# KavachOS

> Auth OS for AI agents. TypeScript SDK for agent identity, permissions, delegation, audit, and MCP OAuth 2.1.

## Docs

- [A2A protocol](https://docs.kavachos.com/a2a.md): Authenticate Google A2A protocol traffic between agents with KavachOS bearer tokens, scoped permissions, and a shared audit trail.
- [Astro](https://docs.kavachos.com/adapters/astro.md): Mount KavachOS auth routes in an Astro app with `kavachAstro(kavach)`. Returns named handlers for a catch-all API page, with full MCP OAuth 2.1 support.
- [Express](https://docs.kavachos.com/adapters/express.md): Mount KavachOS auth routes on Express with `kavachExpress(kavach)`. Returns a Router with agent identity, delegation, audit, and MCP OAuth 2.1 endpoints pre-mounted.
- [Fastify](https://docs.kavachos.com/adapters/fastify.md): Register KavachOS auth routes on Fastify with `kavachFastify(kavach)`. Returns an async plugin for agent identity, delegation, audit, and MCP OAuth 2.1 endpoints.
- [Hono](https://docs.kavachos.com/adapters/hono.md): Mount KavachOS auth routes on a Hono app with `kavachHono(kavach)`. Web-standard Request/Response, runs on Workers, Bun, Deno, and Node.
- [Overview](https://docs.kavachos.com/adapters/index.md): Drop KavachOS into Hono, Express, Next.js, Fastify, Nuxt, SvelteKit, Astro, NestJS, SolidStart, or TanStack with one adapter import.
- [NestJS](https://docs.kavachos.com/adapters/nestjs.md): Wire KavachOS into NestJS with `KavachModule.forRoot(options)`. Mounts agent identity, delegation, audit, and MCP OAuth routes as Express middleware in AppModule.
- [Next.js](https://docs.kavachos.com/adapters/nextjs.md): Mount KavachOS auth routes in Next.js with `kavachNextjs(kavach)`. Drop into a catch-all App Router file for agent identity, delegation, and MCP OAuth 2.1 endpoints.
- [Nuxt](https://docs.kavachos.com/adapters/nuxt.md): Mount KavachOS auth routes in Nuxt with `kavachNuxt(kavach)`. Returns an H3 EventHandler for a catch-all server route, covering agent identity and OAuth.
- [SolidStart](https://docs.kavachos.com/adapters/solidstart.md): Mount KavachOS auth routes in SolidStart with `kavachSolidStart(kavach)`. Returns named route handlers using Web-standard Request, with no conversion layer needed.
- [SvelteKit](https://docs.kavachos.com/adapters/sveltekit.md): Mount KavachOS auth routes in SvelteKit with `kavachSvelteKit(kavach)`. Returns named server route handlers, fully edge-compatible with no conversion layer.
- [TanStack Start](https://docs.kavachos.com/adapters/tanstack.md): Mount KavachOS auth routes in TanStack Start with `kavachTanStack(kavach)`. Returns named handlers for a splat route using Web-standard Request.
- [Add to an existing app](https://docs.kavachos.com/add-to-existing-app.md): Drop KavachOS into an app that already has human auth. Clerk, Auth.js, better-auth, or your own.
- [Additional fields](https://docs.kavachos.com/additional-fields.md): Extend the user and session schemas with typed custom fields, stored in existing metadata columns.
- [Agent identity](https://docs.kavachos.com/agents.md): Issue, rotate, revoke, and audit AgentIdentity tokens. Scoped permissions, parent/child delegation, and per-agent rate limits in one API.
- [Privilege analyzer](https://docs.kavachos.com/analyzer.md): Scan agent permissions with `kavach.analyzer` to surface over-privileged identities, unused scopes, wildcard risks, and stale agents across your deployment.
- [Anomaly detection](https://docs.kavachos.com/anomaly.md): Identifying unusual agent behavior by scanning audit logs for denial patterns and privilege escalation attempts.
- [REST API](https://docs.kavachos.com/api.md): Full HTTP endpoint reference for KavachOS: agent CRUD, token authorization, delegation chains, audit log queries, and MCP OAuth 2.1 endpoints.
