How Kiauth
actually works.
For the people who read the fine print.
ARCHITECTURE
Hub & Spoke model
verification only
Business A
unique token
Business B
unique token
AI agent
unique token
Enterprise
unique token
Developer app
unique token
Business C
unique token
Every business sees a different, pairwise identifier for you — Business A and Business B cannot match you to each other by your Kiauth ID.
If you choose to share the same email or phone number with both, they can still correlate you through that — no identity system can prevent it. What Kiauth guarantees is that we never hand them a common identifier, and that you keep the single unified view of every app you are signed into.
DATA
What Kiauth stores
| We Store | We Never Store |
|---|---|
| Phone blind index (HMAC-SHA256) | Raw phone number |
| Aadhaar blind index (HMAC-SHA256) | Raw Aadhaar number |
| Device public key | Private key (never leaves device) |
| Session metadata | Business user data |
| Consent records | Passwords |
| Audit logs (IDs only) | PII beyond what you approved |
CRYPTOGRAPHY
For developers who want to verify our claims
- →ECDSA P-256 for biometric signatures
- →RS256 for JWT issuance
- →HMAC-SHA256 blind indexes, keyed with server-side secrets, for phone and Aadhaar
- →AES-256-GCM for demographics at rest
- →Secure Enclave / Android Keystore for private key storage
- →SIM binding via ICCID at registration
AI AGENT SECURITY
Token model
Scoped tokens only
Agents cannot exceed user permissions
Time-limited
Maximum 7 days, user-set
Action-limited
Optional hard cap on total uses
Audit trail
Every action logged
Instant revocation
User can revoke any agent instantly
Token delivery
One-time via callback URL, never stored
REGULATORY
Compliance
DPDP Act 2023 — Kiauth operates as a verification processor. You remain the Data Fiduciary.
AUA/KUA licensing — currently via licensed aggregator bridge for MVP; own license roadmap in progress.
RBI Digital Payment Security Controls — applicable controls implemented.
Data residency: India. All data stored and processed within Indian jurisdiction.
RESPONSIBLE DISCLOSURE
Found a vulnerability?
We take security reports seriously. Please disclose responsibly.
security@kiauth.com