
Bring in an auditor or accountant

Last updated on May 16, 2026

Give a CPA, tax preparer, or family lawyer read-only access to a defined slice of your household budget. They never see your vault password. Every read is logged. You can revoke any time.


When you'd use this

  • Your CPA does your taxes. You want them to see your Bitcoin transactions for the year without sharing your vault password.
  • You're divorcing and the court wants financial transparency for a specified date range.
  • You're applying for a mortgage. The lender wants statements but not API access to your wallets.
  • You hire a bookkeeper for the household budget but don't want them touching the categories or goals.

In each case the auditor needs read-only access to a defined scope, with an audit trail. That's what this flow is for.


How it works

  1. In Settings → Auditors, click Invite auditor.
  2. Enter their email and pick the scope:
    • Date range — e.g. "January 1 to December 31, 2026"
    • Categories — all categories or just specific ones (e.g. only "Tax-deductible expenses")
    • Members — your transactions only, or the whole household
  3. Set an expiry — by default the access auto-revokes 90 days after invite. You can set a longer or shorter window.
  4. Click Send invite. They get an email with a one-time link.

When they click the link:

  1. They create an Orange Way account (or sign in if they already have one).
  2. The app does a special key exchange — they generate a key pair, you both confirm a six-digit code, and your household master key gets re-wrapped for them with read-only flags baked into the wrap.
  3. They land in a view that looks like Orange Way's normal dashboard, except every "edit" button is disabled and every page shows the scope they were granted.
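
How read-only flags can be bound into a wrapped key, as an added example (not Orange Way's code): it assumes X25519 key agreement, HKDF-SHA256 and AES-256-GCM with the scope passed as associated data, and it does not model the six-digit confirmation step. All function names and the sample scope are constructed for illustration.

```javascript
// Added illustration, not Orange Way's code. Assumed primitives: X25519, HKDF-SHA256, AES-256-GCM.
// Loads Node's crypto module under either CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Canonical bytes of the grant (flat object, keys sorted). Fed to AES-GCM as
// associated data, so the scope is authenticated together with the wrapped key.
function scopeBytes(scope) {
  return Buffer.from(JSON.stringify(scope, Object.keys(scope).sort()));
}

// Key-encryption key that both sides derive from the X25519 shared secret.
function deriveKek(myPrivateKey, theirPublicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: theirPublicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'auditor-wrap-v1', 32));
}

function wrapKey(ownerPrivate, auditorPublic, householdKey, scope) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(ownerPrivate, auditorPublic), iv);
  cipher.setAAD(scopeBytes(scope));
  const ct = Buffer.concat([cipher.update(householdKey), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag(), scope };
}

// Returns the household key, or null when the authentication tag does not verify.
function unwrapKey(auditorPrivate, ownerPublic, wrapped) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKek(auditorPrivate, ownerPublic), wrapped.iv);
  d.setAAD(scopeBytes(wrapped.scope));
  d.setAuthTag(wrapped.tag);
  try { return Buffer.concat([d.update(wrapped.ct), d.final()]); } catch (e) { return null; }
}

function demo() {
  const owner = nodeCrypto.generateKeyPairSync('x25519');
  const auditor = nodeCrypto.generateKeyPairSync('x25519');
  const stranger = nodeCrypto.generateKeyPairSync('x25519');
  const householdKey = nodeCrypto.randomBytes(32); // constructed sample key
  const scope = { access: 'read-only', from: '2026-01-01', to: '2026-12-31',
                  categories: ['Tax-deductible expenses'], members: 'owner-only' }; // constructed
  const wrapped = wrapKey(owner.privateKey, auditor.publicKey, householdKey, scope);
  const good = unwrapKey(auditor.privateKey, owner.publicKey, wrapped);
  const widened = { ...wrapped, scope: { ...scope, to: '2030-12-31' } }; // scope edited after wrapping
  return {
    roundTrip: good !== null && good.equals(householdKey),
    widenedScopeRejected: unwrapKey(auditor.privateKey, owner.publicKey, widened) === null,
    wrongKeyRejected: unwrapKey(stranger.privateKey, owner.publicKey, wrapped) === null,
  };
}
```

In this example the tag makes an edited scope detectable to anyone who lacks the wrapping key. It is tamper evidence for the grant, so scope checks on each request are still what keep reads inside the range.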

The auditor cannot:

  • Add transactions
  • Change categories or goals
  • Invite other auditors
  • See data outside the scope you set
  • Take your data with them (no export endpoint for auditors today; planned for Phase 5)

What gets logged

Every page the auditor views creates an audit-log row:

  • Auditor email + IP
  • Page or article viewed
  • Timestamp
  • Scope tag (which range/categories they read)

You see the auditor's activity in Settings → Auditors → Audit log. The log is append-only and cannot be deleted by the auditor (or by us).


Revoke access

In Settings → Auditors, click Revoke next to any auditor. Two things happen:

  1. The auditor's session token is invalidated immediately.
  2. The wrapped household key is deleted for them. Even if they had a stale browser session, the next request fails.

Revoke is irreversible — to re-grant, send a new invite.


Common questions

Can the auditor share my data with someone else?
Not through the app. The data only decrypts in their browser session with their vault password. There's no export endpoint for auditor accounts. If they screenshot, copy, or write down what they saw, that's outside the app — same as any other read-only relationship.

Can I give my CPA permanent access?
Yes. Set the expiry to a very long date (or no expiry). But we recommend setting an expiry by default — most accounting relationships have natural cycles (annual, quarterly).

Can I give the auditor write access?
No. The Auditor role is read-only by design. If you want a bookkeeper who can categorize and edit transactions, use the Member role instead (it's a full household member).

What about my partner — do they see the auditor's audit log?
Yes. Auditors are household-scoped, so every household member (owner + members) sees the same audit log and can revoke the auditor.

