What shipped
KairosAuth public beta is live on Base Sepolia. This is the first authentication protocol where the server never touches private key material — not during registration, not during login, not ever.
Every authentication event generates a cryptographic proof anchored to an on-chain Merkle root. If someone claims "this user authenticated at this time," you can check that claim against the anchored root yourself, without trusting KairosAuth or any other party.
How it works
The flow is straightforward:
- Registration — the user's device generates a keypair inside its secure enclave (WebAuthn / Passkeys). The private key never leaves the hardware. KairosAuth receives only the public key.
- Login — the device signs a challenge. KairosAuth verifies the signature, then generates a KA-HAP proof (Kairos Authentication Hash-Anchored Proof) and submits the Merkle leaf to the on-chain registry.
- Verification — anyone can verify any authentication event against the Merkle root. No API call needed, no trust assumption.
What's enforced
All 7 security invariants apply from day one:
- INV-1: Private key never exists as raw bytes — WebAuthn secure enclave only
- INV-2: Server holds zero key material
- INV-3: Email addresses hashed before any on-chain reference
- INV-4: 2FA minimum — device + biometric or device + PIN
- INV-5: Every proof Merkle-anchored
- INV-6: Algorithm registry ready for hot-swap
- INV-7: Emergency halt available in under 1 block
Try it
The sandbox is live at sandbox.kairosauth.io. Documentation at docs.kairoslab.io.
Feedback goes to the GitHub repo or directly to the team on X.
Base Sepolia deployment. Mainnet target: Q3-Q4 2026.