Security Model

Critical wallet infrastructure, explained.

Kevo is designed around explicit user authentication, sandboxed wallet UX, and an isolated signer boundary. It is not a browser-share MPC wallet and it is not an extension wallet wrapper.

Signing boundary (TEE isolated)

User session:     JWT + project policy
API boundary:     Auth, quotas, delegation checks
Signer boundary:  Key operations and zeroized signing
Output:           signature, txHash, or explicit export result

Request policy (checked)

Project:  pk_live_••••
User:     did:kevo:project:google:••••
Action:   signTypedData / sendTransaction
Gates:    session, origin, delegation, sponsorship, rate limit

A sandboxed iframe separates wallet UX from the host app.

The developer's frontend embeds Kevo, but sensitive prompts run in a Kevo-controlled iframe on a separate origin. The host app can request wallet actions; it cannot directly read iframe state or silently access key material.

  • Cross-origin iframe boundary
  • Typed postMessage contract
  • Origin validation for sensitive messages
  • Parent app receives signatures and metadata, not keys

Wallet key lifecycle

Policy, key, user, chain

Step          Boundary       User visible
Provision     Signer         Address
Authenticate  API            Session
Approve       Iframe         Intent
Sign          Signer         Signature
Export        OTP + iframe   Private key

Kevo uses a TEE-isolated signer model, not browser-held MPC shares.

Users can log in from a new device and access the same embedded wallet without migrating a local share. The tradeoff is deliberate: key operations are routed through a hardware-isolated signer boundary rather than requiring the browser to co-sign every action.

  • Not classic client-server MPC/TSS
  • Hardware-isolated signer boundary
  • Private key material is not exposed to the host page

Key operations run inside a hardware-backed TEE.

Kevo separates the public API from the signing boundary. The API handles auth, quotas, origin checks, sponsorship policy, and delegation policy; the TEE signer handles provisioning, signing, export, and key-operation isolation.

  • TEE-isolated key operations
  • Hardware attestation for signer integrity
  • API and signer separated by security boundary

Every sensitive path is policy-gated and auditable.

Signing, sponsorship, delegation, export, and admin actions are checked before execution. Exports require explicit OTP verification and run through the secure iframe. Webhooks give teams an external audit trail.

  • Session, origin, quota, and policy checks
  • OTP-gated private key export
  • HMAC-signed webhook delivery

Trust by design

A security model your users do not need to understand.

Kevo keeps wallet UX simple while giving teams clear boundaries, policies, and auditability underneath.