Name: KavachOS
Author: KavachOS

Get credentials

Create an application

Go to the Auth0 dashboard and create a Regular Web Application.

Set the Allowed Callback URL to:

https://your-app.com/api/kavach/auth/oauth/callback/auth0

Copy your credentials

From the application settings, copy the Domain, Client ID, and Client Secret.

Your domain looks like your-tenant.auth0.com.

Configuration

lib/kavach.ts

import { createKavach } from 'kavachos';
import { oauth, auth0Provider } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://your-app.com',
  plugins: [
    oauth({
      providers: [
        auth0Provider(
          process.env.AUTH0_DOMAIN!,       // your-tenant.auth0.com
          process.env.AUTH0_CLIENT_ID!,
          process.env.AUTH0_CLIENT_SECRET!,
        ),
      ],
    }),
  ],
});

AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=...
AUTH0_CLIENT_SECRET=...

Scopes

Default scopes: openid, profile, email

Scope	What it unlocks
`openid`	OIDC authentication, issues ID token
`profile`	Name, picture, and profile metadata
`email`	Email address and verification status
`offline_access`	Refresh token support

Auth0 supports custom scopes and roles via the Management API. Standard OIDC scopes work out of the box.

Endpoints

Method	Path	Description
GET	`/auth/oauth/authorize/auth0`	Redirect to Auth0
GET	`/auth/oauth/callback/auth0`	Handle callback

Auth0