me·ochk·io
sign in
live · mainnetme · ochk · io
federation-custodied · self-custody-ready
§ custody

Three options. The same identity across all three.

OrangeCheck the company never holds your funds. Until you graduate to self-custody, federation guardians do — collectively, by threshold, with operational diversity built in. The bridge from convenience to sovereignty is a UI flow, not a migration project.

[01]

federation custody

the default. easy, recoverable, threshold-guarded.

signing_method:
fedimint_threshold

guardians collectively hold the key. me.ochk.io is one guardian among several. you sign by asking the federation to threshold-sign on your behalf. recovery is straightforward — re-prove your email/phone and the federation re-binds the wallet to a new device.

§ pros
  • + no seed phrase to lose
  • + recovery via email/phone
  • + sat-earning works immediately
  • + threshold geographic + operational diversity
§ cons
  • guardians can collectively censor your spend (require threshold collusion)
  • requires you to trust at least one guardian to act honestly
[02]

fedimint client

graduate to a fedimint federation of your choice.

signing_method:
fedimint_threshold (different federation)

sweep your sats from the me.ochk.io federation to a fedimint federation you trust more (your community's, your country's, your own). same sat-earning, same oc identity — only the guardian set changes. supports any fedimint-compatible client (fedi, fedimint-cli, etc).

§ pros
  • + choose guardians you trust
  • + lightning natively
  • + oc identity continues unchanged
  • + no kyc on most federations
§ cons
  • still custodial (just by a different threshold group)
  • federation-level censorship still possible
[03]

self-custody

sweep to a wallet you fully control.

signing_method:
bip-322

sweep your sats to any BIP-322-capable Bitcoin wallet (UniSat, Xverse, Leather, Alby, Sparrow, your hardware wallet). the same oc identity binds; signing flips from federation_threshold to bip-322. you hold the keys; nobody else can sign for you, including us. cashback streams as Lightning to your wallet.

§ pros
  • + true sovereignty — only you can sign
  • + no third-party censorship
  • + works fully offline once you have the keys
  • + the protocol's native end-state
§ cons
  • you own backup and recovery
  • lose the keys, lose the funds — there is no recovery
  • lightning self-custody requires a wallet that handles channels
§ federation guardians

who holds the keys (until you graduate).

The current federation guardian set. Geographic and operational diversity is the safety story. We publish guardian additions, jurisdiction changes, and threshold parameter changes here as they happen.

operatorjurisdictionrolepublic key
orangecheckus-defounding guardian · operator-of-recordpending publication
tbd · guardian #2reservedpre-launch ratification
tbd · guardian #3reservedpre-launch ratification

Per § 11 of the build brief, v2 targets at least 5 independent guardian operators across 3 jurisdictions before any external comms about scale. v1 ships with a smaller, ratified set; this page is the canonical published guardian list and updates with each addition.

why federation custody is the right onboarding bridge

Self-custody is correct, eventually. Asking a brand-new user to handle a seed phrase on day one is the wrong onboarding. Most consumers will lose the seed, retreat to centralized exchanges, and the Bitcoin onboarding story stalls there.

Federation custody is the bridge. A threshold of operators collectively holds the keys; no single party (us included) can spend or freeze. Recovery is by re-proving your email or phone, not by remembering twelve words. When the user is ready, /me/graduate sweeps the balance to a wallet they own. Same oc identity, different signing method — the protocol design accommodates both since day one.

For the technical signing-method discriminator, see /security. For the integrator-side view of what changes when a user graduates, see /integrate.

The protocol-level shape of federation custody — descriptor schema, graduation envelope, M-of-N guardian threshold, OTS-anchored rotation — lives in the v1.2-draft-1 oc-attest extension at oc-attest-protocol/FEDERATION-CUSTODY.md. That document is the contract; the page you're reading is the product expression of it.