Onboarding Without a Dossier: How me.ochk.io Turns the Signup Form Inside Out

The signup form is a tax you pay in identity

Every account you hold was created by handing over an email address, usually a phone number, and increasingly a government document or a face. The stated reason is account recovery and communication. The operative reason is sybil resistance. A service that lets anyone register for free at unlimited scale drowns in spam, fake reviews, fraudulent signups, and vote manipulation, so it raises the cost of an account by demanding something an attacker cannot cheaply replicate ten thousand times. A phone number costs money and ties to a SIM. An email survives a verification round trip. A KYC document ties to a legal person. The mechanism works, and it has a price, and the price is paid almost entirely by the honest user, who surrenders a permanent, linkable, resellable record of who they are in exchange for the right to participate. The platform collects that record, monetizes it, leaks it in the next breach, and counts the spam it deterred as the benefit. The user counts the surveillance as the cost. The arrangement has been so stable for so long that it reads as the natural shape of the internet rather than as one particular and bad settlement of a solvable problem.

me.ochk.io is an attempt to settle it differently. It is the consumer front door to the OrangeCheck protocol family, and its claim is narrow and testable: you can onboard to a website by proving you control a Bitcoin address, hand over no personal data at all, and have the site pay you satoshis for the legitimate activity you generate rather than the other way around. The auth ceremony is the load-bearing piece, and the most interesting thing about it is everything it declines to record.

The ceremony that collects nothing

There are two ways in, and both terminate in the same place. The first is a Bitcoin wallet signature. A user clicks sign-in, the auth host at ochk.io returns a challenge message with a nonce and an expiry, the user signs it with their wallet using BIP-322, and the host verifies the signature against the address. UniSat, Xverse, Leather, Alby, OKX, and Phantom are the supported signers. No transaction is broadcast, no fee is paid, no coin moves. The signature is a proof of control over a key, nothing more, and it is the entire enrollment. The second path is an email one-time code, present as a bridge for people who do not yet hold a wallet. A six-digit code arrives, the user types it, and the host records the email encrypted at rest with AES-256-GCM, indexed only by a hash so that a database leak does not surrender the plaintext.

What happens on the first successful proof is the part worth dwelling on. The system mints an account whose canonical identifier is an opaque string of the form did:oc followed by thirty-two hex characters. The Bitcoin address or the email is not the account identity; it is stored as one linked credential among possible others, and the account is the opaque identifier that points to it. No name is requested. No phone is requested. No address, no document, no date of birth, no location beyond whatever the public Bitcoin ledger already reveals about an address you chose to disclose. The fields a normal signup form treats as mandatory simply do not exist in the schema. The absence is not a privacy setting the user toggles on. It is the default, and there is no toggle to turn it off, because the data was never collected to begin with.

A signature can stand in for a dossier, and the session proves it

The objection that arrives first is that a signature cannot do the work of a verified email, because a key is not a person. That objection is correct and beside the point. The signature is not claiming to identify a person. It is claiming control of a key, and control of a key is exactly the thing an authentication system actually needs and the thing an email was always a clumsy proxy for. The pattern is not new in spirit. Sign in with Ethereum standardized message signing as login on one chain; passkeys and WebAuthn replaced the password with possession of a device-bound key; Nostr clients prove control of a keypair to a relay. me.ochk.io sits in that family and uses the one signing scheme whose underlying asset carries an external, costly, time-stamped history that a fresh keypair does not have.

The session is where the design shows its discipline. On a successful proof the host issues a session token signed with an Ed25519 key, set as an HttpOnly, Secure cookie scoped to the whole .ochk.io domain, so that every sibling site receives the same session without a second login. The choice of Ed25519 is deliberate and asymmetric in the useful sense: only the auth host holds the private key, so a compromised consumer site cannot forge tokens, and each site verifies the token locally against a published public key with no network call and no shared database of users. The token carries the opaque identifier, a unique token id for revocation, a user-chosen display handle that is never required to be real, and timestamps recording when the user last proved freshness through a hardware assertion or an inline re-authentication. There is no central session server that every site must trust and that every site's traffic must flow through. The identity is a small signed statement that any participant can check with arithmetic. That is the same property Bitcoin gives money, applied to a login.

