Sign in

Reference

Security

Kyew is designed with security as a priority. Your data is private, encrypted, and isolated from other users.

Data Isolation

User Scoping

All data is scoped to your Google account:

User A: google:111111
  └─ Memories, Skills, Tools, Connections, Databases (isolated)

User B: google:222222
  └─ Memories, Skills, Tools, Connections, Databases (isolated)

There is no way for User A to access User B's data. The storage layer enforces user scoping on every query.

Multi-Tenancy

// Every database query includes user_id
const memories = await db
  .select()
  .from(memories)
  .where(eq(memories.user_id, userId));  // Always filtered

Encryption

In Transit

All connections use TLS 1.3:

  • Client to Cloudflare Workers
  • Workers to D1 Database
  • Workers to KV Store
  • Workers to Durable Objects

At Rest

  • D1 Database: Encrypted by Cloudflare
  • KV Store: Encrypted by Cloudflare
  • Connections: Additional user-specific encryption for credentials

Credential Storage

API keys and tokens stored in connections are encrypted:

Original: ghp_xxxxxxxxxxxx
Stored:   encrypted(ghp_xxxxxxxxxxxx, user_specific_key)

Authentication

OAuth 2.0

Kyew uses Google OAuth 2.0:

  1. No passwords stored
  2. Google handles authentication
  3. Only basic profile info accessed (email, name)
  4. Refresh tokens encrypted in KV

Session Management

  • JWT tokens with expiration
  • Secure session storage in KV
  • Automatic token refresh on every use

Code Tool Isolation

Code tools run in Cloudflare Sandbox — VM-isolated containers:

Sandbox Architecture

┌──────────────────────────────────────────┐
│             Kyew Worker                  │
│                                          │
│  ┌────────────────────────────────────┐  │
│  │   Cloudflare Sandbox (VM Isolated) │  │
│  │                                    │  │
│  │  • Separate memory space           │  │
│  │  • No access to worker bindings    │  │
│  │  • Restricted network access       │  │
│  │  • Timeout enforced                │  │
│  │  • Per-user container reuse        │  │
│  │                                    │  │
│  └────────────────────────────────────┘  │
└──────────────────────────────────────────┘

What Code Tools CANNOT Do

  • Access the Kyew database directly
  • Read worker environment variables
  • Access other users' data or containers
  • Make requests to non-whitelisted domains
  • Run indefinitely (timeout enforced)
  • Use eval() or new Function()

Approval Requirement

Code tools require explicit approval before they can execute. This gives you time to review the code for malicious behavior, security vulnerabilities, or unintended side effects.

Per-User SQLite Isolation

Each user's SQLite databases run inside a dedicated Durable Object:

  • DO-scoped: Each UserDataStore is keyed by user ID — no cross-user access
  • HMAC token verification: Code tools authenticate to the DB endpoint with a short-lived HMAC-SHA256 token (300-second TTL)
  • No direct access: Sandbox containers access SQLite via /internal/db HTTP endpoint, not direct file access
Sandbox → /internal/db (with HMAC token) → verify → UserDataStore DO → SQLite

Secret URL

When setting up connections, the secret_url action generates a secure browser link for credential entry:

  • Secrets are entered in the browser, never in the AI chat
  • The URL is single-use and time-limited
  • Credentials flow directly to encrypted storage
  • The AI agent never sees the raw credential values
connection(action="secret_url", connection_id="...")
→ Returns a URL the user opens in their browser
→ User enters API key / token in the browser form
→ Credential stored encrypted, never appears in chat

Sharing Security

When you share a skill or tool with another user:

  • Skills: The recipient gets a copy — changes to one don't affect the other
  • Tools: Shared tools reference connections by ID. The recipient must create their own connections — your credentials are never shared
  • Visibility: Only the sender and recipient can see shared items
  • Revocable: You can revoke shares at any time with system(action="revoke_share", share_id="...")

Rate Limiting

Per-user rate limits prevent abuse:

  • Requests per minute: Configurable (default 100)
  • Memory storage quota: Configurable
  • Skill storage quota: Configurable

API Key Security

For programmatic access, API keys:

  • Are user-specific
  • Can be rotated
  • Are stored hashed (not plaintext)

Audit Logging

All skill changes are logged:

{
  "action": "skill.approved",
  "skill_id": "skill-abc123",
  "user_id": "google:111111",
  "timestamp": "2024-01-15T10:30:00Z",
  "details": { "review_notes": "Verified against docs" }
}

View audit history:

skill(action="audit_log", skill_id="skill-abc123")

Best Practices

For Users

  1. Review code tools before approving
  2. Use specific domains in allowed_domains for code tools
  3. Rotate API keys periodically
  4. Review pending skills before approval

For Credentials

  1. Use connections instead of hardcoding secrets
  2. Use secret_url so credentials never appear in chat
  3. Scope permissions appropriately with allowed_tool_ids
  4. Don't share credentials across tools unnecessarily

Compliance

Kyew is hosted on Cloudflare's infrastructure:

  • SOC 2 Type II certified
  • GDPR compliant
  • Data stored in user-selected regions (where available)

Reporting Issues

If you discover a security vulnerability:

  • Do not disclose publicly
  • Contact support with details
  • Allow time for remediation
Previous
Architecture
Next
Troubleshooting