Skip to content

OrOrbit is in pre-launch. Downloads, accounts, and sponsorship open at launch.

Security you can actually trust.

Most platforms ask you to trust them with your identity. OrOrbit doesn't. Your identity is a file on your device — not an account on our server.

What an Orbit operator sees

  • Your IP address during voice and video calls
  • Your handle and key fingerprint
  • Anything you post, send, or upload on their server
  • The times you're connected

What stays yours

  • Your identity file and private keys
  • Other Orbits you're in
  • Anything you do outside their server
  • Your real name, email, or phone — we never ask

Join Orbits whose operators you'd trust with the first list.

Communication is personal. The messages you send your friends, the late-night voice calls, the photos you share — these are intimate parts of your life. We believe the platform carrying those conversations has a responsibility to protect them.

Most platforms treat security as a marketing checkbox. OrOrbit treats it as the foundation everything else is built on. Your identity, your messages, and your privacy are protected by design — not by policy.

This page explains exactly how. No vague promises, no hand-waving. Where something isn't covered yet, we say so.

The OrOrbit Security Model

A fundamentally different approach to identity and trust.

In traditional platforms, a company controls your account. They verify your email, store your password, and decide whether you're allowed to log in. If they get hacked, your account is compromised. If they ban you, your identity is gone.

OrOrbit flips this completely. Your identity is a small encrypted file that lives on YOUR device. When you connect to a server, your app uses that file to prove who you are — without ever sharing the sensitive parts. No company holds the keys. No central server can lock you out.

Trust hierarchy

You

You hold the identity file. Ultimate authority.

Your Devices

Act on your behalf. Device approval coming.

Server

Verifies identity. Never holds your keys.

What We Can't Do

These aren't policies — they're technical impossibilities.

Can't read your messages

Your messages live on YOUR server or your friend's server — never on ours. We don't run a central message store. We literally don't have access.

Can't impersonate you

Only someone with your identity file and your password can prove they're you. We never see either. There is no "reset password" flow on our end because we don't hold your credentials.

Can't lock you out

Your identity file works without our permission. Even if our website went offline tomorrow, your file would still let you log into any OrOrbit server.

Can't track you

No analytics, no telemetry, no tracking pixels. The app works fully offline after installation. Connections go directly between you and your server — we're not in the middle. The only outbound connection is the optional Pulsar registration, which you explicitly enable.

What Your Server Admin Can't Do

Even the person running the server has limits. Here's the honest breakdown.

Can't read your identity file

Your identity file is encrypted with your password before it ever touches the server. The server only stores the encrypted blob — it can't open it or extract your keys.

Can't use your identity elsewhere

A device approval system is being built to ensure your identity can only be used on devices you've explicitly authorized. Once live, even if a server admin tried, they'd be blocked by the approval check.

A note on message privacy

On any chat platform, whoever operates the server infrastructure can access the messages stored on it. On traditional platforms, that's a company and its employees. On OrOrbit, that's whoever you choose — yourself, a friend, or a community you trust.

We recommend hosting your own server for the most privacy, or joining servers run by people you personally know and trust.

The Encryption Stack

Strong defaults, proven algorithms, no shortcuts.

Well-established, peer-reviewed technologies at every layer. Nothing custom, nothing experimental — just battle-tested building blocks assembled correctly.

Identity file protection

Your signing key is encrypted using a key derived from your password through a memory-hard function — the same kind used by password managers. Even if someone gets the file, brute-forcing the password is extremely slow by design.

Challenge-response auth

Instead of sending a password, the server sends a random challenge. Your app signs it with your private key. The server verifies with your public key. Your private key never leaves your device.

Modern cryptography

Elliptic curve signing for identity, memory-hard password hashing, industry-standard session tokens, and TLS for all network traffic. No proprietary algorithms.

Recovery & backup

A 24-word recovery phrase lets you reconstruct your identity from scratch. The server can store an encrypted backup — encrypted before upload, so the server never sees the contents.

How Authentication Works

What happens when you log into an OrOrbit server, step by step.

1

You create your identity

OrOrbit generates a unique signing key pair. The private key stays on your device, encrypted with your password. The public key is what servers use to recognize you.

2

The server sends a challenge

When you connect, the server creates a unique, one-time challenge — a random puzzle that can only be solved with your private key.

3

Your app signs the response

Your app decrypts your private key using your password, signs the challenge, and sends the signed response back. The private key itself is never transmitted.

4

The server verifies

The server checks the signed response against your public key. If it matches, you're authenticated. A session is created and you're in.

Session created

You're logged in. Your password never left your device. Your private key never left your device. The server only saw your public key and your signed response.

Threat Model

What we protect against, what we don't, and what's coming next.

Protected

  • Identity theft — Your private key is encrypted and never transmitted. Device approval blocks unauthorized use.
  • Server compromise — Even if a server is breached, attackers can't extract your identity. The encrypted file is useless without your password.
  • Password brute-forcing — The memory-hard password protection makes automated guessing extremely slow and expensive.
  • Replay attacks — Each authentication challenge is unique and time-limited. Old responses can't be reused.
  • Man-in-the-middle — All connections use TLS encryption. The challenge-response flow adds an additional layer of verification.

Good to know

  • Server-stored messages — Messages on a server are readable by the server admin. This is how every chat platform works — traditional platforms all share this model. The difference is you choose who you trust to run a server.
  • Custom server code — Since servers are self-hosted, an admin could modify their code. This is true of any self-hosted software. Only join servers run by people you trust.

Protect Your Identity File

The single most important security rule for every OrOrbit user.

Never share your .ororbit-identity file

Your identity file contains your private signing key. Anyone who has this file and your password can fully impersonate you. No server admin, support agent, or friend will ever need this file. The only way to join a server is via invite links, QR codes, or Pulsar codes.

Learn why this matters

Your identity. Your rules.

Download OrOrbit and take ownership of your digital life. No email, no sign-up, no trust required.

Download OrOrbit How It Works