> ## Documentation Index > Fetch the complete documentation index at: https://docs.kavachos.com/llms.txt > Use this file to discover all available pages before exploring further. # Authentication > Human sign-in methods and OAuth providers for the humans who own and manage agents.

KavachOS runs the sign-in for the humans who own agents. Each method is a plugin you opt into, use only what your app needs. Every provider is wired the same way in code. If you already run Clerk, Auth.js, or better-auth, keep them and skip the plugins. [Plug into an existing provider.](/migrate)

```ts theme={"system"} import { createKavach } from 'kavachos'; import { emailPassword, oauth } from 'kavachos/auth'; const kavach = await createKavach({ database: { provider: 'postgres', url: process.env.DATABASE_URL! }, secret: process.env.KAVACH_SECRET!, baseUrl: 'https://auth.example.com', plugins: [ emailPassword(), oauth({ providers: [ { id: 'google', clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! }, { id: 'github', clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! }, ], }), ], }); ``` ## Sign-in methods PBKDF2-SHA256 hashing, verification, reset. For apps that prefer handles over email. One-time link in an email, no password. Six-digit code via email. SMS code, any provider. WebAuthn / FIDO2 biometrics and security keys. EIP-4361 wallet-based sign-in. For TVs and CLIs that can't take a password. TOTP with backup codes. Turnstile, hCaptcha, reCAPTCHA. Throwaway sessions, upgrade on sign-up. Google's one-tap sign-in widget. Reverse-proxy mode for trusted ingress. ## OAuth providers Thirty-eight first-class providers, plus a generic factory for anything with a standard authorization code flow. Don't see your provider? The [generic OAuth factory](/auth/oauth) wires any authorization-code provider in about ten lines of config. ## How plugins fit Every plugin registers routes, tables, and session logic at `createKavach()` time. The resulting instance carries `auth.*` methods you call from your handlers. ```ts title="resolving a user from a request" theme={"system"} const user = await kavach.auth.resolveUser(request); if (!user) { return new Response('Unauthorized', { status: 401 }); } // user.id is the stable owner ID for creating agents ``` Once the user is resolved, KavachOS is done with human auth. The rest of the stack (agents, permissions, audit) hangs off `user.id`. ## Enterprise identity Multi-user accounts, roles, invitations. SAML 2.0 and OIDC SSO. Automated provisioning from your IdP. Ban, impersonate with TTL, audit. For machine-to-machine callers. Turn your Kavach into an IdP for other apps.