- [Approval flows](https://docs.kavachos.com/approval.md): CIBA-style async human-in-the-loop approval for actions that should not run unattended.
- [Audit trail](https://docs.kavachos.com/audit.md): Immutable logging of every authorization decision, with filtering, export, and compliance references.
- [Admin](https://docs.kavachos.com/auth/admin.md): Manage users with `kavach.admin`: list accounts, apply permanent or time-limited bans, impersonate for support debugging, and delete user data on request.
- [Anonymous auth](https://docs.kavachos.com/auth/anonymous.md): Issue guest sessions with `anonymousAuth`, then upgrade them to real accounts without changing the user ID or losing data accumulated during the anonymous period.
- [API keys](https://docs.kavachos.com/auth/api-keys.md): Create scoped API keys with `kavach.apiKeys.create()`, validate on every request, revoke by ID, and rotate to a new secret without changing the key's permission set.
- [Apple](https://docs.kavachos.com/auth/apple.md): Add Sign in with Apple to your KavachOS application. Covers credentials, client secret generation, iOS apps, and local development.
- [Atlassian](https://docs.kavachos.com/auth/atlassian.md): Authenticate users via Atlassian OAuth 2.0 with `atlassianProvider`. Covers Jira and Confluence accounts, token refresh, and scope configuration for Atlassian APIs.
- [Auth0](https://docs.kavachos.com/auth/auth0.md): Authenticate users via Auth0 OIDC with `auth0Provider`. Pass your tenant domain and client credentials to attach Auth0-issued tokens to a KavachOS session.
- [Bitbucket](https://docs.kavachos.com/auth/bitbucket.md): Authenticate users via Bitbucket OAuth 2.0 with `bitbucketProvider`. Covers workspace OAuth consumer setup, callback URL, and the default account read scope.
- [Captcha](https://docs.kavachos.com/auth/captcha.md): Protect sign-up and sign-in endpoints with Cloudflare Turnstile, hCaptcha, or reCAPTCHA.
- [Coinbase](https://docs.kavachos.com/auth/coinbase.md): Authenticate users via Coinbase OAuth 2.0 with `coinbaseProvider`. Covers app registration, redirect URI setup, and wallet read scopes for account sign-in.
- [Device authorization](https://docs.kavachos.com/auth/device.md): OAuth 2.0 device flow for CLIs, smart TVs, and input-constrained devices. RFC 8628.
- [Discord](https://docs.kavachos.com/auth/discord.md): Authenticate users via Discord OAuth 2.0. Register a redirect URI in the Developer Portal, pass client credentials to the `discord` provider, and request scopes.
- [Dropbox](https://docs.kavachos.com/auth/dropbox.md): Authenticate users via Dropbox OAuth 2.0 with `dropboxProvider`. Covers App Console setup, redirect URI, and scopes for account info and file metadata access.
- [Email OTP](https://docs.kavachos.com/auth/email-otp.md): Authenticate users with a six-digit OTP sent to their email via `emailOtp`. Provide an `onSendOtp` callback to deliver the code, then verify it to open a session.
- [Email and password](https://docs.kavachos.com/auth/email-password.md): Register and sign in with email and password. Full guide covering verification, password reset, and configuration.
- [Facebook](https://docs.kavachos.com/auth/facebook.md): Authenticate users via Facebook OAuth 2.0 with `facebookProvider`. Covers Developer Portal setup, redirect URI, and the default email and public profile scopes.
- [Figma](https://docs.kavachos.com/auth/figma.md): Authenticate users via Figma OAuth 2.0 with `figmaProvider`. Covers app registration, redirect URI setup, and the file read scope needed for design file access.
- [GitHub](https://docs.kavachos.com/auth/github.md): Wire GitHub OAuth 2.0 into KavachOS with the `oauth()` plugin. Covers app registration, callback URL, client secret setup, and optional scope expansion.
- [GitLab](https://docs.kavachos.com/auth/gitlab.md): Authenticate users via GitLab OAuth 2.0, including self-hosted instances. Register a public application and configure `read_user` and `email` scopes.
- [Google](https://docs.kavachos.com/auth/google.md): Wire Google OAuth 2.0 and OpenID Connect into KavachOS. Covers Cloud Console setup, People API, consent screen configuration, and profile scope access.
