Kuvera MCP is a personal, open-source project that connects AI assistants to your Kuvera mutual fund portfolio. This page explains exactly how your data — particularly your Kuvera session token — is handled. The short answer: it isn't stored anywhere, and it is never logged.
Token handling
- Your Kuvera token is a JWT used ephemerally — solely to authenticate the single API request you triggered.
- The token is never written to any database, file, cache, or log.
- Token values match a JWT pattern and are explicitly redacted from application-level logs — including exception stack traces — before any write occurs.
- The token exists in server memory only for the milliseconds required to complete the API call, then is discarded.
- No token is ever transmitted to any third party. The only destination is
api.kuvera.in.
Data handling
- No Kuvera portfolio data, account data, or personal financial information is stored on our servers.
- API responses from Kuvera are forwarded directly to your AI client and not written to any persistent storage.
- We have no access to your data after the API call completes.
- There is no database, no cache layer, no file storage. The server is fully stateless per request.
Server logs
- Standard platform access logs (request path, timestamp, HTTP status code) may be retained by the hosting platform (exe.dev) for operational purposes. They do not contain tokens or financial data.
- Application-level logs contain no tokens or user data. Logs are structured JSON and include only request metadata: path, HTTP method, status code, and response duration.
- All log records are filtered through a
TokenRedactionFilterthat scrubs any JWT-shaped string before it is written — this applies to normal log messages and exception stack traces alike.
Token scope and revocation
- Your Kuvera session token can be used to read portfolio data on your behalf. Treat it like a password.
- The token is tied to your browser session on kuvera.in. It expires automatically when your session ends.
- If you believe your token has been compromised, log out of kuvera.in immediately. This invalidates the session token server-side and renders it unusable.
- You can re-fetch a fresh token at any time by repeating the browser console step.
Project nature
- This is a personal, for-fun, open-source project. No commercial terms, no monetization, no advertising, no data selling.
- Not affiliated with, endorsed by, or partnered with Kuvera / Arevuk Advisory Services Pvt. Ltd.
- The source code is publicly available for review. You can self-host this server if you prefer to run it on your own infrastructure.
Third parties
- No third-party analytics, trackers, or SDKs are included on this website or in the MCP server.
- No cookies are set by this website or server.
- The only external connection made by the server is to
api.kuvera.in, which is Kuvera's official API.
Contact & questions
If you have questions or concerns about how your data is handled, please open an issue on the GitHub repository.