Pseudonymity is the default, and disclosure is a deliberate act

The architecture that makes this private rather than merely passwordless is the separation between the account a user holds and the face a site sees. Each integrating site receives not the master opaque identifier but a scoped subject derived from it together with that site's own key, so the value site A sees and the value site B sees are different and cannot be matched against each other by the sites alone. A user is one account to themselves and a different unlinkable pseudonym to every site they touch. That is the resting state, and from it the user can choose to reveal more through a scope-grant model that is closer to a permissions dialog than to a signup form.

A site asks for scopes. It can ask for the Bitcoin address, the email, a display handle, an attestation tier, or aggregate signals like a lifetime count of activity across other sites. The user grants or denies each, the grant is recorded per site with its own revocation handle, and the values flow only for what was granted. The scopes that would release a master credential, the address or the email, are gated behind a fresh proof: a hardware assertion or an inline re-authentication inside a five-minute window, so that a stolen long-lived session cookie cannot quietly unmask the user without the user touching a key again. Disclosure becomes an event with a cause and an audit record rather than a precondition of entry. The user starts anonymous-by-pseudonym and decides, site by site and scope by scope, how much of that to spend. The contrast with the standard form, which demands everything at the door and lets the user negotiate nothing, is the entire point.

The economics run backward, and that is the breakthrough

The deeper inversion is financial. In the ordinary arrangement the user pays the onboarding cost in identity and the platform captures the value. me.ochk.io routes a payment in the opposite direction. Activity on an integrating site is recorded as a billable event in one of three classes: a state transition such as creating an account, an action such as authorizing a scoped operation, or a session. The integrating site funds these from a prepaid escrow balance, the platform keeps a fixed fee of twenty percent, the user receives a configurable share clamped to a ceiling of eighty percent, and the site receives a rebate from the remainder. A single account-creation event priced at thirteen hundred satoshis splits into two hundred sixty for the platform, the larger part to the user, and the rest back to the site, and the arithmetic is constrained to always balance. The site pays to acquire a real, costly-to-fake user, and the user is paid to be one.

This is a different mechanism for sybil resistance than the one the signup form implements, and the difference is what makes it interesting for privacy. The form deters fakes by making honest users expensive in personal data. The event model deters fakes by making the site, not the user, bear the cost, and by letting each site set its own price for what a legitimate action is worth. A spammer who creates a thousand accounts that never do anything billable costs the site nothing, because nothing was billed. A spammer who wants their thousand accounts to count must generate real, priced activity for each, which is the cost the site wanted them to bear in the first place, now denominated in satoshis instead of in the user's surrendered identity. Sybil resistance becomes a market that the site tunes rather than a gate the user squeezes through, and the user's personal data is no longer the toll. The cost moved off the user's identity and onto an external, fungible, refundable asset, and that is a structural change, not a cosmetic one.

Reputation can be portable without anyone tracking you

The cleverest piece sits between the pseudonymity and the payments. A user accumulates activity across many sites, and that history is a reputation worth carrying, but carrying it normally requires a central party that watches you everywhere and sells the composite. me.ochk.io exposes reputation as an aggregate that reveals a number without revealing its sources. A site can request a scope that returns, for example, the user's total satoshis earned across all other integrators, or a count of distinct sites at which they have been active, as a single integer. The requesting site learns that this pseudonym has a substantial cross-site history without learning which sites, what amounts, or when. The user transfers the credibility they built elsewhere without transferring the map of where they built it.

That combination, a pseudonym that is unlinkable across sites by default and a reputation that is portable across sites by consent, is the thing the surveillance-advertising internet has insisted is impossible, because that internet's business model requires the linkage to be involuntary and total. Here the linkage is a value the user holds and chooses to expose as a summary statistic. Whether it holds up depends on details that are easy to get wrong, and several of them are not yet fully closed, but the shape is the contribution. Reputation and tracking have always been sold as a bundle. This unbundles them.

The custody exception is real, and it should be named plainly

An objective account has to stop and mark the place where the system's own stated rule bends. OrangeCheck's family-wide invariant is that it never holds user funds. me.ochk.io has one exception, and it is the email path. A user who arrives without a wallet has no Bitcoin key to be paid into, so the satoshis they earn are held as Chaumian ecash in a Fedimint federation. The mnemonic is generated in the browser and written down by the user, and the project's servers see neither the mnemonic nor the keys, but the federation guardians, recruited by an operator rather than by the project, hold the threshold multisig that backs the ecash. That is custody. It is bounded, it is by a quorum rather than a single party, and it runs on a public protocol rather than a black box, but a sufficient collusion of guardians could in principle move funds, and an email user is trusting that quorum until they leave it.

