Security & trust

Control stays with you.

Bot for Kalshi is non-custodial software. Your money remains at Kalshi, you define the rules and limits, and live orders require your explicit activation.

Funds stay at Kalshi

We do not hold customer funds or operate a pooled trading account. The product connects to the Kalshi account you control.

Credentials are encrypted

Kalshi private keys are encrypted at rest with per-user envelope encryption. You can remove a stored key in Settings or revoke it directly at Kalshi.

Permission is explicit

A draft or paper test cannot place a live order. Live operation begins only after you connect credentials and activate the bot.

Risk controls remain visible

Position caps, loss limits and order conditions are part of the strategy you inspect. Activity receipts show what ran and why.

Account and application safeguards

Bounded sessions

Session cookies are HTTP-only and SameSite, with idle and absolute expiration. Production cookies are sent only over HTTPS.

Browser protections

Responses use a content security policy, clickjacking protection, strict transport security in production, and restrictive browser permissions.

Request protection

State-changing browser requests are checked against their origin, and sensitive API paths are authenticated and rate limited.

Account deletion

You can remove your account data and stored credentials from account settings. Our Privacy Policy explains collection and retention.

Report a security concern

Email support@botforkalshi.com with “Security report” in the subject. Include the affected URL, a concise description, reproduction steps and impact. Please avoid accessing another person’s data, disrupting service or publishing details before we have had a reasonable chance to investigate. We do not currently operate a paid bug-bounty program.

For account access, billing or bot help, use Support. Current service health is available on the Status page.

What this page is—and is not

This is a plain-language description of controls currently implemented in the product, not a claim that any internet service can eliminate every risk. Material customer-facing changes are recorded in the public changelog.