Kairu
Reference

Security

How Kairu handles authentication, data storage, and the read-only constraint.

Authentication model

Kairu uses Sign-In With Ethereum (SIWE / EIP-4361). You sign a human-readable text message with your wallet to prove ownership. No password is ever created or stored.

The signed message is verified server-side. A session token is issued and stored in your browser's localStorage, keyed to your wallet address. The token expires after 30 days.

There is no recovery mechanism. If you lose access to your wallet, you lose access to your Kairu account. Your position data is public on-chain and remains readable without an account, but your chat history, settings, and wallet groups are tied to your wallet address.

What Kairu stores

DataDetailsWhere
Wallet addressYour Ethereum wallet addressDatabase
Session token hashHashed SHA-256 of the issued tokenDatabase
PreferencesRisk profile, HF threshold, notification settingsDatabase
Conversation historyAI chat sessions textDatabase
Wallet groupsGroup names and wallet addressesDatabase

What Kairu never stores

  • Private keys
  • Seed phrases
  • Transaction signatures
  • Approvals or allowances
  • Any off-chain asset data

Read-only by design

Kairu never requests a transaction from your wallet. The only on-chain interaction is the SIWE text signature used for authentication. Kairu cannot:

  • Submit transactions
  • Approve token allowances
  • Move funds
  • Interact with any smart contract

This is a deliberate architectural constraint, not a missing feature. It means a compromised Kairu account cannot result in fund loss. The only data at risk from a Kairu account compromise is your conversation history and notification preferences.

MCP token security

Your MCP Bearer token grants access to query your position data via the API. It does not grant any write access. Treat it like an API key: do not share it, do not commit it to a public repository, and rotate it from Settings if you believe it has been exposed.

Reporting vulnerabilities

Security issues can be reported to: security@kairu.finance

We do not have a formal bug bounty program at this time, but we will acknowledge and address reported issues promptly.

Copyright © 2026