- [Hugging Face](https://docs.kavachos.com/auth/huggingface.md): Authenticate users via Hugging Face OAuth 2.0. Configure the `huggingface` provider and request `read-repos`, `read-billing`, or other scopes.
- [Authentication](https://docs.kavachos.com/auth/index.md): Human sign-in methods and OAuth providers for the humans who own and manage agents.
- [Kakao](https://docs.kavachos.com/auth/kakao.md): Authenticate users via Kakao OAuth 2.0. Covers app creation, Kakao Login activation, redirect URI, and `profile_nickname` and `account_email` scopes.
- [Kick](https://docs.kavachos.com/auth/kick.md): Authenticate users via Kick OAuth 2.0. Register an app in the Kick developer dashboard, set a redirect URI, and configure `user:read` scope in the `oauth()` plugin.
- [LINE](https://docs.kavachos.com/auth/line.md): Authenticate users via LINE OAuth 2.0 with `lineProvider()`. Create a LINE Login channel and configure `openid`, `profile`, and `email` scopes.
- [Linear](https://docs.kavachos.com/auth/linear.md): Authenticate users via Linear OAuth 2.0. Register an OAuth application, configure the `linear` provider, and request `read` or `write` scopes as needed.
- [LinkedIn](https://docs.kavachos.com/auth/linkedin.md): Authenticate users via LinkedIn OpenID Connect. Requires the Sign In with LinkedIn product, with `openid`, `profile`, and `email` scopes via the `oauth()` plugin.
- [Magic link](https://docs.kavachos.com/auth/magic-link.md): Issue signed, single-use email links for passwordless sign-in with `magicLink()`. Configure token expiry, a send function, and the post-verification redirect.
- [Microsoft](https://docs.kavachos.com/auth/microsoft.md): Authenticate users via Microsoft Entra ID OAuth 2.0. Covers app registration, tenant configuration for personal or work accounts, and the `microsoft` provider.
- [Naver](https://docs.kavachos.com/auth/naver.md): Authenticate users via Naver OAuth 2.0. Create a Naver Developer application, enable Naver Login, set the redirect URI, and configure `name` and `email` scopes.
- [Notion](https://docs.kavachos.com/auth/notion.md): Authenticate users via Notion OAuth 2.0. Create a public integration, configure OAuth redirect URIs in Notion settings, and wire the `notion` provider.
- [OAuth overview](https://docs.kavachos.com/auth/oauth.md): `oauth()` adds social sign-in via OAuth 2.0 with PKCE. Covers provider setup, token exchange, account linking, session creation, and adding custom providers.
- [OAuth proxy](https://docs.kavachos.com/auth/oauth-proxy.md): Server-side OAuth for mobile apps. Exchange authorization codes without exposing client secrets to the device.
- [OIDC provider](https://docs.kavachos.com/auth/oidc-provider.md): `createOidcProviderModule()` turns KavachOS into an OpenID Connect provider. Covers RS256 key setup, client registration, PKCE, and JWKS endpoint.
- [Okta](https://docs.kavachos.com/auth/okta.md): Authenticate users via Okta OpenID Connect with `oktaProvider()`. Create an OIDC web app in the Okta Admin Console, copy your domain, and configure the provider.
- [Google One-tap](https://docs.kavachos.com/auth/one-tap.md): Authenticate users with Google One-tap via the `oneTap()` plugin. Verifies the Google ID token against JWKS and validates audience, issuer, expiry, and CSRF.
- [Organizations](https://docs.kavachos.com/auth/organizations.md): `organization` plugin adds multi-tenant support: create orgs, invite members, assign roles, enforce per-org RBAC, and set caps on membership and orgs per user.
- [Passkey](https://docs.kavachos.com/auth/passkey.md): Authenticate users with WebAuthn passkeys via the `passkey()` plugin. Covers `rpId` setup, registration and authentication ceremonies, and credential storage.
- [PayPal](https://docs.kavachos.com/auth/paypal.md): Authenticate users via PayPal OAuth 2.0. Enable Log In with PayPal in your developer app and configure the `paypal` provider with `profile` or `address` scopes.
