How Kiauth
actually works.

For the people who read the fine print.

Hub & Spoke model

k

verification only

Business A

unique token

Business B

unique token

AI agent

unique token

Enterprise

unique token

Developer app

unique token

Business C

unique token

Every business sees a different, pairwise identifier for you — Business A and Business B cannot match you to each other by your Kiauth ID.

If you choose to share the same email or phone number with both, they can still correlate you through that — no identity system can prevent it. What Kiauth guarantees is that we never hand them a common identifier, and that you keep the single unified view of every app you are signed into.

What Kiauth stores

We StoreWe Never Store
Phone blind index (HMAC-SHA256)Raw phone number
Aadhaar blind index (HMAC-SHA256)Raw Aadhaar number
Device public keyPrivate key (never leaves device)
Session metadataBusiness user data
Consent recordsPasswords
Audit logs (IDs only)PII beyond what you approved

For developers who want to verify our claims

  • ECDSA P-256 for biometric signatures
  • RS256 for JWT issuance
  • HMAC-SHA256 blind indexes, keyed with server-side secrets, for phone and Aadhaar
  • AES-256-GCM for demographics at rest
  • Secure Enclave / Android Keystore for private key storage
  • SIM binding via ICCID at registration

Token model

Scoped tokens only

Agents cannot exceed user permissions

Time-limited

Maximum 7 days, user-set

Action-limited

Optional hard cap on total uses

Audit trail

Every action logged

Instant revocation

User can revoke any agent instantly

Token delivery

One-time via callback URL, never stored

Compliance

DPDP Act 2023 — Kiauth operates as a verification processor. You remain the Data Fiduciary.

AUA/KUA licensing — currently via licensed aggregator bridge for MVP; own license roadmap in progress.

RBI Digital Payment Security Controls — applicable controls implemented.

Data residency: India. All data stored and processed within Indian jurisdiction.

Found a vulnerability?

We take security reports seriously. Please disclose responsibly.

security@kiauth.com