# Hono

> Mount KavachOS auth routes on a Hono app with `kavachHono(kavach)`. Web-standard Request/Response, runs on Workers, Bun, Deno, and Node.

`kavachHono(kavach, options?)` returns a `Hono` app instance with all KavachOS routes pre-mounted. Use `app.route` to attach it to your main app.

## Install

```bash theme={"system"}
pnpm add kavachos @kavachos/hono hono @hono/node-server
```

## Setup

<Steps>
  <Step title="Create the kavach instance">
    Create this once and reuse it across your app (e.g. `lib/kavach.ts`):

    ```typescript theme={"system"}
    // lib/kavach.ts
    import { createKavach, createMcpModule } from 'kavachos';

    export const kavach = createKavach({
      database: { provider: 'sqlite', url: 'kavach.db' },
      baseUrl: process.env.AUTH_BASE_URL!,
      mcp: {
        issuer: process.env.AUTH_BASE_URL!,
        audience: process.env.MCP_BASE_URL!,
      },
    });

    export const mcp = createMcpModule(kavach);
    ```
  </Step>

  <Step title="Mount the adapter">
    ```typescript theme={"system"}
    // src/index.ts
    import { serve } from '@hono/node-server';
    import { Hono } from 'hono';
    import { kavachHono } from '@kavachos/hono';
    import { kavach, mcp } from './lib/kavach.js';

    const app = new Hono();

    // Mount all KavachOS routes (agents, permissions, audit, MCP OAuth)
    app.route('/api/kavach', kavachHono(kavach, { mcp }));

    serve({ fetch: app.fetch, port: 3000 });
    ```
  </Step>
</Steps>

## MCP endpoints

Pass `mcp` to enable the full MCP OAuth 2.1 authorization server. All MCP endpoints are mounted under the same `/api/kavach` prefix alongside the REST API:

```typescript theme={"system"}
app.route('/api/kavach', kavachHono(kavach, { mcp }));
// registers:
// GET  /api/kavach/.well-known/oauth-authorization-server
// GET  /api/kavach/.well-known/oauth-protected-resource
// POST /api/kavach/mcp/register
// GET  /api/kavach/mcp/authorize
// POST /api/kavach/mcp/token
```

<Info>
  MCP routes include CORS headers (`Access-Control-Allow-Origin: *`) and respond to OPTIONS preflight requests automatically.
</Info>
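
A deployment check for the endpoints above, added here as an example (not KavachOS code): it compares the two `.well-known` documents against the `issuer`, `audience` and mount prefix you configured. Field names come from RFC 8414 and RFC 9728; `checkMcpMetadata`, `mountBase` and the sample documents are hypothetical, and the expected endpoint URLs assume the metadata advertises the routes at the mounted prefix, which this page does not state.

```typescript
// Added example, not KavachOS code. Field names follow RFC 8414 and RFC 9728.
type Json = Record<string, unknown>;

interface Expected {
  issuer: string;    // value passed as mcp.issuer
  audience: string;  // value passed as mcp.audience
  mountBase: string; // public origin + app.route prefix (assumed layout)
}

// Routes the page lists under the prefix, keyed by RFC 8414 field name.
const ENDPOINT_PATHS: Record<string, string> = {
  authorization_endpoint: '/mcp/authorize',
  token_endpoint: '/mcp/token',
  registration_endpoint: '/mcp/register',
};

function checkMcpMetadata(asMeta: Json, prMeta: Json, exp: Expected): string[] {
  const findings: string[] = [];
  const base = exp.mountBase.replace(/\/+$/, '');
  // RFC 8414: the advertised issuer must be identical to the issuer identifier.
  if (asMeta.issuer !== exp.issuer) findings.push('issuer mismatch: ' + String(asMeta.issuer));

  for (const field of Object.keys(ENDPOINT_PATHS)) {
    const value = asMeta[field];
    const want = base + ENDPOINT_PATHS[field];
    if (typeof value !== 'string') { findings.push(field + ' missing'); continue; }
    if (value.indexOf('https://') !== 0) findings.push(field + ' is not https');
    if (value !== want) findings.push(field + ' is not the mounted route ' + want);
  }

  // RFC 9728: the resource document names this resource and its authorization server.
  if (prMeta.resource !== exp.audience) findings.push('resource mismatch: ' + String(prMeta.resource));
  const servers = Array.isArray(prMeta.authorization_servers) ? prMeta.authorization_servers : [];
  if (servers.indexOf(exp.issuer) === -1) findings.push('authorization_servers omits the issuer');
  return findings;
}

// Constructed sample: trailing slash on the issuer, an http token URL, no registration URL.
const sampleExpected: Expected = {
  issuer: 'https://auth.example.test', audience: 'https://mcp.example.test',
  mountBase: 'https://auth.example.test/api/kavach',
};
const sampleAs: Json = {
  issuer: 'https://auth.example.test/',
  authorization_endpoint: 'https://auth.example.test/api/kavach/mcp/authorize',
  token_endpoint: 'http://auth.example.test/api/kavach/mcp/token',
};
const samplePr: Json = { resource: 'https://mcp.example.test', authorization_servers: ['https://auth.example.test'] };
console.log(checkMcpMetadata(sampleAs, samplePr, sampleExpected));
```

Feed it the parsed JSON from the two `.well-known` routes in a deployment smoke test; an empty array means the advertised values match the configuration.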

## Endpoint reference

| Method   | Path                    | Description               |
| -------- | ----------------------- | ------------------------- |
| `POST`   | `/agents`               | Create an agent           |
| `GET`    | `/agents`               | List agents               |
| `GET`    | `/agents/:id`           | Get an agent              |
| `PATCH`  | `/agents/:id`           | Update an agent           |
| `DELETE` | `/agents/:id`           | Revoke an agent           |
| `POST`   | `/agents/:id/rotate`    | Rotate token              |
| `POST`   | `/authorize`            | Authorize by agent ID     |
| `POST`   | `/authorize/token`      | Authorize by bearer token |
| `POST`   | `/delegations`          | Create delegation         |
| `GET`    | `/delegations/:agentId` | List delegation chains    |
| `DELETE` | `/delegations/:id`      | Revoke delegation         |
| `GET`    | `/audit`                | Query audit logs          |
| `GET`    | `/audit/export`         | Export audit logs         |

## Full example

```typescript theme={"system"}
import { serve } from '@hono/node-server';
import { Hono } from 'hono';
import { createKavach, createMcpModule } from 'kavachos';
import { kavachHono } from '@kavachos/hono';

const kavach = createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  baseUrl: 'https://auth.yourapp.com',
  mcp: {
    issuer: 'https://auth.yourapp.com',
    audience: 'https://mcp.yourapp.com',
  },
});

const mcp = createMcpModule(kavach);

const app = new Hono();

app.route('/api/kavach', kavachHono(kavach, { mcp }));

app.get('/health', (c) => c.json({ ok: true }));

serve({ fetch: app.fetch, port: 3000 });
```
