The Trust Question
Every time someone hears "connect your broker to an app," the first reaction is the same: "Are you asking for my password?"
It's a fair question. Indian retail investors have heard horror stories: unauthorized trades, scraped credentials, shady third-party apps draining accounts overnight. There have been real cases of fintech apps asking for full login access and misusing it. The skepticism is earned, and you should apply it rigorously before connecting anything to your broker account.
So let's be direct: PortoAI never asks for your Kite password. Here's exactly how the connection works, why it's safe, and what you should check before connecting any AI tool to your investments.
"You don't hand the mechanic your car keys. You let them listen to the engine. That's the difference between trading access and read-only access."
Why Indian Investors Are Rightfully Paranoid
The concern isn't hypothetical. Between 2020 and 2024, several Indian fintech apps were investigated for misusing broker credentials. The pattern was consistent: the app asked users to share login details "for convenience," stored those credentials, and in some cases either used them for unauthorized actions or left them exposed in data breaches.
Zerodha itself has publicly warned users against sharing Kite credentials with third-party apps. Their terms of service explicitly prohibit it. If an app asks you to type your Zerodha username and password into their interface rather than Zerodha's, close the tab and don't look back.
The good news: there is a legitimate, secure way to connect AI tools to your broker. It uses the same technology that powers bank-linked UPI apps and trading terminals. And once you understand how it works, the paranoia can be replaced with informed confidence.
Credential Scraping vs. Secure API Access
Some apps ask you to enter your Zerodha username and password directly into their platform. They then log into Kite on your behalf, pretending to be you. This is called credential scraping, and it represents a fundamental security failure.
Here's what you're actually agreeing to when you do this:
- The app has full access to your account, including the ability to place, modify, and cancel orders
- Your credentials are stored on their servers, not Zerodha's
- If their servers are breached, your Zerodha account is exposed
- Zerodha cannot distinguish between you and the app, so their fraud detection cannot protect you
- You have no audit trail of what the app did in your account
This is not a theoretical risk. It has happened to real investors. Never hand your credentials to a third party.
PortoAI uses Zerodha's official Kite Connect API. You log in on Zerodha's own website, not a PortoAI page. Zerodha then issues a read-only access token to PortoAI. At no point does PortoAI see your password or TOTP. The token only allows reading your holdings and trade history.
Here's what the authentication flow looks like in practice:
- You click "Connect Zerodha" in PortoAI
- You are redirected to Zerodha's own website, not a PortoAI page
- You log in on Zerodha's site with your username, password, and TOTP (the 6-digit code from your authenticator app)
- Zerodha issues a read-only access token to PortoAI
- PortoAI uses that token to read your holdings and positions
At no point does PortoAI see your password or your TOTP. You're logging into Zerodha on Zerodha's infrastructure, and Zerodha is deciding what PortoAI can access.
The token itself is limited in scope. It grants read access to specific data categories: holdings, positions, order history, and portfolio value. That's all. No withdrawal capability, no order placement, no account modification.
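To make the five steps above concrete, here is the app-side half of that handshake as an added example. It is not PortoAI's or Zerodha's own code; it is written against the publicly documented Kite Connect v3 endpoints (the login URL on kite.zerodha.com, the `request_token` returned on the redirect, and the `/session/token` exchange whose checksum is SHA-256 over api_key + request_token + api_secret), and it makes no network call. The api_key, api_secret, request_token and callback host are constructed placeholders. The point to notice is what the app never handles: there is no field for the user's password, TOTP, or user ID anywhere in the app's code path.

```python
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Documented Kite Connect endpoints (public API docs). The app never hosts a
# login form; it only redirects the user to Zerodha's page and waits for the
# redirect back.
KITE_LOGIN_URL = "https://kite.zerodha.com/connect/login"
KITE_SESSION_URL = "https://api.kite.trade/session/token"
OFFICIAL_LOGIN_HOST = "kite.zerodha.com"


def build_login_url(api_key: str) -> str:
    """Step 1: the 'Connect Zerodha' button sends the user to Zerodha's site.

    Only the app's public api_key travels in the URL.
    """
    return f"{KITE_LOGIN_URL}?{urlencode({'v': '3', 'api_key': api_key})}"


def is_official_login_host(url: str) -> bool:
    """Checklist item: the login page must be on the broker's own domain.

    The host is compared exactly, so a look-alike such as
    'kite.zerodha.com.evil.example' fails, and plain http fails too.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == OFFICIAL_LOGIN_HOST


def parse_redirect(redirect_url: str) -> str:
    """Steps 2-3: after the user logs in on Zerodha's page (password + TOTP),
    Zerodha redirects back to the app with a short-lived request_token.

    Returns the request_token, or raises if the login did not succeed.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("status", [""])[0] != "success":
        raise ValueError("Zerodha reported an unsuccessful login")
    token = query.get("request_token", [""])[0]
    if not token:
        raise ValueError("redirect is missing request_token")
    return token


def session_checksum(api_key: str, request_token: str, api_secret: str) -> str:
    """Checksum Kite Connect requires when exchanging a request_token:
    SHA-256 over api_key + request_token + api_secret (documented formula).

    The api_secret lives only on the app's server; it is never sent to the
    browser and never shown to the user.
    """
    return hashlib.sha256((api_key + request_token + api_secret).encode()).hexdigest()


def build_session_request(api_key: str, request_token: str, api_secret: str) -> dict:
    """Step 4: the form the app POSTs to Zerodha to obtain the access_token.

    Returned as a dict rather than sent, so the example runs offline. Note
    what is absent from the form: the user's password, TOTP, or user ID.
    """
    return {
        "url": KITE_SESSION_URL,
        "form": {
            "api_key": api_key,
            "request_token": request_token,
            "checksum": session_checksum(api_key, request_token, api_secret),
        },
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    api_key, api_secret = "demo_api_key", "demo_api_secret"
    login_url = build_login_url(api_key)
    print("redirect user to:", login_url, "official host:", is_official_login_host(login_url))
    callback = ("https://app.example/callback"
                "?request_token=demo_request_token&action=login&status=success")
    req_token = parse_redirect(callback)
    print("token exchange request:", build_session_request(api_key, req_token, api_secret))
```

In the official Python SDK the last step is `KiteConnect.generate_session(request_token, api_secret)`, which performs the same checksum and POST; the example spells it out so the data flow is visible. What the resulting access_token is permitted to do is decided by the app's registration with Zerodha, not by anything in this handshake.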
What Is TOTP and Why It Matters
TOTP stands for Time-based One-Time Password. It's the 6-digit rotating code generated by apps like Google Authenticator or Zerodha's own Kite app. The code changes every 30 seconds and is tied to your specific account.
This matters because even if someone obtained your Zerodha username and password, they still couldn't log in without your TOTP code. And since that code rotates every 30 seconds, capturing it doesn't give persistent access.
When you authenticate with Kite Connect via PortoAI, you go through this full TOTP verification, the same security level as logging into Kite directly. There's no weaker back door.
What PortoAI Can and Cannot Access
Once connected, PortoAI can read:
- Holdings: The stocks, ETFs, and bonds in your demat account
- Positions: Your open intraday and F&O positions
- Order history: Past executed trades (used for behavioral analysis)
- Portfolio value: Current market value of your holdings, for calculating exposure and concentration
That's the full list. PortoAI cannot:
- Place, modify, or cancel any order
- Transfer funds in or out of your account
- Access your bank account linked to Zerodha
- Change any account settings or preferences
- See your Zerodha password or 2FA secrets
"We read the scoreboard. We don't play the game."
SEBI's Framework for Third-Party Access
SEBI (Securities and Exchange Board of India) has been progressively building a regulatory framework for technology-based access to broker accounts. The key principle in SEBI's guidance is explicit user consent: any third-party access must be specifically authorized by the account holder, limited in scope, and revocable at any time.
Kite Connect's API model aligns with this framework. When you authenticate, you're explicitly granting PortoAI a defined, limited permission set. That authorization is visible in your Kite API settings, where you can see all connected applications and revoke any of them with a single click.
This regulatory clarity is part of why Kite Connect, and not screen-scraping or credential sharing, is the right foundation for any legitimate Indian fintech integration.
Security Architecture: What Happens to Your Data
Your portfolio data doesn't just pass through PortoAI's servers invisibly. It is:
Encrypted in transit. All data moving between Zerodha's API, PortoAI's servers, and your browser uses TLS encryption, the same standard as online banking.
Encrypted at rest. Portfolio data stored in PortoAI's database is encrypted. Even if a database file were somehow obtained, it would be unreadable without the encryption keys.
Isolated to you. Your data is used only to generate your insights. It is not shared with other PortoAI users, not sold to advertisers, and not used to build any aggregated market signals that could be monetized separately.
Subject to deletion on request. If you disconnect your broker or delete your PortoAI account, your data is purged. Not archived. Deleted.
How to Verify Before You Connect
Before connecting any AI tool, including PortoAI, to your broker account, run through this checklist. If you're still weighing your options, a comparison of the best AI tools for Indian stock market investing is a useful starting point for understanding what to look for.
- Does the app use official API access? Look for mention of "Kite Connect" or "official API." If the app asks for your username and password directly, stop.
- Is the authentication flow on the broker's website? You should be redirected to kite.zerodha.com or another official domain during login, not a third-party page.
- Is the access read-only? The app should explicitly state it cannot place trades or access funds.
- Can you revoke access easily? There should be a clear disconnect option in the app, and the broker's API settings page should show the connection so you can revoke it directly.
- What is their data policy? Look for explicit statements about encryption, non-sharing with third parties, and deletion rights.
PortoAI passes all five. We encourage you to apply this same checklist to every fintech tool you use.
You Stay in Control
At any point, you can disconnect your broker from PortoAI, either from within the app or directly from your Kite API settings page. Your data gets purged, the access token is invalidated, and there's no residual footprint.
The relationship is entirely on your terms. That's not a marketing statement. It's how the authentication architecture works. We literally cannot maintain access to your data after you revoke permission.
Once you've seen how PortoAI unifies Zerodha and Groww into one view, you'll understand why the secure API connection is worth setting up. The insights only become available once the data is connected, and the data is only connected on your explicit terms. After connecting, you get a full AI-powered portfolio tracker for Zerodha and Groww that surfaces overlap, concentration risk, and behavioral patterns in one place.
Security isn't a feature we bolt on. It's the foundation everything else is built on.
Connect your Zerodha account securely. No password sharing, read-only access, revoke anytime.
Frequently Asked Questions
Does PortoAI store my Zerodha password?
No. PortoAI never sees or stores your Zerodha password. You authenticate directly on Zerodha's own website, and PortoAI only receives a read-only access token: a temporary key that expires automatically and can be revoked by you at any time from your Kite API settings.
Can PortoAI place trades in my Zerodha account?
No. PortoAI's Kite Connect integration is strictly read-only. We can see your holdings, positions, and order history, but we have zero ability to place, modify, or cancel any order in your account. This is enforced by Zerodha at the API level: a technical constraint, not a policy claim.
What should I do if an app asks for my Zerodha username and password directly?
Do not use it. Any app that asks you to enter your Kite login credentials on their own platform is using credential scraping, which violates Zerodha's terms of service and gives that app full control over your account, including the ability to place trades and access funds.
Can I revoke PortoAI's access to my Zerodha account?
Yes, at any time. You can disconnect from within PortoAI, which invalidates the access token and stops all data access immediately. You can also revoke access directly from your Kite dashboard under Console > API, where all connected apps are listed.
Is my portfolio data encrypted in PortoAI?
Yes. All portfolio data is encrypted both in transit (TLS) and at rest. It is used solely to generate your personal insights and is never sold, shared with advertisers, or aggregated for any third party. If you delete your account, the data is purged.
