Feature matrix
| Capability | KavachOS | Casdoor |
|---|---|---|
| Language | TypeScript library | Go service |
| First-party TypeScript SDK | Yes | No (third-party only) |
| Deployment model | In-process library | Standalone IAM server |
| MCP OAuth 2.1 server | Built in with agent delegation | Built in |
| Agent identity | First-class AgentIdentity entity with delegation and audit | Not shipped |
| LDAP / CAS / RADIUS | Not shipped | Yes |
| RBAC | Unified RBAC + ABAC + ReBAC | RBAC via Casbin |
| Ephemeral agent sessions | Built in | Not shipped |
| Cost attribution | Built in | Not shipped |
| Trust scoring | 5-level built in | Not shipped |
| Edge runtime | Web Crypto throughout | Go, not applicable |
| Self-hostable | Yes | Yes |
| License | MIT | Apache 2.0 |
Pick KavachOS if
- You’re building a TypeScript or edge-native app and want auth in-process, not as a sidecar.
- You need first-class agent primitives: delegation, ephemeral sessions, trust scoring, and cost attribution.
- Your MCP OAuth story needs to know which agent made which call, not just which client.
Pick Casdoor if
- You want a deployed IAM service that your whole organization can log into, including non-TypeScript services.
- You need LDAP, CAS, or RADIUS compatibility for employee SSO.
- You’re in a Go shop and want to own the full server.
import { createKavach }, KavachOS. If you’re writing docker run casdoor, Casdoor.