New: kavachOS v0.1.0 -- edge runtime, D1 provider, Web Crypto
kavachOS

Use cases

Built for how AI systems work

Whether you're building autonomous agent pipelines, operating an MCP tool server, or navigating compliance requirements, kavachOS handles the auth layer so you don't have to.

Agentic apps

Agents making API calls without identity or audit trail

Most agent frameworks bolt on a shared API key and call it auth. When something goes wrong -- or goes off the rails -- there's no record of who did what. kavachOS gives each agent its own cryptographic identity from the start.

  • Each agent gets its own token, scoped to its exact permissions
  • Delegation chains let root agents spawn sub-agents safely
  • Every action logged -- who did what, when, and whether it was allowed
  • Budget caps and rate limits enforced inline, no extra middleware

Before kavachOS

All agents share one API key
No audit trail -- 'an agent did it'
Leaked key = all agents compromised
No way to revoke one agent

With kavachOS

Each agent has its own scoped token
Full audit log per agent, per call
Leaked token revoked in milliseconds
Delegation chains with automatic cascades

The problem

MCP clients expect servers to implement OAuth 2.1 with PKCE S256 for proper authorization. Building that from scratch -- RFC-correct, edge-ready, production-hardened -- takes weeks.

The solution

  • RFC 9728: Protected resource metadata
  • RFC 8414: Authorization server metadata
  • RFC 7591: Dynamic client registration
  • PKCE S256: Code challenge method

MCP servers

MCP servers need OAuth 2.1. Building it yourself is painful.

kavachOS ships a complete OAuth 2.1 authorization server with PKCE S256, designed to run at the edge. Drop it in front of your MCP server and get RFC-compliant auth in under an hour.

  • Full OAuth 2.1 authorization server with PKCE S256
  • RFC 9728 protected resource metadata and RFC 8414 server metadata
  • Dynamic client registration via RFC 7591
  • Works at the edge -- Cloudflare Workers, Deno, and Node

Enterprise compliance

Regulators want agent audit trails. Most teams don't have them.

EU AI Act Article 13 requires logging of autonomous system decisions. SOC 2 auditors want evidence of least-privilege access controls. kavachOS generates both automatically, as a side effect of normal operation.

  • Audit logs satisfy EU AI Act Article 13 transparency requirements
  • Tamper-evident records suitable for SOC 2 Type II
  • Per-agent access controls map directly to least-privilege requirements
  • Compliance reports generated automatically from audit data

  • EU AI Act, Article 13: Transparency and information to users -- Covered
  • SOC 2 Type II, CC6.1: Logical access controls and least privilege -- Covered
  • ISO 27001, A.9.4: System and application access control -- Covered

Ready to add agent auth?

TypeScript-first, MIT licensed. Free up to 1,000 MAU. No credit card required to start.