
Passkey

WebAuthn/FIDO2 biometric and hardware key authentication.

Passkey support is coming soon. This page describes the planned API. Watch the changelog for updates.

Passkeys use the WebAuthn standard (FIDO2) to authenticate users with device biometrics (Touch ID, Face ID, Windows Hello) or hardware security keys (YubiKey). No password is ever created or stored.

Planned API

lib/kavach.ts
import { createKavach } from '@kavachos/core';
import { passkey } from '@kavachos/core/plugins/passkey';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    passkey({
      rpName: 'Example App',       // Shown in the browser prompt
      rpId: 'auth.example.com',    // Must equal the site's domain or a parent domain of it
    }),
  ],
});

Planned endpoints

Endpoint                                  Description
POST /auth/passkey/register/start         Begin credential registration (returns challenge)
POST /auth/passkey/register/complete      Store the new credential
POST /auth/passkey/authenticate/start     Begin authentication (returns challenge)
POST /auth/passkey/authenticate/complete  Verify assertion, set session
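
The checks a `complete` handler has to make on the browser's response before trusting the challenge round trip, as an added example that is not kavachOS code or its planned API. The origin and rpId are taken from the config above; the function names are hypothetical, and comparing the rpIdHash and verifying the signature against the stored public key are separate steps not shown here.

```javascript
// Added example. EXPECTED_ORIGIN and RP_ID mirror the config above; function names are hypothetical.
const EXPECTED_ORIGIN = 'https://auth.example.com';
const RP_ID = 'auth.example.com';

// rpId must equal the origin's host or be a parent domain of it (public-suffix check omitted).
function rpIdCoversOrigin(rpId, origin) {
  const { protocol, hostname } = new URL(origin);
  if (protocol !== 'https:') return false; // assumption: production origin, no localhost exception
  return hostname === rpId || hostname.endsWith('.' + rpId);
}

// clientDataJSON arrives base64url-encoded; ceremony is 'webauthn.create' or 'webauthn.get'.
function verifyClientData(clientDataB64, ceremony, issuedChallengeB64) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64, 'base64url').toString('utf8'));
    if (data === null || typeof data !== 'object') throw new Error('not an object');
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data.type !== ceremony) return { ok: false, reason: 'wrong ceremony type' };
  if (data.challenge !== issuedChallengeB64) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: 'unexpected origin' };
  // Guards against a misconfigured RP_ID that does not cover the expected origin.
  if (!rpIdCoversOrigin(RP_ID, data.origin)) return { ok: false, reason: 'origin outside rpId' };
  if (data.crossOrigin === true) return { ok: false, reason: 'cross-origin request' };
  return { ok: true };
}

// authenticatorData layout: 32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount.
function parseAuthenticatorFlags(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,  // UP bit
    userVerified: (flags & 0x04) !== 0, // UV bit
    signCount: authData.readUInt32BE(33),
  };
}

// Constructed sample, not captured traffic.
function sampleClientData(overrides = {}) {
  const base = { type: 'webauthn.get', challenge: 'c2FtcGxlLWNoYWxsZW5nZQ', origin: EXPECTED_ORIGIN, crossOrigin: false };
  return Buffer.from(JSON.stringify({ ...base, ...overrides })).toString('base64url');
}
```

The challenge passed as `issuedChallengeB64` should be the one the server stored for this session in the `start` step, used once and then discarded.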

What to expect

  • Works alongside email/password and OAuth — a user can have multiple sign-in methods
  • Credentials are stored per-device; users can register multiple passkeys
  • Conditional UI (autofill-driven passkey prompts) will be supported from launch
  • Synced passkeys via iCloud Keychain and Google Password Manager will work automatically

Register interest

If passkey support is blocking your adoption of KavachOS, open an issue on GitHub. Upvotes help prioritize the roadmap.
