Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kavachos.com/llms.txt

Use this file to discover all available pages before exploring further.

Get credentials

1

Register an application

Go to the Azure Portal and navigate to Microsoft Entra ID > App registrations > New registration.
  • Name: your app name
  • Supported account types: choose based on your needs (see below)
  • Redirect URI: Web, https://auth.example.com/auth/oauth/microsoft/callback
2

Create a client secret

Navigate to Certificates and secrets > New client secret. Set an expiry and copy the secret value immediately.
3

Copy the Application ID

From the app overview, copy the Application (client) ID and the Directory (tenant) ID.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'microsoft', 
          clientId: process.env.MICROSOFT_CLIENT_ID!, 
          clientSecret: process.env.MICROSOFT_CLIENT_SECRET!, 
          // tenant: 'common' is the default. Accepts personal and work accounts.
        },
      ],
    }),
  ],
});

MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
MICROSOFT_CLIENT_SECRET=...
MICROSOFT_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  # only for single-tenant

Account types and tenant

The tenant option maps to the Microsoft authority URL:
ValueWho can sign in
common (default)Personal Microsoft accounts and work/school accounts
organizationsWork and school accounts only
consumersPersonal Microsoft accounts only
Your tenant IDOnly users in your Azure AD directory

Scopes

Default scopes: openid email profile User.Read
ScopeWhat it unlocks
openid email profileStandard OIDC identity
User.ReadRead the signed-in user’s profile from MS Graph
Calendars.ReadRead calendar events
Mail.ReadRead email

User data returned

FieldSourceNotes
idoid claimStable object ID within the tenant
emailemail or preferred_usernameWork email or Microsoft account email
namename claimDisplay name
imageMS Graph /me/photoFetched separately; may be absent
Personal Microsoft account profile photos require an additional Graph API call with User.Read scope. Work account photos may be restricted by IT policy.
Last modified on April 29, 2026