Everything you need to know about KavachOS. Can't find what you're looking for? Ask on GitHub Discussions.
General
What is KavachOS?
KavachOS is an open source TypeScript auth library that handles both human authentication and AI agent identity. It provides scoped permissions, delegation chains, audit trails, and MCP OAuth 2.1 in one package.
How is KavachOS different from Auth0 or Clerk?
Auth0 and Clerk handle human sign-in. KavachOS does that too, but also gives AI agents their own identity with cryptographic tokens, wildcard permissions, delegation depth limits, and per-action audit logs. No other auth library ships agent identity as a built-in feature.
Is KavachOS free?
The open source library is MIT licensed and free forever. KavachOS Cloud (managed hosting) has a free tier for up to 1,000 MAU. Paid plans start at $29/month.
What databases does KavachOS support?
SQLite, PostgreSQL, and Cloudflare D1 are supported today. MySQL and MongoDB adapters are on the roadmap for v0.2.0.
Agent identity
What is agent identity?
Agent identity means giving each AI agent its own cryptographic bearer token, a set of scoped permissions, and an audit trail. Instead of sharing API keys between agents, each agent has its own identity that can be independently created, rotated, and revoked.
How do delegation chains work?
An agent can create sub-agents and grant them a subset of its own permissions. If the parent agent is revoked, all sub-agents lose access too. You can set depth limits to prevent chains from going too deep. This mirrors how humans delegate authority in organizations.
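The delegation rules described above (sub-agents receive only a subset of the parent's permissions, revoking a parent cuts off its sub-agents, and chains have a depth limit) can be modeled in a few lines. This is an added sketch, not KavachOS code or its API: the function names, the in-memory registry, the `resource:action` scope syntax with `*` wildcards, and the depth limit of 2 are all assumptions made for illustration.

```typescript
// Added illustration, not KavachOS code. Assumed scopes: "resource:action"; "*" and "resource:*" are wildcards.
type AgentRecord = { id: string; parent: string | null; scopes: string[]; depth: number; revoked: boolean };
const MAX_DEPTH = 2; // assumed limit; a root agent has depth 0
const agents: Record<string, AgentRecord | undefined> = Object.create(null);

// True when a granted scope covers a requested scope or action.
function covers(granted: string, requested: string): boolean {
  if (granted === "*" || granted === requested) return true;
  const prefix = granted.slice(0, -1); // "files:*" -> "files:"
  return granted.slice(-2) === ":*" && requested.slice(0, prefix.length) === prefix;
}

// Any revoked ancestor deactivates an agent, so revoking a parent cuts off every descendant.
function isActive(id: string): boolean {
  let cur: AgentRecord | undefined = agents[id];
  while (cur) {
    if (cur.revoked) return false;
    cur = cur.parent === null ? undefined : agents[cur.parent];
  }
  return agents[id] !== undefined;
}

// Without parentId this creates a root agent; with it, a sub-agent limited to the parent's scopes.
function createAgent(id: string, scopes: string[], parentId: string | null = null): AgentRecord {
  if (agents[id]) throw new Error("agent already exists: " + id);
  let depth = 0;
  if (parentId !== null) {
    const parent = agents[parentId];
    if (!parent || !isActive(parentId)) throw new Error("parent unknown or revoked: " + parentId);
    if (parent.depth >= MAX_DEPTH) throw new Error("delegation depth limit exceeded");
    const excess = scopes.filter((s) => !parent.scopes.some((g) => covers(g, s)));
    if (excess.length > 0) throw new Error("scopes exceed parent grant: " + excess.join(", "));
    depth = parent.depth + 1;
  }
  const agent: AgentRecord = { id, parent: parentId, scopes, depth, revoked: false };
  agents[id] = agent;
  return agent;
}

function revoke(id: string): void {
  const agent = agents[id];
  if (agent) agent.revoked = true;
}

// Checked on every request: the agent must exist, be active, and hold a covering scope.
function isAllowed(id: string, action: string): boolean {
  const agent = agents[id];
  return !!agent && isActive(id) && agent.scopes.some((g) => covers(g, action));
}
```

Because `isAllowed` walks the chain at request time instead of copying a revoked flag down to children, a single `revoke` on the parent takes effect for every descendant immediately.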
What is trust scoring?
KavachOS tracks agent behavior and assigns a trust score based on action patterns, error rates, and anomaly detection. Agents that behave consistently score higher. You can use trust scores to gate sensitive operations.
MCP OAuth
What is MCP OAuth 2.1?
The Model Context Protocol (MCP) defines how AI agents interact with tools. KavachOS ships a spec-compliant OAuth 2.1 authorization server for MCP, supporting PKCE S256, dynamic client registration (RFC 7591), resource indicators (RFC 8707), and server metadata (RFC 8414).
Do I need MCP OAuth to use KavachOS?
No. MCP OAuth is a plugin you can enable if your agents use the Model Context Protocol. KavachOS works without it for standard auth and agent identity use cases.
Self-hosting
Can I self-host KavachOS?
Yes. KavachOS is designed to be self-hosted. Install via npm, point it at SQLite or Postgres, and mount it on your framework (Next.js, Hono, Express, etc.). No external services required.
Does KavachOS work on Cloudflare Workers?
Yes. KavachOS has three runtime dependencies (drizzle-orm, jose, zod) and runs on Cloudflare Workers with D1 as the database. No code changes needed.
What frameworks are supported?
There are adapters for Next.js, Hono, Express, Fastify, Nuxt, SvelteKit, Astro, NestJS, SolidStart, and TanStack Start. Client libraries exist for React, Vue, Svelte, Expo (React Native), and Electron.
Migration
How do I migrate from Auth0?
Install kavachos, configure your database, map your Auth0 users to KavachOS users, update your frontend to use @kavachos/react instead of @auth0/auth0-react, and switch your API middleware. The comparison page at /compare/auth0 has a step-by-step guide.
Can I migrate gradually?
Yes. You can run KavachOS alongside your existing auth for new features while keeping the old system for existing users. The adapter pattern makes it easy to mount KavachOS on a sub-path without touching the rest of your API.
Security
Is KavachOS secure?
KavachOS includes rate limiting, HIBP breach checking, CSRF protection, httpOnly cookies, email enumeration prevention, signed reset tokens, and session freshness enforcement. There are 1,945 tests passing. Security vulnerabilities can be reported via SECURITY.md.
Is KavachOS compliant with the EU AI Act?
KavachOS includes compliance report generation for the EU AI Act, NIST AI RMF, SOC 2, and ISO 42001. The audit trail and agent identity features provide the transparency and accountability that these frameworks require.