KavachOS runs the sign-in for the humans who own agents. Each method is a plugin you opt into, so use only what your app needs. Every provider is wired the same way in code.

If you already run Clerk, Auth.js, or better-auth, keep them, skip the plugins, and plug into an existing provider.

import { createKavach } from 'kavachos';
import { emailPassword, oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    emailPassword(),
    oauth({
      providers: [
        { id: 'google', clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! },
        { id: 'github', clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! },
      ],
    }),
  ],
});

Sign-in methods

Email and password

PBKDF2-SHA256 hashing, verification, reset.

Username and password

For apps that prefer handles over email.

Magic link

One-time link in an email, no password.

Email OTP

Six-digit code via email.

Phone OTP

SMS code, any provider.

Passkey

WebAuthn / FIDO2 biometrics and security keys.

Sign-in with Ethereum

EIP-4361 wallet-based sign-in.

Device code

For TVs and CLIs that can’t take a password.

Two-factor

TOTP with backup codes.

Captcha

Turnstile, hCaptcha, reCAPTCHA.

Anonymous

Throwaway sessions, upgrade on sign-up.

Google One Tap

Google’s one-tap sign-in widget.

OAuth proxy

Reverse-proxy mode for trusted ingress.

OAuth providers

Thirty-eight first-class providers, plus a generic factory for anything with a standard authorization code flow.
Don’t see your provider? The generic OAuth factory wires any authorization-code provider in about ten lines of config.

How plugins fit

Every plugin registers routes, tables, and session logic at createKavach() time. The resulting instance carries auth.* methods you call from your handlers.

Resolving a user from a request:

const user = await kavach.auth.resolveUser(request);

if (!user) {
  return new Response('Unauthorized', { status: 401 });
}

// user.id is the stable owner ID for creating agents

Once the user is resolved, KavachOS is done with human auth. The rest of the stack (agents, permissions, audit) hangs off user.id.

Enterprise identity

Organizations

Multi-user accounts, roles, invitations.

SSO / SAML

SAML 2.0 and OIDC SSO.

SCIM

Automated provisioning from your IdP.

Admin plugin

Ban, impersonate with TTL, audit.

API keys

For machine-to-machine callers.

OIDC provider

Turn your Kavach into an IdP for other apps.
Last modified on April 20, 2026