live · mainnetoc · docs
specs · api · guides
docs / orangecheck connect

OrangeCheck Connect

Add OrangeCheck to your existing login. Keep Auth0, Clerk, NextAuth, Google, email/password — whatever you already run. It works exactly as it does today. Drop in one server-side call so that when your user signs in, an OrangeCheck identity (did:oc) is created for them at the same time.

There is no new SDK. A Connect integration is one HTTPS POST.

New to OrangeCheck integration? See the Integration overview first — Connect is one of two pathways. If you'd rather OrangeCheck be your sign-in (no login of your own), that's @orangecheck/auth-client.

How it works

  1. Register a Connect app at me.ochk.io/me/developer/connect — you get an API key.
  2. Your user signs in however they already do. Nothing changes.
  3. Right after, your backend calls POST https://ochk.io/api/connect/provision with your API key and your own id for that user.
  4. OrangeCheck returns a did:oc. Store it on your user record.

The whole integration

// Anywhere after your own login succeeds — Auth0, Clerk, Google, your own SSO,
// it does not matter. Run this from your backend.
const res = await fetch('https://ochk.io/api/connect/provision', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${process.env.OCHK_CONNECT_KEY}`,
    },
    body: JSON.stringify({ user_id: yourUser.id }),
});
const { did_oc, is_new } = await res.json();
// store did_oc on your user record — that is the whole integration.

OCHK_CONNECT_KEY is the API key from the console. user_id is your own stable id for the user. That is everything — no token to forward, no provider to name, no keypair, no redirect.

The call is idempotent: run it on every login if you like — the same user always resolves to the same did:oc (is_new tells you whether this call created it).

What you get back

{ "ok": true, "did_oc": "did:oc:…", "is_new": true }

The provisioned account is federation-custodied — OrangeCheck never holds a Bitcoin key it cannot account for, and the user can later graduate to self-custody. You now know "my user ↔ this OrangeCheck identity" and can show it, or call other OrangeCheck APIs on their behalf.

Notes

  • Server-to-server only. Call /api/connect/provision from your backend — never the browser. The API key must stay secret.
  • The key is shown once. Save it when you register the app. Lost it? Hit regenerate key in the console — the old key stops working immediately.
  • Optional email. You may also pass the user's email ({ user_id, email }). It is recorded as a hint so the same person can be unified to one identity across integrators later. The base call does not need it, and it is never treated as a verified identity.
  • An integrator can only ever create and manage its own users' OrangeCheck accounts — a Connect key can never reach into anyone else's identity.

Register your first app at me.ochk.io/me/developer/connect.