docs / overview

API reference

Every endpoint on the hosted verifier at ochk.io. The public endpoints are CORS-enabled and usable from any language or runtime without an API key. The /api/auth/* family is site-internal (same-origin, cookie-based) and backs /signin + /dashboard.

Base URL

https://ochk.io

Conventions

  • Protocol — HTTPS, JSON bodies, UTF-8.
  • Timestamps — RFC-3339 UTC with Z suffix.
  • Auth — none on the free tier. Paid tier uses bearer tokens (not yet public).
  • CORSAccess-Control-Allow-Origin: * on every endpoint.

Endpoint map

Public (CORS-enabled, no cookie)

EndpointMethodPurpose
/api/checkGETSybil-gate decision. Load-bearing.
/api/verifyPOSTVerify a raw (addr, msg, sig) tuple.
/api/challengeGET / POSTSigned-challenge auth primitive.
/api/discoverGETList attestations for a subject.
/api/statsGETAggregate network stats.
/api/og/checkGETDynamic OG image for social previews.

Site-internal (same-origin, cookie-based)

Back /signin and /dashboard. See /api/auth/* for the full reference.

EndpointMethodPurpose
/api/auth/signinPOSTExchange a signed challenge for a session cookie.
/api/auth/meGETRead the signed-in account + cached attestations.
/api/auth/logoutPOSTRevoke the session and clear the cookie.
/api/auth/accountPATCHUpdate profile fields.

Rate limits (free tier)

EndpointLimit
/api/check60 req/min/IP
/api/discover60 req/min/IP
/api/stats30 req/min/IP
/api/challenge30 req/min/IP
/api/verify10 req/min/IP
/api/auth/signin20 req/min/IP

Beyond these, requests return 429 with { "error": "rate_limited" }. Higher limits, webhook delivery, and SLAs are part of the paid tier.

Cache headers

  • /api/check, /api/discover, /api/stats, /api/og/checkCache-Control: public, max-age=60 (or 300 for OG).
  • /api/verify, /api/challenge, /api/healthCache-Control: no-store.

Status codes

CodeMeaning
200Success. Response body carries the decision or data.
400bad_request — missing or malformed parameters.
401Signed-challenge verify only: signature / nonce / audience mismatch.
404not_found — no attestation matches the subject.
405method_not_allowed.
429rate_limited.
500server_error.

Error shape

{
  "error": "<code>",
  "issues": [ /* optional, populated on validation failure */ ]
}

Self-host

Every endpoint lives in src/pages/api/* in the open-source oc-web repo. You can run your own verifier — it reads from public Bitcoin explorers and Nostr relays of your choice.

Start with /api/check. It's the whole product.