The exit is a graduation flow: the user supplies an on-chain or Lightning destination, proves control with a signature under a fresh-proof gate, and the federation sweeps the balance out to keys the user alone holds, after which the custody assumption is gone. The honest caveat is that this graduation path is, at the time of writing, not yet shipped; it is a placeholder where the most important privacy-and-custody transition is supposed to live. A reader deciding whether to trust the system today should weigh the federation custody as present and the escape from it as promised, and should treat the project's willingness to state the exception in its own documents as evidence of seriousness rather than as a resolution of the risk.

Where a skeptic should push, because the gaps are real

The strongest objections are not about the auth flow, which is conventional and sound, but about what a Bitcoin address discloses and what pseudonymity does not buy. A Bitcoin address is pseudonymous, not anonymous. The moment a user grants the address scope to two sites, both see the same string and can link the accounts the architecture worked to keep separate, and either can run the public chain history of that address through ordinary analysis to infer balances, timing, and counterparties. The defense is per-role addresses and disciplined non-reuse, which works only to the extent users actually practice it, and users famously do not. The scoped-subject unlinkability is a genuine protection against lazy correlation and no protection at all against a user who voluntarily hands the same revealing scope to colluding parties.

Disclosure is also one-way in time. Revoking a scope stops future events from carrying a value, but a site that already received the email in a prior event keeps it forever, because revocation cannot reach into a webhook that already fired. The session cookie, though shielded from script, is still a bearer token whose theft via a cross-site scripting hole lets an attacker act within the granted scopes, with only the master-credential release standing behind a fresh proof. The auth host's signing key is a single point whose compromise would let an attacker mint tokens for anyone, and the at-rest encryption key for stored emails is a second such point. The cryptography under all of it, the secp256k1 of Bitcoin and the curve used for the encrypted vaults, is secure only against classical computers. None of these is fatal, and most are shared by every comparable system, but a fair reading does not get to skip them. The privacy is real, partial, and contingent on both the user's hygiene and the operator's key discipline.

What is actually new here

It helps to place the design against the other answers to the same question, because the contrast is what isolates the claim. OAuth, the sign-in-with-Google pattern that now mediates a large share of all logins, solves the cost problem by delegating it to a vendor who already knows your email, your phone, your location history, and your behavior, and who becomes a permanent intermediary in every session it brokers. It removes the password and replaces it with a watcher. World ID solves the same problem at the other extreme, by proving unique personhood through a biometric scan, which buys strong sybil resistance at the price of asking people to enroll their irises in a database in order to prove they are human. me.ochk.io refuses both trades. It adds no vendor to the path, because each site verifies the session locally against a published key rather than calling an identity provider, and it asserts no personhood, because it makes no claim to know that a pseudonym is a unique human and substitutes economic cost for biometric proof. It occupies a position the other two foreclose: sybil resistance without a watcher and without a biometric, priced in an asset rather than in identity.

Set the criticism beside the design and the residue is specific. The novelty is not the wallet login, which exists elsewhere, nor the passwordless session, which is ordinary, nor even the absence of KYC, which several systems claim. The novelty is the reassignment of the onboarding cost. For thirty years the way to make an account expensive enough to deter abuse has been to make it expensive in the user's identity, and the entire surveillance economy grew in the space that decision opened. me.ochk.io prices the same scarcity in an external asset the user self-custodies, makes the site rather than the user pay it, and pays the user for the legitimacy they supply, while keeping them a different unlinkable pseudonym to every party and letting them carry a reputation forward as a number rather than a dossier. Each of those moves has precedent in isolation. The composition does not, and the composition is the claim.

Whether it becomes the way people sign in to things is not a question the code can answer, because it depends on sites choosing to adopt a model that costs them satoshis to acquire users they currently acquire for free by harvesting data. That is a real adoption barrier and the place the whole thing most plausibly fails. But the demonstration stands on its own regardless of adoption. It shows that the signup form's central assumption, that deterring fakes requires extracting identity, was never a law of nature. It was a billing decision, made once, in the absence of a neutral asset to bill against. There is now such an asset, and someone has wired it up to prove that the user was never the thing that had to be expensive. The platform was.