Cloud launching May 2026. The library is MIT and shipping today.
kavachOS

00/Use case · SaaS platforms

Multi-tenant auth for SaaS that doesn't punish growth.

Most auth vendors charge per organization, gate SAML behind the enterprise plan, and bill SCIM as an add-on. KavachOS includes organizations, roles, SSO, and SCIM on a single flat tier from 10k MAU upward. No surprise renewal line items.

01/TL;DR

Three things that matter.

01

Organizations as a primitive

Every user can belong to many orgs. Every org has its own roles, invitations, SSO config, and audit log. No extra charge per org.

02

SSO and SCIM at $79/mo

SAML, OIDC, and SCIM 2.0 provisioning are on the Growth plan. No enterprise upsell, no per-connection fee, no procurement detour.

03

Audit log your customers can read

Every auth event is tamper-evident and exportable. Your biggest customers can tap into the audit stream via webhook or query API.

02/The problem

The auth upsell curve that kills B2B SaaS margin.

You picked Auth0 or Clerk because they were easy to ship with. Two years later, every enterprise deal your team closes has the same line item: ten thousand dollars a year for an SSO connection, SCIM on the top plan, per-org pricing for each customer. The auth bill quietly becomes one of your top ten line items.

SSO gated behind the enterprise plan

Auth0 charges $800 per month for Professional before SSO. Okta Customer Identity gates SAML behind a sales call. Enterprise-only pricing for a checkbox.

Per-organization billing scales faster than revenue

Charging per org makes sense for the vendor. For the SaaS buying it, every new customer increases the auth bill before any revenue lands.

SCIM provisioning priced separately

Most vendors treat SCIM as a second SKU. Your customer wants directory sync, your vendor wants a separate contract.

Audit log only visible to you

Your customers ask for an audit log. Your vendor gives you one. You rebuild a second one so customers can see their own data. That rebuild is real engineering time.

03/How kavachOS fits

Organizations, roles, SSO, SCIM. One flat plan.

KavachOS treats every B2B primitive as part of the same object graph. Users belong to organizations. Organizations carry roles, SSO config, and audit. Roles carry scopes. Everything uses the same query API.

01

Organizations

Users, orgs, and memberships as first-class entities

One user, many orgs. One org, many members with roles. One role, many scopes. Invitations, leave-org, transfer-owner, and role changes are single API calls that write to the audit log automatically.

Primitive 01

02

SSO

SAML and OIDC included from 10k MAU

Each organization configures its own identity provider. You expose a self-serve SSO setup flow to customers, or configure it yourself for white-glove accounts. No per-connection fee.

Primitive 02

03

SCIM

SCIM 2.0 provisioning as default

Customers on Okta, Azure AD, Google Workspace, or JumpCloud can auto-provision and de-provision users and groups. Maps to organization roles without extra glue code.

Primitive 03

04

RBAC

Role-based access with scope subsets

Define roles once, attach to organizations, evaluate scopes at request time. The same scope model that powers agent tokens also powers human RBAC. One mental model across the product.

Primitive 04

05

Audit

Customer-readable audit log

Every org-scoped event is queryable by the customer. Expose it as a webhook, a signed CSV export, or a GraphQL endpoint. No rebuild, no second source of truth.

Primitive 05

04/In code

The minimum you need to write.

Full examples with framework adapters live in the docs. This is the shape of what you wire into your app.

org-middleware.ts

Enforce organization-scoped RBAC on a Hono route. The middleware reads the session, resolves the current org, and checks the required scope before the handler runs.

```typescript
import { Hono } from "hono";
import { kavachosOrg } from "kavachos/org";
// listInvoices is your own data-access function, not part of the SDK;
// the "./invoices" path is a placeholder for wherever it lives in your app.
import { listInvoices } from "./invoices";

const app = new Hono();

// Every route under /orgs/:orgId/* requires the caller to hold a membership
// in that org whose role carries the billing:read scope.
app.use("/orgs/:orgId/*", kavachosOrg({
  requiredScope: "billing:read"
}));

app.get("/orgs/:orgId/invoices", async (c) => {
  const { user, org, role, scopes } = c.get("kavachos");
  // role is resolved from membership, scopes inherited from role.
  // Use org.id from the middleware context rather than re-reading the path parameter.
  return c.json(await listInvoices(org.id));
});

export default app;
```
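The following is an added example, not code from kavachOS or its docs: an in-memory model of the graph that primitives 01 and 04 describe (a user holds memberships in organizations, each membership carries a role, each role carries scopes) and the request-time scope check the middleware above performs. Every role name, membership, function name and the `narrowScopes` subset rule is constructed for the example; the SDK's real API is only what the snippet above shows.

```typescript
// Added example (not kavachOS's own code): users -> memberships -> roles -> scopes,
// with an org-scoped, request-time authorization check. All names are hypothetical.

type Scope = string;                                   // e.g. "billing:read"
type Role = { name: string; scopes: Set<Scope> };
type Membership = { userId: string; orgId: string; role: string };

// Roles are defined once and attached to organizations. Both sample orgs
// below share this role set; an org could just as well carry its own.
export const ROLES: Record<string, Role> = {
  owner:  { name: "owner",  scopes: new Set<Scope>(["billing:read", "billing:write", "members:write"]) },
  member: { name: "member", scopes: new Set<Scope>(["billing:read"]) },
  viewer: { name: "viewer", scopes: new Set<Scope>() },
};

// Constructed sample memberships: alice owns acme but is only a viewer in
// globex; bob is a member of globex and has no membership in acme.
const MEMBERSHIPS: Membership[] = [
  { userId: "alice", orgId: "acme",   role: "owner" },
  { userId: "alice", orgId: "globex", role: "viewer" },
  { userId: "bob",   orgId: "globex", role: "member" },
];

// Mirrors the { user, org, role, scopes } context the middleware exposes,
// plus a reason string for the audit log.
export type Decision = { allowed: boolean; reason: string; role?: string; scopes?: Scope[] };

// The (user, org) pair is the unit of lookup. A user with no membership in
// the org named by the URL is a stranger to it, whatever they hold elsewhere.
export function resolveMembership(userId: string, orgId: string): Membership | undefined {
  return MEMBERSHIPS.find((m) => m.userId === userId && m.orgId === orgId);
}

// Request-time check: membership first, then role, then scope. Nothing is
// derived from the user alone, so a role in one org grants nothing in another.
export function authorize(userId: string, orgId: string, required: Scope): Decision {
  const membership = resolveMembership(userId, orgId);
  if (!membership) return { allowed: false, reason: "not a member of org" };
  const role = ROLES[membership.role];
  if (!role) return { allowed: false, reason: "membership references unknown role" };
  const scopes = Array.from(role.scopes);
  if (!role.scopes.has(required)) {
    return { allowed: false, reason: `role ${role.name} lacks ${required}`, role: role.name, scopes };
  }
  return { allowed: true, reason: "ok", role: role.name, scopes };
}

// Scope subsets: a delegated token (an agent token, in the page's terms) may
// request a subset of what the role grants, and anything outside that set is
// silently dropped rather than granted. The subset rule itself is an assumption.
export function narrowScopes(granted: Set<Scope>, requested: Scope[]): Set<Scope> {
  return new Set<Scope>(requested.filter((s) => granted.has(s)));
}
```

The property a reviewer would check is that `authorize` never consults the user alone: alice is an owner in acme and still gets nothing in globex beyond her viewer role there, and a user with no membership is refused before any role is even looked up. `narrowScopes` is the subset rule in miniature: a delegated token can drop scopes from what the role grants, never add one.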

  • $79/mo: Growth plan with SSO + SCIM
  • Unlimited: orgs per account
  • SAML + OIDC: SSO protocols included
  • SCIM 2.0: provisioning out of the box

05/Before / after

The difference shows up in the audit log.

Without scoped identity

  • SSO gated behind the enterprise plan
  • per-organization billing scales faster than revenue
  • SCIM provisioning priced separately

With kavachOS

  • users, orgs, and memberships as first-class entities
  • SAML and OIDC included from 10k MAU
  • SCIM 2.0 provisioning as default

Our Auth0 renewal quote was forty thousand dollars a year, mostly SSO and per-org fees. We moved to KavachOS on the Growth plan for under a thousand. The migration took one engineer a week. That number still embarrasses me.

Head of engineering · B2B analytics SaaS, Series B

06/FAQ

What teams building for SaaS platforms usually ask.

Short answers. Link out to the docs if you want the long version.

Is SAML SSO really included without an enterprise upsell?

Yes. SAML 2.0 and OIDC-based SSO are both on the Growth plan at $79 per month. There is no per-connection fee, and the Enterprise tier does not unlock additional connections. Enterprise adds on-prem deployment, custom contracts, and a named account manager, not SSO.

How does per-organization pricing work?

It does not. KavachOS prices on MAU only. An MAU is one unique human who logs in during that month. An organization with one hundred members adds only the members who actually log in that month, not one hundred extra billing units. Orgs are free.

Can we white-label the auth UI for our customers?

Yes. You can use the KavachOS hosted UI with your own domain and brand colors, or ship your own UI against the SDK and headless API. Most B2B SaaS teams run a hybrid: hosted UI for edge cases like password reset, custom UI for the main sign-in.

How do we migrate from Auth0 or Clerk without breaking customers?

We support dual-run migrations: you point new logins at KavachOS while existing sessions continue on the old vendor until they expire naturally. User import accepts Auth0 and Clerk export formats with bcrypt password hashes intact, so no one is forced to reset.

Can customers configure their own SSO, or do we have to do it?

Both are supported. You can enable self-serve SSO config, where the customer's admin sets up SAML against their IdP, or you can configure connections yourself via the management API or dashboard for white-glove onboarding.

What about the audit log compliance story?

The audit log is tamper-evident: entries are hash-chained, so editing or removing an earlier entry breaks the chain. It covers every auth event, every org membership change, every SSO login, and every SCIM operation. SOC 2 CC6.1 and ISO 27001 A.9.4 evidence is generated automatically. A PDF export is available from the dashboard.
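As an added example (not kavachOS code; the field names, event types, canonical form and genesis value are all assumptions), here is what a hash-chained, org-scoped audit log and its verifier look like, so you can see what tamper evidence does and does not give a customer who exports their own log:

```typescript
import { createHash } from "node:crypto";

// Added example (not kavachOS's own code): a minimal hash-chained audit log
// with one chain per organization, plus an offline verifier for an export.

export type AuditEvent = {
  seq: number;                    // position in the org's chain, from 0
  orgId: string;
  type: string;                   // e.g. "member.role_changed", "sso.login"
  actor: string;
  at: string;                     // ISO-8601 timestamp
  data: Record<string, string>;
  prevHash: string;               // hash of the previous entry, or GENESIS
  hash: string;                   // SHA-256 over the canonical form below
};

// Assumed genesis value for the first entry of every chain.
export const GENESIS = "0".repeat(64);

// Canonical serialisation with a fixed field order and sorted data keys, so
// the same entry always hashes to the same value on any verifier.
function canonical(e: Omit<AuditEvent, "hash">): string {
  const data = Object.keys(e.data).sort().map((k) => [k, e.data[k]]);
  return JSON.stringify([e.seq, e.orgId, e.type, e.actor, e.at, data, e.prevHash]);
}

export function entryHash(e: Omit<AuditEvent, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

export class AuditLog {
  private chains = new Map<string, AuditEvent[]>();   // orgId -> chain

  append(orgId: string, type: string, actor: string, at: string,
         data: Record<string, string> = {}): AuditEvent {
    const chain = this.chains.get(orgId) ?? [];
    const last = chain[chain.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const body = { seq: chain.length, orgId, type, actor, at, data, prevHash };
    const entry: AuditEvent = { ...body, hash: entryHash(body) };
    chain.push(entry);
    this.chains.set(orgId, chain);
    return entry;
  }

  // What one customer receives: their own org's chain only, as copies.
  exportFor(orgId: string): AuditEvent[] {
    return (this.chains.get(orgId) ?? []).map((e) => ({ ...e, data: { ...e.data } }));
  }
}

// Verify an exported chain: sequence numbers must be contiguous, every
// prevHash must equal the preceding entry's hash, and every hash must
// recompute. Returns the index of the first bad entry, or -1 if intact.
export function verifyChain(entries: AuditEvent[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < entries.length; i++) {
    const e = entries[i];
    const { hash, ...body } = e;
    if (e.seq !== i || e.prevHash !== expectedPrev || entryHash(body) !== hash) return i;
    expectedPrev = hash;
  }
  return -1;
}

// Constructed sample events for two orgs.
export function sampleLog(): AuditLog {
  const log = new AuditLog();
  log.append("acme", "member.invited", "alice", "2025-01-10T09:00:00Z", { invitee: "carol" });
  log.append("acme", "sso.login", "carol", "2025-01-10T09:05:00Z", { idp: "okta" });
  log.append("acme", "member.role_changed", "alice", "2025-01-11T14:30:00Z", { member: "carol", role: "owner" });
  log.append("globex", "scim.user_provisioned", "scim", "2025-01-11T15:00:00Z", { user: "dave" });
  return log;
}
```

Verification needs nothing but the exported entries, so a customer can check a CSV or API export offline. The chain shows that nothing in the copy they hold was altered or removed after it was written; it does not by itself prove that the log was complete at write time, which is why a verifier also wants the latest hash delivered out of band (a general practice for hash-chained logs, not a claim about the product).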

Stop paying an enterprise tax for a checkbox.

KavachOS includes orgs, SSO, SCIM, and customer-visible audit on the Growth plan. Move your existing users without password resets.