KairoGuard|Documentation
DocsreferenceGlossary

Glossary

Key terms and concepts used throughout the Kairo Guard documentation.

7 min read

Glossary

Quick reference for terms you'll encounter when using Kairo Guard.

A

Allowlist

A list of approved addresses that can receive funds from your wallet. When allowlist mode is enabled, transactions to addresses not on the list are automatically blocked. Contrast with Denylist.

Audit Trail

See Custody Trail.

B

Biometric Authentication

Using physical characteristics (fingerprint, face recognition) to verify your identity. Kairo uses biometrics via passkeys to protect your local key share.

Binding

See PolicyBinding.

C

Chain ID

A unique identifier for a specific blockchain network. For example:

  • Ethereum mainnet: 1
  • Base: 8453
  • Bitcoin mainnet: "mainnet"
  • Solana mainnet: "mainnet-beta"

Your policy can restrict which chain IDs are allowed.

Custody Event

A single record in your custody trail. Each event captures details about a signing action: what was signed, when, what policy authorized it, and cryptographic proof linking it to previous events.

Custody Trail

A chain of immutable records on Sui blockchain documenting every signing action your wallet has taken. Each record is hash-linked to the previous one, creating a tamper-proof history. Also called an audit trail.

D

Denylist

A list of blocked addresses that cannot receive funds from your wallet. When using denylist mode, all addresses are allowed except those on the list. Contrast with Allowlist.

dWallet

Short for "distributed wallet." In Kairo, your dWallet is a wallet where the private key is split between your device and Kairo's network, requiring both to sign any transaction.

E

EIP-1193

A standard interface for Ethereum wallet connections. Kairo implements this standard, allowing it to work with any dApp that supports standard Ethereum wallets.

Event Hash

A cryptographic hash that uniquely identifies a custody event. Computed from all the event's fields using keccak256. Used to verify event integrity and link events together.

F

Function Selector

The first 4 bytes of a smart contract function call that identify which function is being called. For example, 0x095ea7b3 is the selector for ERC20 approve(). Policies can allow or block specific selectors.

H

Hash Chain

A series of records where each record contains the hash of the previous record. Used in Kairo's custody trail to create tamper-proof history. If any record is modified, the hash chain breaks.

I

Idempotency

The property that performing an operation multiple times has the same effect as performing it once. In Kairo, the vault ensures idempotency—the same transaction intent can't be signed twice.

Ika Network

The MPC (Multi-Party Computation) network that holds the network share of your dWallet's key. Operated as a distributed threshold system across multiple nodes.

Intent Hash

A cryptographic hash of an unsigned transaction. Uniquely identifies the specific action being authorized. Used to prevent replay attacks and ensure the correct transaction is signed.

IntentRecord

A record stored in the PolicyVault showing that a specific intent was authorized. Even after the receipt is consumed, the IntentRecord proves the authorization occurred.

K

Key Share

One piece of a split private key. In Kairo's 2PC-MPC system, there are two shares: your local share (on your device) and the network share (on Ika). Both are needed to sign.

keccak256

The cryptographic hash function used throughout Kairo for computing intent hashes, event hashes, and policy roots. Same hash function used by Ethereum.

M

MPC

Multi-Party Computation. A cryptographic technique allowing multiple parties to jointly compute something (like a signature) without any party learning the others' private inputs. Kairo uses MPC so neither you nor Kairo alone can sign transactions.

N

Namespace

A category of blockchain type. Kairo uses three namespaces:

  • Namespace 1: EVM (Ethereum and compatible chains)
  • Namespace 2: Bitcoin
  • Namespace 3: Solana

Network Share

The portion of your dWallet's key held by Kairo's Ika network. Can't sign without your local share.

O

Object ID

A unique identifier for objects on Sui blockchain. Your policy, binding, and custody records each have object IDs that you can use to look them up.

P

Passkey

A modern authentication credential that uses your device's secure hardware and biometrics. Replaces passwords. In Kairo, your passkey encrypts your local key share.

Policy

A set of rules that determine what transactions your wallet can sign. Stored on Sui blockchain. Includes destination rules, spending limits, function selectors, and chain restrictions.

PolicyBinding

A link between your dWallet and a specific version of your policy. Ensures that policy changes require explicit approval (reaffirmation) before taking effect.

PolicyReceipt

Proof that a transaction was evaluated against your policy and approved. Created when you initiate a transaction. Consumed (deleted) after the transaction is signed. One-time use prevents replay attacks.

PolicyVault

A smart contract on Sui that enforces policy compliance before any signing can occur. The final gatekeeper that validates receipts and authorizes the MPC network to sign.

Policy Root

A cryptographic hash of your policy's contents. Allows verification that a policy hasn't been tampered with. Computed using keccak256 over BCS-encoded policy fields.

Policy Version

Each update to your policy creates a new version. Old versions are preserved for audit purposes. You must reaffirm your binding to use a new version.

PSBT

Partially Signed Bitcoin Transaction. A format for Bitcoin transactions that aren't fully signed yet. Kairo uses PSBT for Bitcoin signing workflows.

R

Reaffirmation

The act of explicitly approving a new policy version. Required after updating your policy. Prevents attackers from silently changing your policy rules.

Receipt

See PolicyReceipt.

Recovery

The process of regaining signing capability after losing access to your device. Kairo supports multiple recovery methods including passkey cloud sync and encrypted backups.

S

Secure Enclave

A special hardware component in modern devices that provides isolated, tamper-resistant storage for cryptographic keys. Passkeys typically use the secure enclave.

Selector

See Function Selector.

Split Key

A private key divided into multiple pieces (shares) such that all pieces are needed to use the key. Kairo splits your key between your device and the network.

Sui

The blockchain where Kairo's policy engine, vault, and custody trail live. A fast, secure layer-1 blockchain using the Move programming language.

T

Threshold Cryptography

Cryptographic protocols where a threshold number of parties must cooperate to perform an operation. In Kairo's case, 2-of-2 (both you and the network) must participate to sign.

2PC-MPC

Two-Party Computation Multi-Party Computation. The cryptographic technique Kairo uses to split key operations between you and the network. Neither party can sign alone.

U

User Share

The portion of your dWallet's key stored on your device. Encrypted with your passkey. Can't sign without the network share.

V

Vault

See PolicyVault.

Version

See Policy Version.

W

WebAuthn

The web standard that enables passkey authentication. Provides phishing-resistant authentication using hardware security.

Whitelist

See Allowlist.

Common Denial Reasons

When Kairo blocks a transaction, you'll see a denial reason. Here are the common codes:

| Code | Reason | Meaning | |------|--------|---------| | 1 | EXPIRED | Policy has expired | | 2 | DENYLIST | Destination is on your denylist | | 3 | NOT_IN_ALLOWLIST | Destination not in your allowlist | | 10 | CHAIN_NOT_ALLOWED | Transaction on disallowed chain | | 12 | SELECTOR_DENYLIST | Contract function is blocked | | 13 | SELECTOR_NOT_ALLOWED | Contract function not in allowlist | | 15 | ERC20_AMOUNT_EXCEEDS_MAX | Amount exceeds your limit | | 20 | NAMESPACE_NOT_ALLOWED | Blockchain type not allowed | | 21 | BTC_SCRIPT_TYPE_NOT_ALLOWED | Bitcoin address type not allowed | | 22 | BTC_FEE_RATE_EXCEEDED | Bitcoin fee too high |

Need More Help?

© 2026 Kairo Guard. All rights reserved.