- [Phone number](https://docs.kavachos.com/auth/phone.md): Authenticate users with `phoneAuth()` via SMS one-time codes. Supply an `onSendCode` callback, configure expiry, and KavachOS handles rate limiting.
- [Polar](https://docs.kavachos.com/auth/polar.md): Authenticate users via Polar OAuth 2.0. Register an OAuth app in Polar settings, configure the `polar` provider, and request `organizations:read` for org access.
- [Polar payments](https://docs.kavachos.com/auth/polar-payment.md): Wire Polar subscription billing into KavachOS with the `polar()` plugin. Set an access token and webhook secret to sync checkout and subscription state.
- [Railway](https://docs.kavachos.com/auth/railway.md): Authenticate users via Railway OAuth 2.0. Register an app in Railway settings, set the redirect URI, and configure `read:profile` and `read:email` scopes.
- [Reddit](https://docs.kavachos.com/auth/reddit.md): Authenticate users via Reddit OAuth 2.0. Register a web app in Reddit App Preferences, copy the client ID and secret, and configure the `reddit` provider.
- [Roblox](https://docs.kavachos.com/auth/roblox.md): Authenticate users via Roblox OAuth 2.0. Create credentials in the Roblox Creator Dashboard and configure the `roblox` provider with `openid` or `profile` scopes.
- [Salesforce](https://docs.kavachos.com/auth/salesforce.md): Authenticate users via Salesforce OAuth 2.0 with a Connected App. Configure redirect URIs in App Manager and wire the `salesforce` provider with `openid` scopes.
- [SCIM](https://docs.kavachos.com/auth/scim.md): Wire SCIM 2.0 directory sync for Okta, Azure AD, and Google Workspace. Automatically provisions and deprovisions users when your IdP roster changes.
- [Sign In With Ethereum](https://docs.kavachos.com/auth/siwe.md): Authenticate users via Ethereum wallet signature using the `siwe` plugin. Covers EIP-4361 nonce generation, secp256k1 recovery, and session creation.
- [Slack](https://docs.kavachos.com/auth/slack.md): Authenticate users with their Slack account via the `oauth` plugin. Uses Slack OpenID Connect with `openid`, `email`, and `profile` scopes. No Slack SDK required.
- [Spotify](https://docs.kavachos.com/auth/spotify.md): Authenticate users with Spotify via `spotifyProvider`. Configures OAuth 2.0 with `user-read-email` and `user-read-private` scopes and supports scope extension.
- [SSO](https://docs.kavachos.com/auth/sso.md): Wire enterprise SSO with SAML 2.0 and OIDC providers such as Okta and Azure AD. Includes JIT user provisioning and connection routing by email domain.
- [Stripe](https://docs.kavachos.com/auth/stripe.md): Wire Stripe checkout sessions, billing portals, and subscription webhooks via the `stripe` plugin. No `stripe` npm package needed, calls Stripe's REST API directly.
- [TikTok](https://docs.kavachos.com/auth/tiktok.md): Authenticate users with TikTok via the `oauth` plugin. Covers Login Kit setup, redirect URI configuration, and `user.info.basic` and `user.info.stats` scopes.
- [Twitch](https://docs.kavachos.com/auth/twitch.md): Authenticate users with their Twitch account via the `oauth` plugin. Covers Developer Console setup and the `user:read:email` scope for profile access.
- [Twitter / X](https://docs.kavachos.com/auth/twitter.md): Authenticate users with Twitter/X via `createTwitterProvider`. Covers OAuth 2.0 PKCE, Developer Portal configuration, and `users.read` and `tweet.read` scopes.
- [Two-factor auth](https://docs.kavachos.com/auth/two-factor.md): Add TOTP second-factor authentication via the `twoFactor` plugin. QR code enrollment, 6-digit verification, and backup codes for any RFC 6238 authenticator.
- [Username and password](https://docs.kavachos.com/auth/username.md): Authenticate users with a unique username and password via `usernamePassword`. Covers length limits, pattern validation, and uniqueness enforcement at sign-up.
- [Vercel](https://docs.kavachos.com/auth/vercel.md): Authenticate users with their Vercel account via the `oauth` plugin. Covers integration setup, redirect URI, and scopes for profile and project access.
