Connect a Bitcoin wallet

Orange Way doesn't talk to wallets directly. It uses Orange Rails, the open-source connector platform, to fetch your transactions in a privacy-preserving way. This explains how that works and what each connection method gives up.

What gets connected

You can connect:

• Bitcoin xpub (watch-only) — pasted from Sparrow, Specter, Ledger, BlueWallet, BitBox, Coldcard, anything that exports an xpub/ypub/zpub. Recommended because it's the most private option.
• Exchanges — Coinbase, Kraken, Binance, Bybit, OKX, KuCoin, Gemini, Bitstamp, Bitfinex, Crypto.com, NDAX, Bitbuy, and ~85 others through the CCXT bridge. Read-only API keys.
• Lightning wallets — Blink, Strike, BTCPay Server (for merchants).

What you cannot connect today (on the public roadmap):

• Traditional banks (coming via Quiltt or Plaid as a Tier 2 source — discloses to a third party, see Privacy).
• Mining pools (Ocean, Braiins, ViaBTC).
• Lightning node software (LND, CLN, LDK, Phoenix) — direct.

How a connection works, step by step

1. Click Add a connection in your Orange Way dashboard.
2. The Orange Rails Connect widget opens in a popup. It runs at connect.orangerails.com — a separate domain so the credentials never touch Orange Way's main domain in memory.
3. Pick your source (xpub, Coinbase, Blink, etc.).
4. Enter the required credential:
   • For an xpub: paste the extended public key. We support xpub, ypub, zpub prefixes (BIP 44 / 49 / 84). Multisig descriptors are on the roadmap.
   • For an exchange: paste the API key + secret + (sometimes) a passphrase, generated in the exchange's dashboard with read-only scopes.
   • For Blink/Strike: paste the API token (read-only invoice scope).
5. The widget encrypts your credential in the browser using a key derived from your Orange Way vault password. Even the Orange Rails server never sees the plaintext credential. The encrypted bytes get stored.
6. The widget closes. Your new connection appears in the Orange Way dashboard.
7. First sync runs automatically. New transactions roll in within ~30 seconds for most sources; an xpub with a long history can take ~90 seconds the first time.

Privacy tiers (T0 → T3)

Orange Rails publishes a privacy tier per source so you know upfront what each connection costs you in disclosure. Orange Way surfaces the tier badge before you connect.

If you want maximum privacy, stick to T0 (xpub) and T1 (the wallets you already trust). T2 only exists for bank connections because there's no other way today.

What if I change my mind

Connections are deletable. In Settings → Connections, click the trash icon next to any source. Two things happen:

1. Orange Rails stops syncing it (immediately).
2. The encrypted credential is deleted from Orange Rails' database (immediately).

The historical transactions you already pulled in stay in your household budget — they're yours. If you want to also delete the history, click Delete transactions on the connection before you remove it.

Troubleshooting

• xpub didn't find my transactions — make sure you exported the xpub from the right derivation path. BIP 84 wallets (the common modern default) need a zpub, not an xpub. Sparrow's "Settings → Wallet" view shows you the right one.
• Exchange API key is invalid — most exchanges require the IP that calls the API to be allow-listed. Orange Rails' egress IP is documented at api.orangerails.com/info (you set it in the exchange's API key settings).
• Sync is slow — first sync of an xpub does a full block scan via BIP 158 filters. Normal. Later syncs only check new blocks.

See also

• Privacy and what we cannot see — the architectural deep dive
• Getting started — sign up + first wallet in 10 minutes
• The full Orange Rails source catalog: https://orangerails.com/providers (100+ connections)