Overview

KaireonAI supports two authentication methods:
  • Google OAuth — one-click sign-in with your Google account
  • Email & Password — register with email, verify, then sign in
Both methods create a personal workspace where you have full admin access. Each user gets their own isolated tenant — your data is completely separate from other users.

Playground Registration

The hosted playground at playground.kaireonai.com offers self-service registration.

Sign Up with Google

  1. Visit playground.kaireonai.com/register
  2. Click Sign up with Google
  3. Select your Google account
  4. You’re signed in — no email verification needed
Google OAuth users are automatically verified and receive a welcome email.

Sign Up with Email

  1. Visit playground.kaireonai.com/register
  2. Fill in your name, email, and password
  3. Click Create Account
  4. Check your inbox for a verification email from support@kaireonai.com
  5. Click the Verify Email link
  6. Sign in at playground.kaireonai.com/login
Password requirements: minimum 8 characters, at least 1 uppercase letter, at least 1 number.

After Registration

New users land on the platform as an admin of their personal workspace. An onboarding banner guides you to load sample data — go to Settings → Sample Data and load a dataset pack (e.g., Starbucks Offers) to explore the full platform. You have full access to create offers, schemas, decision flows, pipelines, and everything else.

Playground Limits

Decision Quota

Each playground workspace has a 5,000 lifetime decision limit. Decisions are counted when:
  • The Recommend API generates impressions
  • Batch pipeline runs produce decisions
  • Journey triggers fire automated decisions
Read operations and outcome recording (Respond API) do not count toward the limit. When the limit is reached, you’ll see a banner with options to continue.

Workspace Reset

If you’ve used up your decisions or want to start fresh, go to Settings → Reset Workspace. This deletes all data in your workspace (offers, flows, schemas, interaction history, etc.) and resets your decision counter to 0. Your account and workspace remain intact.

No Entity Limits

There are no limits on creating entities (offers, schemas, decision flows, pipelines, etc.) in the playground. The only constraint is the 5,000 decision cap.
The playground is a shared environment. Do not use production data or real customer information. For production use, self-host the platform or email support@kaireonai.com for a managed SaaS plan.

Data Isolation

Every user’s data is completely isolated in their own tenant:
  • Separate data storage — offers, schemas, pipelines, interaction history, and all other data are scoped to your tenant
  • No cross-tenant access — API routes enforce tenant boundaries on every request
  • Independent models — scoring models and experiments are trained only on your tenant’s data
  • Isolated decision flows — your flows, rules, and configurations are private to your workspace

Self-Hosted Authentication

When self-hosting KaireonAI, authentication is configured via environment variables:
| Variable | Description | Required |
|---|---|---|
| NEXTAUTH_SECRET | Random secret for signing JWT sessions | Yes |
| NEXTAUTH_URL | Public URL of your deployment (e.g., https://your-domain.com) | Yes |
| GOOGLE_CLIENT_ID | Google OAuth client ID | For Google sign-in |
| GOOGLE_CLIENT_SECRET | Google OAuth client secret | For Google sign-in |
| SES_FROM_EMAIL | Sender email for transactional emails | For email registration |
| AWS_REGION | AWS region for SES | For email registration |
Self-hosted instances have no decision limits — the 5,000 cap only applies to the hosted playground.

Google OAuth Setup

To enable Google sign-in on your self-hosted instance:
  1. Create OAuth credentials: go to Google Cloud Console and create an OAuth 2.0 Client ID for a Web application.
  2. Configure redirect URIs: add your deployment URL as an authorized redirect URI:
       https://your-domain.com/api/auth/callback/google
     For local development, also add:
       http://localhost:3000/api/auth/callback/google
  3. Set environment variables:
       GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
       GOOGLE_CLIENT_SECRET=GOCSPX-your-secret


Email Verification Setup

Email verification requires an email sending service. The platform uses AWS SES by default:
  1. Verify your domain in SES: add DKIM records and verify your sending domain in the AWS SES console.
  2. Set environment variables:
       SES_FROM_EMAIL=support@your-domain.com
       AWS_REGION=us-east-1
If running on AWS (App Runner, ECS, EC2), the platform uses the IAM instance role for SES — no credentials needed. For other environments, configure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
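
A preflight check for the variables in the Self-Hosted Authentication table and the two setup procedures above, as an added example that is not part of the KaireonAI code base. The function name `checkAuthEnv`, the 32-character floor for `NEXTAUTH_SECRET`, the localhost exception for plain HTTP, and the sample values are assumptions of this example.

```typescript
// Added example, not KaireonAI code: preflight check for the auth variables on this page.
type Env = Record<string, string | undefined>;
// Placeholder strings from this page's examples; they must not reach a real deployment.
const PLACEHOLDERS = ["your-domain.com", "your-client-id", "GOCSPX-your-secret"];
// Variables that are only meaningful as a pair (both set or both unset).
const PAIRS: [string, string][] = [
  ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
  ["SES_FROM_EMAIL", "AWS_REGION"],
  ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"],
];

function checkAuthEnv(env: Env): { problems: string[]; googleRedirectUri: string | null } {
  const problems: string[] = [];
  const val = (k: string): string => (env[k] ?? "").trim();
  let googleRedirectUri: string | null = null;
  for (const k of ["NEXTAUTH_SECRET", "NEXTAUTH_URL"]) {
    if (!val(k)) problems.push(`${k} is required`);
  }
  // Assumption of this example: 32 characters as the floor for a random signing secret.
  const secret = val("NEXTAUTH_SECRET");
  if (secret && secret.length < 32) problems.push("NEXTAUTH_SECRET is shorter than 32 characters");
  if (val("NEXTAUTH_URL")) {
    try {
      const url = new URL(val("NEXTAUTH_URL"));
      const local = url.hostname === "localhost";
      if (url.protocol !== "https:" && !local) problems.push("NEXTAUTH_URL must use https outside localhost");
      // Callback path from the redirect URI step; register exactly this URI with Google.
      googleRedirectUri = `${url.origin}/api/auth/callback/google`;
    } catch {
      problems.push("NEXTAUTH_URL is not a valid URL");
    }
  }
  for (const [a, b] of PAIRS) {
    if (Boolean(val(a)) !== Boolean(val(b))) problems.push(`${a} and ${b} must be set together`);
  }
  for (const [k, v] of Object.entries(env)) {
    if (v && PLACEHOLDERS.some((p) => v.includes(p))) problems.push(`${k} still holds a placeholder value`);
  }
  return { problems, googleRedirectUri };
}

// Constructed sample environment (not real credentials).
const sampleEnv: Env = {
  NEXTAUTH_SECRET: "changeme",
  NEXTAUTH_URL: "http://decisions.example.org",
  GOOGLE_CLIENT_ID: "1234-abc.apps.googleusercontent.com",
  SES_FROM_EMAIL: "support@your-domain.com",
  AWS_REGION: "us-east-1",
};
console.log(checkAuthEnv(sampleEnv));
```

In a startup script, pass `process.env` instead of the sample object and exit non-zero when `problems` is not empty.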

Seed Admin User

For self-hosted deployments, create the initial admin user with the seed script:
npx tsx prisma/seed.ts
This creates a default tenant and an admin user (admin@kaireonai.com / admin123). Because these default credentials are public, change the password immediately after first login.

User Roles

| Role | Permissions |
|---|---|
| Admin | Full access — manage users, settings, all modules |
| Editor | Create and modify offers, rules, flows, pipelines |
| Viewer | Read-only access to all modules |
New playground registrations receive the admin role on their personal workspace. Self-hosted admins can manage roles via the database.

Security

  • JWT sessions — 30-minute expiry, auto-refreshed
  • Account lockout — 5 failed login attempts lock the account for 15 minutes
  • Email verification — required for email/password registration
  • Rate limiting — registration endpoint: 5 attempts per IP per hour
  • CSRF protection — all state-changing API requests require an X-Requested-With header
  • Tenant isolation — all data access is scoped to the authenticated user’s tenant