Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/Integrations

Works with the stack you already have.

One library, every OAuth provider, every framework, every runtime, and every MCP-speaking agent. If we don't support it out of the box, the raw fetch-style adapter gets you there in ten lines.

27+ OAuth providers · 10+ frameworks · 8 databases · 6 runtimes · RFC 9728 compliant MCP

02/OAuth providers

Every provider your users already have.

Every provider ships with PKCE S256, refresh rotation, and scope management. You write the provider ID; kavachOS handles the rest. Generic OIDC covers anything we didn't list.

Google

OIDC, service accounts, OAuth 2.1.

GitHub

OAuth apps and GitHub Apps, with installation tokens.

Microsoft

Entra ID, personal and work accounts, PKCE S256.

Apple

Sign in with Apple, including private relay.

Discord

OAuth 2.0 with scope handling.

GitLab

Self-hosted and gitlab.com.

Bitbucket

Workspaces and repos.

Slack

User tokens and bot tokens.

Linear

OAuth 2.0, workspace access.

Notion

Public integrations with workspace scope.

Figma

Read and write scopes.

Dropbox

OAuth 2.0 with refresh tokens.

Spotify

Scoped access, refresh rotation.

Twitch

OIDC and standard OAuth 2.0.

Reddit

OAuth 2.0 with duration=permanent.

LinkedIn

OIDC login flow.

X (Twitter)

OAuth 2.0 with PKCE.

Facebook

OAuth 2.0 for Meta platforms.

Keycloak

Generic OIDC provider, self-hosted.

Okta

OIDC + SAML at launch.

Auth0

OIDC for migration paths.

WorkOS

SSO bridge, SCIM sync.

Zitadel

Self-hosted OIDC identity.

Clerk

Bridge for teams migrating off Clerk.

Supabase

Postgres-backed OAuth providers.

Firebase

Firebase Auth users and claims.

Any OIDC provider

Generic RFC 9207 adapter.

03/Framework adapters

Drop into the framework you picked.

Type-safe adapters for the big frameworks. The raw Request adapter works anywhere Web Fetch works, so nothing is locked out.

Next.js

App Router and Pages Router. Edge-safe session and agent context.

Hono

Middleware and context helpers. Works on Workers, Deno, Bun, Node.

Express

Classic Express middleware with typed request shape.

Fastify

Fastify plugin with decorator types.

Nuxt

Server middleware and composables.

SvelteKit

Hooks and server routes.

Astro

Middleware for server-rendered routes.

Elysia (Beta)

Plugin with type-safe context.

Remix (Beta)

Loader and action helpers.

Raw Request

Drop into any fetch-style handler. No framework needed.

04/Runtimes

Edge-first. Node when you need it.

The core uses Web Crypto and standard Request / Response objects. No Node-only APIs. That is why the library runs on Cloudflare Workers, Deno Deploy, Bun, Node, and AWS Lambda without code changes.

Cloudflare Workers

Primary runtime. Edge-native. Zero cold start.

Deno Deploy

Works out of the box. Uses Web Crypto.

Bun

Native Bun APIs supported.

Node.js 20+

Standard Node with fetch. No native extensions.

Vercel Edge

Deploys as Edge Functions or Node functions.

AWS Lambda

Custom runtime or Lambda@Edge.

05/Databases

Bring your database. We'll write the migrations.

The library ships reference adapters for the most common options. Typed queries via Drizzle or Kysely are first-class. Migrations are checked into source and versioned.

Cloudflare D1

Zero-config default. Works on any Worker.

Postgres

Any Postgres, including Neon, Supabase, AWS RDS.

SQLite

Local dev and self-host, via better-sqlite3 or bun:sqlite.

MySQL

Planet-scale MySQL and standard MySQL 8+.

Turso

libSQL edge replicas, read replica support.

Prisma

Use Prisma Client with any supported DB.

Drizzle

First-class Drizzle types and migrations.

Kysely

Typed queries across any supported DB.

06/MCP clients

If it speaks MCP, it already speaks kavachOS.

We implement RFCs 9728, 8707, 8414, and 7591. That means the authorization server, the resource server metadata, the dynamic client registration, and the token exchange all behave exactly the way MCP expects.

Claude (Anthropic)

Claude Desktop, Claude.ai app, and any Claude-powered agent.

OpenAI Agents SDK

Pass scoped tokens to tools in the Agents runtime.

LangChain / LangGraph

Authenticate tool calls from LangChain agents.

LlamaIndex

Tool-using agents with scoped access.

Any MCP client

RFC 9728 + 8707 + 8414 + 7591 compliant, so anything that speaks MCP works.

07/Identity and token types

Humans, agents, services, and keys. Each gets its own lifecycle.

Not every token should live for an hour. Not every token should be stored as a cookie. Token classes in kavachOS carry their own TTL, binding rules, and rotation policy.

Human session tokens

Cookie-based, rotating refresh, device binding.

Agent delegation tokens

Scoped, time-bound, signed by parent identity.

Service tokens

For cron jobs, queue consumers, and anything non-interactive.

Passkeys

WebAuthn flow, resident credentials, attestation optional.

Magic links

Signed, one-shot, short-lived.

API keys with scopes

For developers, with fine-grained scope and rate-limit metadata.

Missing a provider, framework, or runtime you need? Email founder@kavachos.com with what you're wiring. If it's common, it'll ship in the next release.
Open line

Ship agent auth against your real stack.

Open source library today. Managed cloud in early access. Pick a path.