- [VK](https://docs.kavachos.com/auth/vk.md): Authenticate users with VK via the `oauth` plugin. Covers dev.vk.com app setup, redirect URI config, and scopes including `email`, `profile`, and `friends`.
- [WeChat](https://docs.kavachos.com/auth/wechat.md): Authenticate users with WeChat via the `oauth` plugin. Covers Open Platform registration, callback domain config, and `snsapi_login` and `snsapi_userinfo` scopes.
- [Yahoo](https://docs.kavachos.com/auth/yahoo.md): Authenticate users with Yahoo via `yahooProvider`. Covers Developer Console app creation, OpenID Connect API enablement, and email and profile scopes.
- [Zoom](https://docs.kavachos.com/auth/zoom.md): Authenticate users with Zoom via `zoomProvider`. Covers App Marketplace app creation, redirect URI setup, and default scopes: `openid`, `profile`, and `email`.
- [Budget policies](https://docs.kavachos.com/budget-policies.md): Controlling LLM spend and call volume with per-agent, per-user, and per-tenant policies.
- [TypeScript client](https://docs.kavachos.com/client-sdk.md): Issue HTTP calls to KavachOS from any runtime via `createKavachClient`. Covers agents, authorization, delegations, audit logs, and MCP registration.
- [Compare KavachOS](https://docs.kavachos.com/compare/index.md): Side-by-side breakdowns of KavachOS against better-auth, Hanko, Casdoor, and paid platforms. Covers agent identity, MCP OAuth, RBAC, and deployment model.
- [KavachOS vs better-auth](https://docs.kavachos.com/compare/vs-ba.md): A feature-by-feature comparison of KavachOS and better-auth for TypeScript applications.
- [KavachOS vs Casdoor](https://docs.kavachos.com/compare/vs-casdoor.md): KavachOS as an in-process TypeScript library versus Casdoor as a standalone Go IAM service. Compares MCP OAuth 2.1, agent identity, LDAP, RBAC, and deployment model.
- [KavachOS vs Hanko](https://docs.kavachos.com/compare/vs-hanko.md): KavachOS versus Hanko across passkey support, OAuth providers, agent identity, MCP OAuth, RBAC, and licensing. Includes a clear decision framework for each tool.
- [KavachOS vs paid auth platforms](https://docs.kavachos.com/compare/vs-paid.md): KavachOS versus Clerk and Auth0: open-source self-hosted against managed platforms. Covers cost, data residency, agent identity gaps, and when each fits.
- [Compliance](https://docs.kavachos.com/compliance.md): Audit infrastructure for EU AI Act, NIST, SOC 2, and ISO 42001. Agent actions write immutable records to `kavach_audit_logs` with identity, resource, and action.
- [Core concepts](https://docs.kavachos.com/concepts.md): The mental model you need before touching code. Agents, permissions, delegation, audit, trust, MCP.
- [Configuration](https://docs.kavachos.com/configuration.md): Reference for every `createKavach()` option in `KavachConfig`. Covers database providers, agent settings, MCP OAuth, session config, and anomaly detection.
- [Cookie options](https://docs.kavachos.com/cookies.md): How KavachOS sets session cookies, how to customize them, and the defaults for cross-subdomain and cross-origin setups.
- [Cost attribution](https://docs.kavachos.com/cost-attribution.md): Track LLM token spend, API call costs, and custom costs per agent, per tool, and per delegation chain.
- [Custom session fields](https://docs.kavachos.com/custom-session.md): Attach arbitrary data to sessions at creation time and read it back on validation.
- [Admin dashboard](https://docs.kavachos.com/dashboard.md): Embed `KavachDashboard` from `@kavachos/dashboard` to manage agents, permissions, delegation chains, and audit logs. Runs standalone via `npx kavachos dashboard`.
- [Database setup](https://docs.kavachos.com/database.md): Configure KavachOS with SQLite, Postgres, MySQL, or Cloudflare D1. Covers connection setup, migration, WAL mode for SQLite, and skipping auto-migrations.
- [Delegation chains](https://docs.kavachos.com/delegation.md): Grant a subset of permissions from one agent to another, with depth limits and cascading revocation.
