OC Vault · Quickstart

Five steps from cold to a working vault. No OC account to create — your Bitcoin identity is the account. Nothing here is destructive, and the free tier needs no payment.

01 · sign in with Bitcoin

Open vault.ochk.io and click sign in. Vault uses the OrangeCheck family auth host at ochk.io:

  • Bitcoin wallet — a single BIP-322 challenge. UniSat, Xverse, Leather, OKX, Phantom, Sparrow, or a manual paste-and-sign fallback.
  • Email-OTP — for users without a wallet, a federation-custodied identity is provisioned silently.

There is no password to choose and none to forget. The session is a short-lived signed cookie scoped to .ochk.io; vault.ochk.io verifies it locally and stores nothing about you server-side beyond payment status.

02 · the vault key is generated for you

On first load your browser generates a vault key — 32 random bytes held in IndexedDB. This is the AES-256-GCM key that seals every entry. It never leaves the device and OC never sees it.

You don't manage this key directly. Its fingerprint (sha256[:8]) is shown on the settings page so you can confirm two devices are not yet sharing one — that is what cloud sync is for.

03 · add your first entry

Click new entry (or press n). Pick a type — password, TOTP, API key, env (a .env-shaped bundle of KEY=value vars), card, identity, note, key-value, or file — give it a name, fill the fields, create.

A few things worth knowing on day one:

  • Generate a password — the editor has an inline generator with a live strength meter. Switch it to passphrase mode for a diceware-style secret. Press g anywhere for the standalone generator.
  • Tag it — type a tag and press Enter. Tags are the flexible alternative to folders; filter by them on the dashboard.
  • Star it — favorites pin to the top of the list.
  • Custom fields — add arbitrary extra fields; mark any of them secret.

Press ? on the dashboard for the full keyboard-shortcut list.

04 · audit your passwords

Open vault health (press h). The audit runs entirely in your browser and flags:

  • reused — the same password protecting more than one entry
  • weak — low estimated entropy
  • insecure URL — a login that points at plain http://

Click run breach scan to additionally check each password against the Have I Been Pwned corpus. The check is privacy-preserving: the password is hashed locally and only the first five hex characters of that hash are sent. See Security.
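An added example (not OC Vault's own code) of the range check described above, assuming the public Have I Been Pwned range format: SHA-1 digests and `SUFFIX:COUNT` response rows. The function names and the in-memory stand-in for the endpoint are hypothetical, and the sample data is constructed so the block runs offline under Node.

```javascript
// Added example: k-anonymity breach lookup. Only a 5-hex-char prefix leaves the device.
const { createHash } = require('node:crypto');

// Assumption: the range service indexes passwords by uppercase SHA-1 hex (HIBP format).
function sha1Hex(password) {
  return createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
}

// Split the 40-char digest: the prefix is sent, the 35-char suffix stays local.
function splitHash(password) {
  const hex = sha1Hex(password);
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response: one "SUFFIX:COUNT" row per line. Malformed rows are
// skipped, and padding rows (count 0) are not treated as breaches.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m && Number(m[2]) > 0) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// fetchRange(prefix) returns the response body; it is injected so the transport
// can be swapped (a real client would issue an HTTPS GET for the prefix).
function breachCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return parseRange(fetchRange(prefix)).get(suffix) ?? 0;
}

// Constructed in-memory stand-in for the range endpoint. It records every
// prefix it receives so the caller can confirm what was disclosed.
function makeFakeRange(corpus) {
  const seen = [];
  const fetchRange = (prefix) => {
    seen.push(prefix);
    return Object.entries(corpus)
      .map(([pw, n]) => ({ ...splitHash(pw), n }))
      .filter((row) => row.prefix === prefix)
      .map((row) => `${row.suffix}:${row.n}`)
      .join('\r\n');
  };
  return { fetchRange, seen };
}

// Constructed sample data, not real breach counts.
const demo = makeFakeRange({ password: 42, 'constructed-padding-row': 0 });
console.log(breachCount('password', demo.fetchRange), demo.seen);
```

The suffix comparison happens on the client, so the service learns only which 5-character bucket was queried. In a browser the same digest would come from `crypto.subtle.digest('SHA-1', ...)`.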

05 · (optional) turn on cloud sync

The free tier is local-only and complete. To sync encrypted entries across devices, pay in sats over Lightning — prepaid time, no auto-renew, no card, no lifetime SKU:

  • Monthly — 7,000 sats / 30 days
  • Annual — 70,000 sats / 365 days (two months cheaper than monthly)
  • Family Circle — 200,000 sats / 365 days · adds a shared team vault up to 10 seats on top of your personal sync. See Teams.

Click pay with lightning on the dashboard. A BTCPay invoice opens; the moment it settles, the dashboard flips sync on automatically. What syncs is double-encrypted ciphertext — OC's storage layer sees only a random envelope id and a timestamp. See Protocol.

Always: export a backup

From settings → portable export, download every entry as a single JSON file. That file is the same ciphertext that lives in your browser. Anyone who later recovers your vault key can decrypt it with @orangecheck/lock-crypto from npm — no vault.ochk.io required. Do this before you wipe a device.

Migrating in

Already using another manager? settings → import from CSV parses exports from 1Password, Bitwarden, LastPass, and Chrome (plus a generic fallback). Parsing happens entirely in your browser — the CSV file never reaches a server. otpauth:// URIs are split out into separate TOTP entries automatically.

Use it everywhere

The same vault is available from three surfaces:

  • The browser — install the OC Vault extension for autofill, login capture, and one-click access to your vault from the toolbar.
  • The shell — npm install -g @orangecheck/vault-cli gives you the oc-vault command: read, run, inject, export, item list/get. Resolves ocv://personal/<item>/<field> references from .env files, templates, and CI jobs.
  • Your code / CI — the @orangecheck/vault-core SDK and the GitHub Action build on the same primitives. Headless access uses an access token that authorizes transport only; the passphrase still does the decrypting, in-process.