live · mainnet · me.ochk.io
federation-custodied · self-custody-ready
§ trust

The load-bearing absences. And what enforces them.

Trust on me.ochk.io is what the product doesn't do, more than what it does. No token, no custody, no cross-site graph, no KYC by default. Each of those is a binding commitment with public enforcement. This page is the consolidated index.

§ charter

eight commitments OrangeCheck makes to its customers, the protocol, and the Bitcoin community. no token, no custody, no protocol fork, audit verifies without us.

read the charter

§ security

what we hold, what we don't, the anchor pipeline (envelope → OTS → Nostr → offline verifier), the federation custody model, the published abuse limits.

read the threat model

§ privacy

side-by-side comparison vs Sign in with Google / Apple on nine falsifiable properties. the data-flow graph for every byte that crosses an edge.

read the privacy posture

§ custody

three custody options — federation (default), fedimint client, self-custody. the same OC identity binds across all three. you graduate when you're ready, not when we want you to.

read the custody story

§ status

operational health for every subsystem: web, auth host, federation, OTS, Nostr relays, Lightning, Stripe. honest about what runs on which infrastructure.

check current state

§ changelog

product-level changes. spec changes live at docs.ochk.io. incident post-mortems land here.

read what shipped

§ published abuse limits

the anti-gaming layer, in writing.

Every rate cap and review threshold is public. Legitimate users see they're well below the floor; bad actors see the model isn't worth gaming. These mirror the table on /security — both pages are canonical, neither is a summary.

class A · per identity · per day
5

bounds new-account-bonus farming. legitimate users join a few sites a week, not five a day.

class A · per identity · per month
30

monthly cap on durable state-transitions per OC identity.

single-site contribution to monthly earnings
60%

prevents a malicious site from inflating one user's stack to disguise a wash flow as organic.

review threshold · class A · per month
≥ $50

human review queue threshold. class B and C are self-bounded and never trigger.

the trust posture, in one sentence

Every me.ochk.io receipt verifies on Bitcoin headers without us being online, against a public Ed25519 JWK and a published OpenTimestamps proof. If we disappear tomorrow — through acquisition, hostile takeover, regulatory action, or sheer attrition — your funds graduate to self-custody, your history continues to verify, and the protocol layer carries on. That's the whole design. The charter is the public version of it.