§ trust · integrator due-diligence

The page your compliance reviewer is going to ask for.

The trust posture on me.ochk.io is what the product doesn't do, more than what it does. No token, no custody you didn't choose, no cross-site graph, no KYC — orangecheck never collects PII, ever. Each of those is a binding commitment with a published mechanic that enforces it. Most enterprise security questionnaires can be answered from links on this page; if yours can't, the form on /contact routes to the security inbox.

§ charter

eight commitments OrangeCheck makes to its customers, the protocol, and the Bitcoin community. no token, no custody, no protocol fork, audit verifies without us.

read the charter ↗
§ security

what we hold, what we don't, the anchor pipeline (envelope → OTS → Nostr → offline verifier), the federation custody model, the published abuse limits.

read the threat model
§ privacy

side-by-side comparison vs Sign in with Google / Apple on nine falsifiable properties. the data-flow graph for every byte that crosses an edge.

read the privacy posture
§ custody

three custody options — federation (default), fedimint client, self-custody. the same OC identity binds across all three. you graduate when you're ready, not when we want you to.

read the custody story
§ status

operational health for every subsystem: web, auth host, federation, OTS, Nostr relays, Lightning, Stripe. honest about what runs on which infrastructure.

check current state
§ scale

per-layer capacity ceilings + current federation count → throughput math + the per-project rate limit. The story is "federated, not infinite" — verifiable in real time against /api/public/scale-summary.

read the honest ceilings
§ graduation

graduation IS the product thesis. The published north-star metric — federation custody → BIP-322 self-custody count, rolling 30d/90d. CORS-open at /api/public/graduation-rate; surfaced live on /economics.

see the network metric
§ transparency

right to portability by construction. /me/transparency renders every byte we hold under your identity — events, rebinds, scope grants, attest tier, projects — and a single-button JSON export. Verifiable offline forever via /verify/[id].

see your export
§ compliance

every federation walked through the charter §1 properties. pass/fail per property, blocking issues vs warnings, computed live from the same validator the admin UI runs. CORS-open at /api/public/charter-compliance.

audit the network
§ operators

public directory of every operator pubkey running guardian seats across the network. cross-federation track record + per-fed compliance state. the page a federation creator scans before picking co-operators. CORS-open at /api/public/operators.

scan the directory
§ reputation

integrator-published trust attestations. content-addressed signed envelopes any integrator can publish about an oc identity (good / caution / block). subjects see them at /me/identity; other integrators consult only the aggregate counts via a selective-disclosure scope (no issuer detail leaks). every attestation resolves at /verify/[id] like any other envelope.

verify any envelope
§ transparency

every public number on one page. scale + economics + graduation + compliance pulled from each /api/public/* endpoint into a single live dashboard. Distinct from this index page — /trust is the link map; /transparency is the live numbers.

see the live numbers
§ changelog

product-level changes. spec changes live at docs.ochk.io. incident post-mortems land here.

read what shipped
§ published abuse limits

the anti-gaming layer, in writing.

Every rate cap and review threshold is public. Legitimate users see they're well below the floor; bad actors see the model isn't worth gaming. These mirror the table on /security — both pages are canonical, neither is a summary.

class A · per identity · per day
5

bounds new-account-bonus farming. legitimate users join a few sites a week, not five a day.

class A · per identity · per month
30

monthly cap on durable state-transitions per OC identity.

single-site contribution to monthly earnings
60%

prevents a malicious site from inflating one user's stack to disguise a wash flow as organic.

review threshold · class A · per month
≥ $50

human review queue threshold. class B and C are self-bounded and never trigger.

drop window · max length
92d

a site may batch its payouts into scheduled drops, but no schedule can hold your earned share longer than this — and an open window's boundary can only ever move earlier, never later.

the trust posture, in one sentence

Every envelope your project ever signs verifies on Bitcoin headers without OC being online, against your published Ed25519 JWK and an OpenTimestamps proof. If OC disappears tomorrow — through acquisition, hostile takeover, regulatory action, or sheer attrition — your project_key is yours, your receipts continue to verify, your users' funds graduate to self-custody, and the protocol layer carries on. That's the whole design. The charter is the public version of it; /how is the mechanic-by-mechanic walkthrough.