priced in sats.
paid in lightning. no card on file.
Free forever locally. Cloud sync via vault.ochk.io is a flat prepaid period over Lightning — monthly to try, annual for two months free. No fiat, no card, no auto-renew, and no lifetime lock-in: you pay for the service only while you use it, and your data stays yours either way.
local
- unlimited entries
- local-only storage (IndexedDB)
- self-supplied sync (your Nostr relay or HTTP blob URL)
- portable .lock envelope export
- open SDK forever (@orangecheck/lock-core)
- join any team you’re invited to — free
vault cloud monthly
lightning
- everything in local
- personal cloud sync via vault.ochk.io
- cross-device unlock with one sign-in
- one orangecheck identity · 30 days
- pay-as-you-go · re-pay over lightning · no card on file
vault cloud annual
lightning
- everything in monthly
- one orangecheck identity · 365 days
- two months free vs paying monthly
- priority email support
- one lightning payment a year · no card, no auto-renew
family circle
lightning
- everything in annual, plus your own team vault
- create + own one shared team · up to 10 seats (you included)
- need more? add seats at 40,000 sats / seat / year
- roles: owner · admin · member · viewer — promote teammates
- every member signs in as themselves — no shared password
- inviting members is free — they don’t need a paid plan
| feature | local · free (free forever) | cloud monthly (7,000 sats) | cloud annual (70,000 sats) | family circle (200,000 sats) |
|---|---|---|---|---|
| unlimited entries | | | | |
| end-to-end encryption (AES-256-GCM): vault sees ciphertext only — always, every tier | | | | |
| local-first storage (IndexedDB) | | | | |
| portable .lock export + open MIT SDK | | | | |
| self-supplied sync (your relay / blob URL) | | | | |
| hosted cloud sync (vault.ochk.io) | | | | |
| cross-device unlock with one sign-in | | | | |
| prepaid period | — | 30 days | 365 days | 365 days |
| priority email support | | | | |
| team vaults you can own (being invited to a team is unlimited + free on every tier) | | | | 1 |
| team seats included | — | — | — | up to 10 |
| extra seats add-on | | | | 40k sats / seat / yr |
| team roles (owner · admin · member · viewer) | | | | |
| join a team you’re invited to (always free — no paid plan required to be a member) | | | | |
at $95,000/BTC right now. The sat price never changes; the dollar number falls as BTC rises.
1Password Individual — cheaper, but they hold your ciphertext database (see LastPass 2022). We can’t: vault sees ciphertext only. You’re paying for a guarantee, not a feature list.
the value to OC of being subpoenaed for your vault. We have ciphertext only; we can hand it over and you remain safe.
Card processors require a custodial business relationship we explicitly refuse to have. Lightning gives instant settlement, no chargebacks, no PII, and matches the product's posture: your money is bearer, your secrets are bearer.
Cloud sync is a running service — storage, bandwidth, a Lightning node we operate ourselves. A one-time "lifetime" price against a forever cost is the promise that gets quietly broken later (cut corners, then the breach). So you prepay a flat period over Lightning — monthly or annual, no card on file. The thing that’s actually forever is the open format: local-first, MIT SDK, your exports decrypt with or without us.
questions worth asking
- what counts as one 'identity' for billing?
- One OrangeCheck identity. For a Bitcoin-wallet sign-in that’s the BIP-322 address you signed in with; for email-OTP that’s the federation-custodied identity provisioned at sign-up. Either way: one identity, one entitlement.
- what if I lose my passphrase or sign-in?
- Two different keys, two different consequences. Your passphrase derives the vault key — lose it without a recovery code and the encryption is unrecoverable, even by us. That is the design. Your sign-in (a Bitcoin wallet or an email-OTP federation identity) opens the server session that fetches the ciphertext; recover it like any other credential. Mitigations: set a Recovery Code on the settings page; keep an offline export of your .lock envelopes; opt into the Witnessed Recovery slot when it lands.
- can OC read my entries?
- No. We hold ciphertext only. Even with full database access we cannot decrypt: the vault key never leaves your browser, and entries are sealed under AES-256-GCM with a fresh nonce per entry. Cloud-sync blobs are double-encrypted; OC sees neither names nor types.
- what if vault.ochk.io disappears?
- Your exports still decrypt. The protocol is open, the SDK is MIT-licensed, the envelope format is documented in oc-lock-protocol. Self-host the relay, or skip the cloud entirely and live on local + manual export.
- what happens when my cloud sync expires?
- Nothing is lost. The hosted mirror simply stops accepting new pushes and stops serving pulls until you re-pay — every entry still lives in your browser’s IndexedDB and in any .lock export you made. We surface the expiry date on the settings billing tab; there’s no card on file, so renewal is always a deliberate Lightning payment, not a silent charge. A short grace window covers a late renewal.
- can I create a team on monthly or annual?
- No — creating and owning a team vault is the Family Circle tier. Monthly and annual are personal cloud sync. But being invited to a team is free for everyone (even the free local tier): you read and write a team’s shared entries as a member with no paid plan. One Family purchase lets you own one team of up to ten seats, you included.
- what if my team needs more than 10 seats?
- Add seats from the settings billing tab or the team’s manage page: extra seats are 40,000 sats each per year. The first ten come bundled with Family Circle at a discount (200,000 sats for 10 ≈ 20k each); seats beyond the bundle are à-la-carte at the higher rate — still well under typical per-user team-password pricing. Buy 5 and you have a 15-seat team for a year; renew over Lightning to keep them. Let the extra allowance lapse and you simply can’t add new members past 10 — no one is ever removed.
- does family circle renew every year?
- Family Circle is a 200k-sat purchase that keeps your shared team vault (up to 10 seats) live for 365 days. Renew it over Lightning to keep the team going; each member’s own personal vault is independent (free locally, or their own monthly/annual sync).
- is witnessed recovery available yet?
- Coming in v1.8. It will be 70k sats/year for an OC-hosted timelocked recovery shard — sealed to OC's device key with a release rule that requires a BIP-322 wallet-loss declaration plus a 14-day delay. OC sees ciphertext only and cannot release the shard outside the rule.