cutting over.
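
Step 05 as an added example (not KavachOS or Supabase project code): an ownership policy rewritten from `auth.uid()` to a JWT claim, followed by an impersonation check to run before cutover. The `public.documents` table, the sample UUIDs, and the assumptions that the KavachOS token carries the migrated user's id in `sub` and that the database is configured to trust that token are all hypothetical.

```sql
-- Run on a scratch Supabase Postgres database; nothing here persists.
begin;

-- Hypothetical table standing in for your own RLS-protected data.
create table public.documents (
  id       bigint generated always as identity primary key,
  owner_id uuid not null,
  body     text not null
);
alter table public.documents enable row level security;
grant select on public.documents to authenticated;

-- Before: policy written against Supabase Auth.
create policy documents_owner_read on public.documents
  for select to authenticated
  using (auth.uid() = owner_id);

-- After: read the claim from the request JWT directly.
-- Assumption: "sub" holds the migrated user's id. Comparing as text avoids
-- a uuid cast error if an issuer ever sends a non-UUID subject, and a
-- missing claim evaluates to NULL, which denies the row.
drop policy documents_owner_read on public.documents;
create policy documents_owner_read on public.documents
  for select to authenticated
  using ((auth.jwt() ->> 'sub') = owner_id::text);

-- Constructed sample rows for two users (inserted as the table owner).
insert into public.documents (owner_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'first user doc'),
  ('22222222-2222-2222-2222-222222222222', 'second user doc');

-- Pre-cutover check: drop privileges and impersonate each case.
set local role authenticated;

-- Case 1: token for the first user.
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true);
select owner_id, body from public.documents;

-- Case 2: token with no "sub" claim at all.
select set_config('request.jwt.claims', '{"role":"authenticated"}', true);
select count(*) as visible_rows from public.documents;

rollback;
```

A policy that is scoped correctly shows only the first user's row in case 1 and no rows in case 2; any other result means the claim mapping needs fixing before traffic is switched.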

06/Decide in thirty seconds

Two columns. Honest test.

Stay on Supabase Auth

  • Supabase Auth has a longer track record
  • Their docs and community are larger

Switch to kavachOS

  • Supabase Auth is tightly coupled to PostgreSQL
  • No agent identity or MCP OAuth
  • Open source, but on different terms

07/FAQ

Questions people actually ask before they switch.

Short answers. Link to the docs if the long version matters.

Can I keep using Supabase (database, storage, realtime) and just switch the auth?
Yes. KavachOS replaces only the auth layer. Your Supabase Postgres database, storage buckets, and realtime subscriptions continue working. You will need to update Row Level Security policies that reference `auth.uid()` to use KavachOS JWT claims instead.

Supabase Auth is open source. Is KavachOS also open source?
Yes, KavachOS core is MIT-licensed. Supabase Auth (GoTrue) is Apache 2.0. Both are self-hostable. The key difference is runtime: KavachOS runs natively on Cloudflare Workers and edge environments without needing a persistent server or Docker.

Supabase has a very generous free tier (50,000 MAU). How does KavachOS compare?
Supabase's free MAU allowance is higher, but it comes with project limits (2 active projects) and gates features like SAML SSO behind paid plans. KavachOS free tier starts at 1,000 MAU with full feature access. The right tier depends on your project count, SSO needs, and whether you need agent identity.

Does KavachOS work with PostgreSQL like Supabase Auth does?
Yes. KavachOS supports Postgres, SQLite, MySQL, and Cloudflare D1. It is not coupled to a single database engine the way GoTrue is built around Postgres.

What is the difference between Supabase service role keys and KavachOS agent identity?
A Supabase service role key bypasses Row Level Security and has full database access. It is a master key, not a scoped identity. KavachOS agent identity gives each AI agent its own token with specific permissions, an audit trail, and revocation without affecting other agents or the user who delegated to them.

Is MCP OAuth 2.1 on Supabase's roadmap?
Not as of early 2026. Supabase Auth focuses on human authentication patterns. MCP OAuth 2.1 (for AI agent authorization) is a KavachOS-native feature with no equivalent in the Supabase Auth product.

Try the Supabase Auth → kavachOS migration on a branch first.

The library is MIT so there's no vendor meeting involved. Install it, run the migration on a scratch branch, keep the diff small, decide on evidence.