- [W3C DID identity](https://docs.kavachos.com/did.md): Issue portable Ed25519-backed identities for agents using `did:key` or `did:web`. Agents sign payloads to prove identity across services without shared secrets.
- [Electron](https://docs.kavachos.com/electron.md): Add auth to Electron apps via `createKavachElectron`. Covers OS keychain token storage, OAuth popup windows, IPC bridge, and automatic token refresh.
- [Email templates](https://docs.kavachos.com/email-templates.md): Generate {subject, text, html} for every auth flow via createEmailTemplates. Covers verification, password reset, magic link, OTP, and invitation emails.
- [Ephemeral sessions](https://docs.kavachos.com/ephemeral-sessions.md): Short-lived, auto-expiring agent credentials for single-task computer-use agents.
- [Error codes](https://docs.kavachos.com/errors.md): KavachError carries a code, message, and optional details. All SDK functions return a Result union instead of throwing, with matching HTTP status codes on REST.
- [Event streaming](https://docs.kavachos.com/event-streaming.md): Stream auth events, agent lifecycle changes, and anomaly alerts in real time via SSE using createEventStreamModule. Missed events replay from a stored cursor.
- [Expo / React Native](https://docs.kavachos.com/expo.md): Wire KavachOS auth into React Native and Expo apps with @kavachos/expo. Stores tokens in AsyncStorage or SecureStore and authenticates via Authorization header.
- [Agent identity federation](https://docs.kavachos.com/federation.md): Issue and verify short-lived federation tokens so an AgentIdentity can authenticate at a remote KavachOS instance without re-registration or shared databases.
- [Gateway](https://docs.kavachos.com/gateway.md): An auth proxy that sits in front of any API or MCP server, enforcing auth, permissions, rate limiting, and audit without changing upstream code.
- [GDPR compliance](https://docs.kavachos.com/gdpr.md): Data export, account deletion, and audit log anonymization to meet GDPR requirements.
- [Password breach checking](https://docs.kavachos.com/hibp.md): Reject or warn on passwords found in known data breaches using the HaveIBeenPwned API.
- [Lifecycle hooks](https://docs.kavachos.com/hooks.md): Running custom logic before and after authorization, agent creation, and policy violations.
- [Internationalization](https://docs.kavachos.com/i18n.md): Translate auth error messages and email subjects into six built-in locales via createI18n. Supports per-request locale override and variable interpolation.
- [KavachOS](https://docs.kavachos.com/index.md): Auth OS for AI agents. Identity, permissions, delegation, audit, and MCP OAuth in one TypeScript SDK.
- [JWT sessions](https://docs.kavachos.com/jwt-sessions.md): Issue short-lived JWT access tokens and rotate refresh tokens via jwtSession. Stateless access token verification, revocation tracked in the database.
- [Last login tracking](https://docs.kavachos.com/last-login.md): Record every successful authentication per user via createLastLoginModule. Retrieve last sign-in timestamp, method, and IP for security pages or anomaly checks.
- [MCP OAuth 2.1](https://docs.kavachos.com/mcp.md): Configure KavachOS as an OAuth 2.1 authorization server for the Model Context Protocol. Implements PKCE S256, RFC 9728, RFC 8414, RFC 8707, and RFC 7591.
- [Migrate from better-auth](https://docs.kavachos.com/migrate/from-better-auth.md): Switch a better-auth app to KavachOS. Maps betterAuth config, plugins, session types, and client hooks to KavachOS equivalents with before and after diffs.
- [Migrate from Clerk](https://docs.kavachos.com/migrate/from-clerk.md): Move a Clerk app to KavachOS. Maps ClerkProvider, clerkMiddleware, useAuth, and Organizations to KavachOS, with Next.js middleware sample and data export steps.
- [Migration guides](https://docs.kavachos.com/migrate/index.md): Pick a migration guide for your current auth setup. Covers moving from better-auth, Clerk, the better-auth agent plugin, and Auth0 to KavachOS.
- [Multi-session](https://docs.kavachos.com/multi-session.md): Let users hold multiple active sessions and manage them from an account settings page.
