Skip to main content
KavachOS supports multiple authentication methods for the humans who own and manage agents. Each method is a plugin you opt into, use only what your app needs.
If you already have Clerk, Auth.js, or better-auth managing sign-in, skip plugins entirely and use an auth adapter instead.

Auth methods

Email and password

Register, sign in, password reset, and email verification with argon2id hashing.

Magic link

Passwordless sign-in: send a one-time link to the user’s email.

Email OTP

Six-digit one-time codes delivered via email.

Passkey

WebAuthn/FIDO2 biometric and hardware key sign-in.

Two-factor auth

TOTP authenticator app support with backup codes.

OAuth providers

Google

Sign in with Google accounts via OAuth 2.0.

GitHub

Sign in with GitHub using user:email scope.

Apple

Sign in with Apple ID.

Discord

Sign in with Discord accounts.

Slack

Sign in with Slack workspace accounts.

Microsoft

Sign in with Microsoft / Azure AD accounts.

GitLab

Sign in with GitLab accounts (cloud or self-hosted).

LinkedIn

Sign in with LinkedIn professional accounts.

How plugins work

Pass plugins to createKavach(). Each plugin registers its own routes, database tables, and session logic:
lib/kavach.ts
import { createKavach } from 'kavachos';
import { emailPassword } from 'kavachos/auth';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    emailPassword(),
    oauth({
      providers: [
        { id: 'google', clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! },
        { id: 'github', clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! },
      ],
    }),
  ],
});
Once a user signs in, resolve their identity from any request: 
const user = await kavach.auth.resolveUser(request);

if (!user) {
  return new Response('Unauthorized', { status: 401 });
}

// user.id is the stable owner ID for creating agents