Security
Authentication model
Kairu uses Sign-In With Ethereum (SIWE / EIP-4361). You sign a human-readable text message with your wallet to prove ownership. No password is ever created or stored.
The signed message is verified server-side. A session token is issued and stored in your browser's localStorage, keyed to your wallet address. The token expires after 30 days.
There is no recovery mechanism. If you lose access to your wallet, you lose access to your Kairu account. Your position data is public on-chain and remains readable without an account, but your chat history, settings, and wallet groups are tied to your wallet address.
What Kairu stores
| Data | Details | Where |
|---|---|---|
| Wallet address | Your Ethereum wallet address | Database |
| Session token hash | Hashed SHA-256 of the issued token | Database |
| Preferences | Risk profile, HF threshold, notification settings | Database |
| Conversation history | AI chat sessions text | Database |
| Wallet groups | Group names and wallet addresses | Database |
What Kairu never stores
- Private keys
- Seed phrases
- Transaction signatures
- Approvals or allowances
- Any off-chain asset data
Read-only by design
Kairu never requests a transaction from your wallet. The only on-chain interaction is the SIWE text signature used for authentication. Kairu cannot:
- Submit transactions
- Approve token allowances
- Move funds
- Interact with any smart contract
This is a deliberate architectural constraint, not a missing feature. It means a compromised Kairu account cannot result in fund loss. The only data at risk from a Kairu account compromise is your conversation history and notification preferences.
MCP token security
Your MCP Bearer token grants access to query your position data via the API. It does not grant any write access. Treat it like an API key: do not share it, do not commit it to a public repository, and rotate it from Settings if you believe it has been exposed.
Reporting vulnerabilities
Security issues can be reported to: security@kairu.finance
We do not have a formal bug bounty program at this time, but we will acknowledge and address reported issues promptly.