What we hold. What we don't. How the anchor works.
The boring parts of running a Bitcoin-anchored consumer identity surface. Threat model, anchor posture, federation custody architecture, and the published rate limits that make the anti-gaming layer self-policing.
- > public Bitcoin addresses associated with OC identities
- > content-addressed envelopes (signed, verifiable, anchorable)
- > session creation timestamps and policies declared by integrating sites
- > aggregate sats-flow billing records for site invoicing
- > OpenTimestamps proofs (publicly verifiable)
- > Nostr relay-published kind-30078–30099 events
- > operational logs (rotated, retention bounded)
Everything we hold is either public by design (envelopes, OTS proofs, Nostr events) or operational metadata required to invoice integrating sites. None of it depends on us being online to remain valid.
- × private keys (yours or anyone else's)
- × custodial fiat or sat balances on behalf of users
- × a cross-site graph of which integrating sites you signed into
- × your payment history outside the events you authorized through OC
- × KYC PII (held by third-party verifiers, never by OC)
- × any "OC token" — there isn't one
- × a single-custodian wallet — federation guardians do that, collectively
The first two are the load-bearing absences. The third is the privacy distinction from Sign in with Google. The rest follow the charter.
every event traces back to a Bitcoin block.
Every billable event is a content-addressed JSON envelope with an explicit class (A/B/C), subtype, integrating site, fee breakdown, and Ed25519 signature. Envelopes are canonicalized via RFC 8785. The identity field is a Bitcoin address; the site signs with its project key.
Aggregated event roots are stamped via OpenTimestamps to at least three independent calendars (alice, bob, finney). Once a Bitcoin block confirms the OTS calendar root, every event under it is anchored.
Public envelopes are published to a relay set (damus, nostr.band, nos.lol, snort.social) under the OrangeCheck-family kinds. Anyone can re-derive your event history from those relays + OTS proofs without any OC server being online.
A user can hand-derive the envelope hash, verify the Ed25519 signature, walk the OTS proof to a Bitcoin block hash, and confirm the block exists in their own node, without OC infrastructure. We sell operations, not gatekeeping.
guardians hold the keys, never us.
Until you graduate to self-custody, your sats sit in a Fedimint-style federation wallet collectively guarded by a threshold-signing group. OC operates as one guardian among several, never as the single custodian. Geographic and operational diversity across the guardian set is the safety story — see /custody for the current guardian list and the graduation flow.
the rate caps are public so legitimate users can see they're below them.
The anti-gaming layer is public. Limits are intentionally generous for legitimate users and visibly tight enough that scripted sybil farming is unprofitable. They evolve with usage data; this page is the canonical source of truth.
| limit | value | why |
|---|---|---|
| class A · per identity · per day | 5 | bounds new-account-bonus farming. legitimate users join a few sites a week, not five a day. |
| class A · per identity · per month | 30 | monthly cap on durable state-transitions per OC identity. |
| single-site contribution to a user's monthly earnings | ≤ 60% | prevents a malicious site from inflating one user's stack to make a wash-trade flow look organic. |
| review threshold · class A · per month | ≥ $50 | flags an identity whose monthly class-A earnings exceed this threshold for human review. class B and C are self-bounded and never trigger. |
| flag · unfamiliar site · class A | on | anomaly flag (not block) on first class-A event from an OC identity at a site it has never previously interacted with. |
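
The limits in the table, applied to a small constructed event stream. This is an added example, not OC's own code; the event record shape, the flag names, the identity placeholders (real identities are Bitcoin addresses), and treating every limit as a flag rather than a rejection are assumptions.

```python
from collections import defaultdict
from datetime import date

# Limits copied from the table above.
DAILY_CAP, MONTHLY_CAP, MAX_SITE_SHARE, REVIEW_USD = 5, 30, 0.60, 50.0

def evaluate(events):
    """Return {identity: sorted flags} for chronologically ordered events.
    Event shape (assumed): identity, site, cls ("A"/"B"/"C"), day, usd."""
    day_a = defaultdict(int)        # (identity, day)   -> class-A count
    month_a = defaultdict(int)      # (identity, month) -> class-A count
    usd_a = defaultdict(float)      # (identity, month) -> class-A earnings
    by_site = defaultdict(lambda: defaultdict(float))  # (identity, month) -> site -> usd
    seen = defaultdict(set)         # identity -> sites already interacted with
    flags = defaultdict(set)
    for e in events:
        ident, site, day = e["identity"], e["site"], e["day"]
        key = (ident, (day.year, day.month))
        first_contact = site not in seen[ident]
        seen[ident].add(site)
        by_site[key][site] += e["usd"]          # all classes count toward site share
        if e["cls"] != "A":
            continue                            # class B and C never trigger
        day_a[(ident, day)] += 1
        month_a[key] += 1
        usd_a[key] += e["usd"]
        if first_contact:
            flags[ident].add("unfamiliar-site")  # anomaly flag, not a block
        if day_a[(ident, day)] > DAILY_CAP:
            flags[ident].add("daily-cap")
        if month_a[key] > MONTHLY_CAP:
            flags[ident].add("monthly-cap")
        if usd_a[key] > REVIEW_USD:
            flags[ident].add("human-review")
    for (ident, _), sites in by_site.items():
        total = sum(sites.values())
        if total > 0 and max(sites.values()) / total > MAX_SITE_SHARE:
            flags[ident].add("site-concentration")
    return {ident: sorted(f) for ident, f in flags.items()}

def sample_events():
    """Constructed data: one ordinary identity, one scripted farmer."""
    ev = lambda i, s, c, d, usd: dict(identity=i, site=s, cls=c, day=date(2025, 1, d), usd=usd)
    ordinary = [ev("user-1", "site-a", "B", 1, 1.0), ev("user-1", "site-a", "A", 1, 2.0),
                ev("user-1", "site-b", "B", 2, 1.0), ev("user-1", "site-b", "A", 2, 2.0)]
    farmer = [ev("farm-1", "site-x", "A", 3, 10.0) for _ in range(6)]
    return ordinary + farmer

if __name__ == "__main__":
    print(evaluate(sample_events()))
```

The ordinary identity raises no flag because its first contact with each site was a class-B event and its earnings are split evenly across two sites; the farmer trips four of the five rules in a single day.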
responsible disclosure
Security issues — wire-format bugs, signature-verification gaps, envelope confusion attacks, custody-related concerns — go to security@ochk.io. Triage in 48 hours. We coordinate disclosure with the affected protocol repos in github.com/orangecheck.