- [Multi-tenant isolation](https://docs.kavachos.com/multi-tenant.md): Running multiple organizations on one KavachOS instance with per-tenant settings.
- [One-time tokens](https://docs.kavachos.com/one-time-tokens.md): Single-use tokens for email verification, password resets, invitations, and custom flows.
- [Permission engine](https://docs.kavachos.com/permissions.md): Authorize agent actions via resource pattern matching and per-permission constraints: rate limits, time windows, IP allowlists, and human approval gates.
- [Policy templates](https://docs.kavachos.com/policies/templates.md): Seven copy-paste policy templates for agent authorization: tool allowlists, delegation scopes, org isolation, budget caps, business-hours gating, and ReBAC.
- [Policy engine](https://docs.kavachos.com/policy-engine.md): Unified authorization combining RBAC, ABAC constraints, and ReBAC graph queries behind one evaluate() call.
- [Prisma adapter](https://docs.kavachos.com/prisma.md): Query every KavachOS table through an existing PrismaClient via @kavachos/prisma. Supports Prisma transactions without requiring Drizzle as a second ORM client.
- [Quickstart](https://docs.kavachos.com/quickstart.md): Install KavachOS, create your first AgentIdentity, and run an authorization check. Scaffold a full Next.js SaaS app with create-kavachos-app in one command.
- [Rate limiting](https://docs.kavachos.com/rate-limiting.md): Apply IP-based limits on auth endpoints and per-agent call caps via the maxCallsPerHour constraint. Redis store supported for multi-instance deployments.
- [React hooks](https://docs.kavachos.com/react.md): Wire KavachOS into React 18 apps via KavachProvider and hooks from @kavachos/react. Supports Next.js App Router, Pages Router, Vite, and edge runtime backends.
- [Relationship-based access control](https://docs.kavachos.com/rebac.md): Zanzibar-inspired ReBAC engine for hierarchical resources, relationship graphs, and permission inheritance.
- [Session model](https://docs.kavachos.com/sessions.md): Cookie sessions, JWT tokens, ephemeral agent sessions, CSRF protection, session freshness, and lifecycle management.
- [Standards alignment](https://docs.kavachos.com/standards.md): Which IETF drafts KavachOS maps to, and how to emit the matching claims on issued tokens.
- [Svelte](https://docs.kavachos.com/svelte.md): Add KavachOS auth to Svelte and SvelteKit apps via createKavachClient and createKavachHooks. Session state is reactive and server-populated on first page load.
- [Terraform provider](https://docs.kavachos.com/terraform.md): Manage KavachOS agents, permissions, API keys, and organizations as Terraform resources.
- [Test utilities](https://docs.kavachos.com/test-utils.md): Test auth-dependent code without a database using @kavachos/test-utils. Provides entity factories, in-memory mock auth server, and per-request user overrides.
- [Trust scoring](https://docs.kavachos.com/trust.md): TrustScore is a 0 to 100 value from each agent audit log, mapping to five named levels that gate autonomy, approval requirements, and rate limit strictness.
- [Trusted devices](https://docs.kavachos.com/trusted-device.md): Skip two-factor auth on verified devices via createTrustedDeviceModule. Trust is stored as an HMAC-signed fingerprint with a configurable expiry duration.
- [UI components](https://docs.kavachos.com/ui-components.md): Drop-in React components for sign-in, sign-up, password reset, 2FA, and OAuth buttons from @kavachos/ui. Tailwind-based, wired to KavachProvider automatically.
- [Verifiable credentials](https://docs.kavachos.com/verifiable-credentials.md): Issue and verify W3C Verifiable Credentials for agent identity, permissions, and delegation.
- [Vue](https://docs.kavachos.com/vue.md): Register KavachOS auth in Vue 3 via createKavachPlugin. Provides useSession, useSignIn, useSignOut, and useUser composables for Vite, Nuxt, and Vue 3 setups.
- [Webhooks](https://docs.kavachos.com/webhooks.md): Push HMAC-signed HTTP POST payloads to external URLs on auth events via createWebhookModule. Subscribe each endpoint to specific event types or all events.

## OpenAPI Specs

- [openapi](https://docs.kavachos.com/api-reference/openapi.json)