where the docs live.
OC Vault docs are split intentionally: this site hosts the product landing, the unified docs site hosts the SDK and integration reference, and the protocol repository hosts the normative spec. Three surfaces, one family.
docs.ochk.io/vault ↗
Reference: quickstart, integration guide, API surface for @orangecheck/lock-core / lock-device / lock-crypto, recipes (TOTP migration, API-key rotation, team-shared vaults), and the security model. This is where developers go.
oc-lock-protocol ↗
Normative protocol spec. SPEC.md, PROTOCOL.md, WHY.md, SECURITY.md, plus test vectors. OC Vault is the consumer-facing productization of Flow 4 (self-vault). The protocol governs the .lock envelope format and the BIP-322 binding.
lock.ochk.io ↗
Reference web client for the broader OC Lock protocol (Flows 1–3: device-to-device, group-to-device, time-locked). If you want to send a secret to someone else, that's the Lock client. OC Vault is specifically the self-vault productization.
quick orientation
- who is oc vault for?
- Bitcoin-native devs and professionals who already manage a Bitcoin wallet and don't want to add a separate SaaS account just to store passwords, TOTP codes, API keys, and recovery codes. Broader audience welcome — but the product is built around "wallet as master password," not as a place for your seed (seeds belong on metal, offline).
- what's the trust model?
- OC holds ciphertext only. The cryptographic contract — "only the wallet can decrypt" — is the product contract. No master password, no recovery backdoor, no KDF policy promises.
- is this the same as a hardware wallet?
- Complementary. Your hardware wallet protects your sats; OC Vault uses that same wallet's BIP-322 signature to gate access to your encrypted secrets. One wallet, both jobs.
- can I self-host?
- Yes. The protocol is open and the SDK is MIT-licensed. Run your own relay, or skip the cloud entirely and live on local + manual export. vault.ochk.io is a paid convenience, not a requirement.