Skip to main content

How adapters work

The kavachos package has zero framework dependencies. It operates entirely on the Web platform Request/Response API. Adapter packages wrap the core and expose framework-idiomatic handlers for authentication, authorization, and MCP OAuth routes. Because the core uses only Web platform APIs, KavachOS runs on edge runtimes without modification: Next.js Edge Runtime, Cloudflare Workers, Deno Deploy, Vercel Edge Functions, and Bun. The Hono and SvelteKit adapters are fully edge-compatible out of the box. The Next.js adapter works on edge when you use export const runtime = 'edge' in your route file. Each adapter follows the same pattern: accept a kavach instance, optionally accept a config object, and return something your framework knows how to mount. 
import { createKavach, createMcpModule } from 'kavachos';

const kavach = createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  baseUrl: 'https://auth.yourapp.com',
});

const mcp = createMcpModule(kavach); // optional — enables MCP OAuth endpoints
Pass mcp to the adapter to enable all MCP OAuth 2.1 endpoints under the same mount path.

Available adapters

PackageFrameworkMount pattern
@kavachos/honoHonoapp.route('/api/kavach', kavachHono(kavach))
@kavachos/expressExpressapp.use('/api/kavach', kavachExpress(kavach))
@kavachos/nextjsNext.js App Routercatch-all route app/api/kavach/[...kavach]/route.ts
@kavachos/fastifyFastifyapp.register(kavachFastify(kavach), { prefix: '/api/kavach' })
@kavachos/nuxtNuxt (H3)catch-all file server/api/kavach/[...].ts
@kavachos/sveltekitSvelteKitcatch-all route src/routes/api/kavach/[...path]/+server.ts
@kavachos/astroAstrocatch-all page src/pages/api/kavach/[...path].ts

Endpoints registered

All adapters register the same set of REST routes under basePath (default /api/kavach):
PathMethodsDescription
/agentsGET, POSTList and create agents
/agents/:idGET, PATCH, DELETEGet, update, revoke an agent
/agents/:id/rotatePOSTRotate an agent’s token
/authorizePOSTAuthorize an action by agent ID
/authorize/tokenPOSTAuthorize an action by bearer token
/delegationsPOSTCreate a delegation chain
/delegations/:idGET, DELETEList or revoke a delegation
/auditGETQuery audit logs
/audit/exportGETExport audit logs as JSON or CSV
When mcp is passed, additional endpoints are registered:
PathMethodsDescription
/.well-known/oauth-authorization-serverGETOAuth 2.1 server metadata (RFC 8414)
/.well-known/oauth-protected-resourceGETProtected resource metadata (RFC 9728)
/mcp/registerPOSTDynamic client registration (RFC 7591)
/mcp/authorizeGETAuthorization endpoint (PKCE + S256)
/mcp/tokenPOSTToken endpoint

Using without an adapter

If your framework is not listed, use the core handler directly. It works with any server that handles standard Request objects. 
import { createKavach, createMcpModule } from 'kavachos';

const kavach = createKavach({ /* ... */ });
const mcp = createMcpModule(kavach);

async function handler(request: Request): Promise<Response> {
  // Let KavachOS handle its own routes
  const kavachResponse = await mcp.handleRequest(request);
  if (kavachResponse) return kavachResponse;

  // Validate auth for your protected routes
  const authResult = await mcp.validateRequest(request);
  if (!authResult.valid) {
    return mcp.buildUnauthorizedResponse(request);
  }

  return new Response(JSON.stringify({ tools: [] }), {
    headers: { 'Content-Type': 'application/json' },
  });
}
handleRequest returns null when the request URL does not match any KavachOS route, so your own handlers run normally for all other paths.

Choose your framework

Hono

Lightweight, fast, runs everywhere.

Express

The most widely used Node.js framework.

Next.js

App Router with catch-all route handler.

Fastify

High-performance with plugin architecture.

Nuxt

Vue-based with H3 server routes.

SvelteKit

Svelte with +server.ts handlers.

Astro

Content-focused with API routes.