Name: KavachOS
Author: KavachOS

kavachHono(kavach, options?) returns a Hono app instance with all KavachOS routes pre-mounted. Use app.route to attach it to your main app.

Install

pnpm add kavachos @kavachos/hono hono @hono/node-server

Setup

Create the kavach instance

Create this once and reuse it across your app (e.g. lib/kavach.ts):

// lib/kavach.ts
import { createKavach, createMcpModule } from 'kavachos';

export const kavach = createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  baseUrl: process.env.AUTH_BASE_URL!,
  mcp: {
    issuer: process.env.AUTH_BASE_URL!,
    audience: process.env.MCP_BASE_URL!,
  },
});

export const mcp = createMcpModule(kavach);

Mount the adapter

// src/index.ts
import { serve } from '@hono/node-server';
import { Hono } from 'hono';
import { kavachHono } from '@kavachos/hono';
import { kavach, mcp } from './lib/kavach.js';

const app = new Hono();

// Mount all KavachOS routes (agents, permissions, audit, MCP OAuth)
app.route('/api/kavach', kavachHono(kavach, { mcp }));

serve({ fetch: app.fetch, port: 3000 });

MCP endpoints

Pass mcp to enable the full MCP OAuth 2.1 authorization server. All MCP endpoints are mounted under the same /api/kavach prefix alongside the REST API:

app.route('/api/kavach', kavachHono(kavach, { mcp }));
// registers:
// GET  /api/kavach/.well-known/oauth-authorization-server
// GET  /api/kavach/.well-known/oauth-protected-resource
// POST /api/kavach/mcp/register
// GET  /api/kavach/mcp/authorize
// POST /api/kavach/mcp/token

MCP routes include CORS headers (Access-Control-Allow-Origin: *) and respond to OPTIONS preflight requests automatically.

Endpoint reference

Method	Path	Description
`POST`	`/agents`	Create an agent
`GET`	`/agents`	List agents
`GET`	`/agents/:id`	Get an agent
`PATCH`	`/agents/:id`	Update an agent
`DELETE`	`/agents/:id`	Revoke an agent
`POST`	`/agents/:id/rotate`	Rotate token
`POST`	`/authorize`	Authorize by agent ID
`POST`	`/authorize/token`	Authorize by bearer token
`POST`	`/delegations`	Create delegation
`GET`	`/delegations/:agentId`	List delegation chains
`DELETE`	`/delegations/:id`	Revoke delegation
`GET`	`/audit`	Query audit logs
`GET`	`/audit/export`	Export audit logs

Full example

import { serve } from '@hono/node-server';
import { Hono } from 'hono';
import { createKavach, createMcpModule } from 'kavachos';
import { kavachHono } from '@kavachos/hono';

const kavach = createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  baseUrl: 'https://auth.yourapp.com',
  mcp: {
    issuer: 'https://auth.yourapp.com',
    audience: 'https://mcp.yourapp.com',
  },
});

const mcp = createMcpModule(kavach);

const app = new Hono();

app.route('/api/kavach', kavachHono(kavach, { mcp }));

app.get('/health', (c) => c.json({ ok: true }));

serve({ fetch: app.fetch, port: 3000 });

Hono