Security overview

Security at KairosAI Identity

We are building trust infrastructure for the AI economy. Security is not a feature — it is the product. Here is exactly how we protect your agents, your keys, and your audit data.

At a glance:

- API keys: SHA-256 hashed
- JWT signing: ES256 asymmetric
- Audit log: hash-chained
- Transport: TLS 1.2+

API Key Storage

API keys are never stored in plaintext. When you create a key, we immediately hash it using SHA-256 and store only the hash.

The original key is shown to you exactly once at creation time and cannot be recovered. If lost, a new key must be generated.

Key prefixes (the first 8 characters) are stored separately for display purposes only — they cannot be used to reconstruct the full key.

JWT Signing

All agent tokens are signed using ES256 (ECDSA with P-256 curve and SHA-256). This is an asymmetric algorithm — your agents carry tokens signed with our private key, verified against our public key.

The signing private key never leaves our server and is never logged, stored in plaintext, or transmitted.

Our public JWKS endpoint (/.well-known/jwks.json) allows any service to verify agent tokens locally without calling our servers — verification needs only our published public key, not a runtime dependency on our API.

Tokens are short-lived (24 hours by default) and can be revoked instantly at any time.

Audit Log Integrity

Every event in the audit log is linked to the previous event via SHA-256 hash chaining. Each entry contains the hash of the entry before it.

This means the audit log is tamper-evident — any modification to a past entry would invalidate every subsequent entry's hash, making tampering immediately detectable.

Audit log entries are append-only at the database level. PostgreSQL rules prevent UPDATE and DELETE operations on the audit_log table — even by administrators.

The full hash chain can be verified by any party with access to the log.
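As an added illustration (not KairosAI's own code), the following Python builds a small hash-chained log and verifies it the way any party with access to the log could. The entry layout, the genesis sentinel and the hash input (prev_hash followed by the canonical JSON of the entry) are assumptions, since the page does not specify them; the sample events are constructed. It also shows why a verifier must carry forward its own recomputed hash rather than the stored one: an edited entry whose own hash was refreshed is still caught at the next link.

```python
import hashlib
import json

# Added example, not KairosAI code. Assumed layout: each entry stores prev_hash and
# hash = SHA-256(prev_hash || canonical JSON of the payload); GENESIS seeds entry 0.
GENESIS = "0" * 64

def compute_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same payload always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append_entry(log: list, payload: dict) -> dict:
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"prev_hash": prev_hash, "payload": payload,
             "hash": compute_hash(prev_hash, payload)}
    log.append(entry)
    return entry

def first_break(log: list) -> int:
    """Index of the first entry failing verification, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return i  # link to the previous entry is broken
        recomputed = compute_hash(prev, entry["payload"])
        if recomputed != entry["hash"]:
            return i  # entry content no longer matches its stored hash
        # Carry the recomputed hash forward, not the stored one, so an edited entry
        # whose own hash was refreshed still breaks the link of every later entry.
        prev = recomputed
    return -1

def build_sample_log() -> list:
    # Constructed sample events; field names are assumed.
    events = [{"seq": 1, "actor": "user:42", "action": "agent.create", "agent": "agt_demo"},
              {"seq": 2, "actor": "agent:agt_demo", "action": "token.issue", "ttl_h": 24},
              {"seq": 3, "actor": "user:42", "action": "agent.revoke", "agent": "agt_demo"}]
    log = []
    for ev in events:
        append_entry(log, ev)
    return log

def tampered_log(rehash: bool) -> list:
    # Simulate rewriting a past entry (index 1), optionally refreshing its own hash.
    log = build_sample_log()  # fresh objects each call, so no copy is needed
    log[1]["payload"]["action"] = "token.revoke"
    if rehash:
        log[1]["hash"] = compute_hash(log[1]["prev_hash"], log[1]["payload"])
    return log
```

On an intact log first_break returns -1; editing entry 1 is reported at index 1, and editing it while refreshing its hash is reported at index 2, the first entry whose link no longer matches.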

Transport Security

All traffic is encrypted in transit using TLS 1.2 or higher. We do not support older TLS versions or SSL.

HTTPS is enforced on all endpoints — HTTP requests are automatically redirected.

API keys and agent tokens must be transmitted via the Authorization header, never in URL query parameters.

Data Storage

All data is stored in Supabase (PostgreSQL) hosted on AWS in the US East region.

Row Level Security (RLS) is enforced at the database level — your data is isolated from other tenants by policy, not just by application logic.

Sensitive fields (key hashes, JWT private keys) use Postgres-level restrictions in addition to application-level access controls.

We do not sell, share, or use your data for any purpose other than providing the KairosAI Identity service.

Incident Response

In the event of a security incident affecting your account or agents, we will notify you via the email address on your account within 24 hours of confirmation.

Critical infrastructure issues affecting the /verify endpoint are communicated via our status page at status.kairosaistudio.com.

You can revoke any agent instantly from your dashboard or via the API — we recommend doing so immediately if you suspect a compromise.

Responsible Disclosure

If you discover a security vulnerability in KairosAI Identity, please report it to us privately before disclosing publicly. We take all reports seriously and will respond within 48 hours.

Include:

Description of the vulnerability, steps to reproduce, potential impact, and your contact information.

We ask that you give us reasonable time to investigate and address the issue before any public disclosure. We will credit researchers who report valid vulnerabilities.

Last updated: June 2026 · Questions? Email hello@kairosaistudio.com