NewkavachOS v0.1.0 -- edge runtime, D1 provider, Web CryptoSee releases →
kavachOS

KavachOS vs Supabase Auth

KavachOS vs Supabase Auth

Supabase Auth is a solid open-source choice for human logins, especially if you are already on Supabase. KavachOS goes further — agent identity, MCP OAuth 2.1, and no PostgreSQL dependency.

11

unique features

10

shared

MIT

open source

Get started GitHub

Why switch

Supabase Auth is tightly coupled to PostgreSQL

GoTrue, the engine behind Supabase Auth, stores everything in Postgres. If your stack uses SQLite, D1, MySQL, or another database, you are pulling in a heavy dependency just for auth. KavachOS supports SQLite, Postgres, MySQL, and Cloudflare D1 natively.

No agent identity or MCP OAuth

Supabase Auth has no concept of AI agent tokens, delegation chains, or MCP OAuth 2.1. KavachOS ships these as first-class primitives — not a roadmap item, not a workaround using service role keys.

Open source, but on different terms

Supabase Auth is Apache 2.0. KavachOS is MIT. Both are self-hostable. The difference is that KavachOS runs on Cloudflare Workers and edge runtimes out of the box — no Docker, no VM, no Postgres server required to get started.

Feature comparison

11 features Supabase Auth doesn't have

FeatureKavachOSSupabase Auth
AI agent identity

Supabase Auth has no agent token primitive

MCP OAuth 2.1

KavachOS is spec-compliant; Supabase has no MCP support

Agent delegation chains
Agent permission scoping
Agent audit log
Self-hosting

Supabase is self-hostable via Docker

Open source (MIT)

Supabase Auth is Apache 2.0, not MIT

Social / OAuth providers (27+)
Passkeys / WebAuthn
Magic link
Multi-factor authentication

Supabase MFA supports TOTP; SMS MFA is in preview

Enterprise SSO (SAML, OIDC)

Supabase SAML SSO requires Pro plan or above

SCIM provisioning

Supabase does not offer SCIM

Organizations / multi-tenancy

Supabase has no native multi-tenant auth primitive

Machine-to-machine tokens

Supabase service role keys are a workaround, not a first-class M2M primitive

Custom domains

Supabase custom domains require Pro plan

Custom email templates
Brute force protection
Breach password detection
Free tier

Supabase free tier includes 50,000 MAU

Cloudflare Workers runtime

GoTrue requires a persistent server

Pricing

Save up to 10x at scale

Supabase Auth

Supabase uses project-based pricing, not strict MAU tiers. The free tier is generous at 50,000 MAU. Beyond that, Pro at $25/month covers 100,000 MAU. SAML SSO requires Pro or above. The Team plan at $599/month adds priority support and higher limits.

Free(50,000 MAU)
$0
Pro(100,000 MAU)
$25/mo
Team(100,000 MAU)
$599/mo
Enterprise(Custom MAU)
Custom

KavachOS

KavachOS Cloud uses flat monthly tiers with no surprise overages for SSO, organizations, or enterprise features.

Free(1,000 MAU)
$0
Starter(10,000 MAU)
$29/mo
Growth(50,000 MAU)
$79/mo
Scale(200,000 MAU)
$199/mo
Enterprise(Unlimited MAU)
Custom

Migration

Switch in an afternoon

1

Export your users from Supabase using the admin API (`supabase.auth.admin.listUsers()`). KavachOS accepts this format through the import CLI command — bcrypt password hashes migrate without user resets.

2

Replace Supabase Auth client calls with the `kavachos` SDK. Session management and token verification follow standard OAuth 2.0 conventions, so the surface area to change is small.

3

Update environment variables — swap `SUPABASE_URL` and `SUPABASE_ANON_KEY` for the KavachOS project URL and publishable key from the dashboard.

4

Re-configure your social providers in the KavachOS dashboard. OAuth redirect URIs work the same way, so your existing provider app registrations stay valid.

5

If you were using Supabase Row Level Security with `auth.uid()`, update your policies to use the KavachOS JWT claim equivalent and test your data access rules before cutting over.

FAQ

Common questions

Can I keep using Supabase (database, storage, realtime) and just switch the auth?+
Yes. KavachOS replaces only the auth layer. Your Supabase Postgres database, storage buckets, and realtime subscriptions continue working. You will need to update Row Level Security policies that reference `auth.uid()` to use KavachOS JWT claims instead.
Supabase Auth is open source. Is KavachOS also open source?+
Yes, KavachOS core is MIT-licensed. Supabase Auth (GoTrue) is Apache 2.0. Both are self-hostable. The key difference is runtime — KavachOS runs natively on Cloudflare Workers and edge environments without needing a persistent server or Docker.
Supabase has a very generous free tier (50,000 MAU). How does KavachOS compare?+
Supabase's free MAU allowance is higher, but it comes with project limits (2 active projects) and gates features like SAML SSO behind paid plans. KavachOS free tier starts at 1,000 MAU with full feature access. The right tier depends on your project count, SSO needs, and whether you need agent identity.
Does KavachOS work with PostgreSQL like Supabase Auth does?+
Yes. KavachOS supports Postgres, SQLite, MySQL, and Cloudflare D1. It is not coupled to a single database engine the way GoTrue is built around Postgres.
What is the difference between Supabase service role keys and KavachOS agent identity?+
A Supabase service role key bypasses Row Level Security and has full database access — it is a master key, not a scoped identity. KavachOS agent identity gives each AI agent its own token with specific permissions, an audit trail, and revocation without affecting other agents or the user who delegated to them.
Is MCP OAuth 2.1 on Supabase's roadmap?+
Not as of early 2026. Supabase Auth focuses on human authentication patterns. MCP OAuth 2.1 (for AI agent authorization) is a KavachOS-native feature with no equivalent in the Supabase Auth product.

Ready to try KavachOS?

MIT licensed. Self-hostable. Runs anywhere Node runs.

Get started Star on GitHub