Orbits — your family's private space
Every family on Orbit lives inside an Orbit: a private container that holds the parents, their children, and the connections between them. Usernames only need to be unique inside an Orbit, so your child can pick a name they like without fighting the entire internet for it.
A parent always belongs to exactly one Orbit. Children inherit their parent's Orbit at creation time. Co-parents join the same Orbit by invitation, so the whole family sees the same dashboard and shares the same approval power.
Orbits keep each family self-contained. Your child's username, your filter rules, your invite codes — none of it leaks into other families. Every view in the app is scoped to your Orbit by default.
Parent sign-up
Parents register with email, password, username, and an optional display name. Before the account is created, we send a six-digit one-time code to the email address to make sure you own it. Enter the code, and the account is live.
- Email-verified. No code, no account. Emails are globally unique.
- Passwords hashed with Argon2id. We never store your password in the clear.
- Tokens rotate. Short-lived access tokens plus a refresh token, signed with Ed25519.
- One device at a time, or many. Each device registers itself and gets its own encryption session.
Orbit onboarding — create or join
After sign-up and email verification, the very next screen asks the parent one question: are you starting a new family Orbit, or joining one?
Create
Pick a name for your Orbit (it doesn't have to be unique — we use a random ID under the hood). Submit, and you're in. You can now add children and invite co-parents from the dashboard.
Join
A co-parent already in the Orbit generates a one-time invite code and shares it. Paste the code on the Join tab, submit, and you're placed in the same Orbit. The code is single-use and expires in 24 hours.
Until a parent finishes this step, they can't add children, chat, or use any other feature. The app stays on the onboarding screen — no dead ends, no orphan accounts.
Invite deep links
Invite codes work two ways:
- Type it in. Eight characters, easy to read out over the phone.
- Tap a link. The code is also encoded as a deep link of the form
orbit://join?code=XXXXXXXX. Tap it on a phone that has Orbit installed and the Join screen opens with the code already filled in.
Deep links work on both iOS and Android. On iOS we register the orbit URL scheme; on Android, a matching intent filter. The code is displayed as a QR in the dashboard, so co-parents can scan with any camera app and the phone opens Orbit straight to the join screen.
Child accounts
Children don't sign up themselves. A parent creates the profile from the dashboard (username, display name, optional avatar) and Orbit generates a one-time login code the child can type in on their own device. The code is shown as plain text and as a QR code — whichever suits the child's age best.
- No email address required for the child.
- The login code expires in 24 hours and becomes invalid after first use.
- If the code expires before the child logs in, the parent can re-generate one from the child-detail screen.
- Once logged in, the child device registers itself and gets its own encryption keys.
Parent-approved child logins
By default, once a child is logged in on a device, they stay logged in. But for extra control, parents can turn on require login approval per child. When it's on:
- Every new device that tries to sign the child in is quarantined.
- The parent sees a "Login requests" card on the dashboard with the device label, the time, and the approximate location (from the request IP).
- The parent taps Approve or Reject. The child's phone shows a "waiting for approval" screen in the meantime.
- Approved devices are trusted — they skip the prompt next time.
This is resolved most-restrictive-wins across co-parents: if either parent requires approval, it's required. Rejecting a device immediately ends any session it had.
Your Orbit dashboard
The dashboard is the parent's home screen. It shows:
- Orbit header with the Orbit name and member count.
- Invite button that generates a fresh one-time code (shown as both text and a QR).
- Children cards — one per child, tap to open the child-detail screen.
- Login-request cards when approved-login is on and a child is waiting.
- Add menu — add a child, or link another parent.
Per-child controls
Each parent-child link carries its own set of toggles. When a child has two parents, we resolve every setting most-restrictive-wins — if either parent turns something off, it's off for the child. This way, co-parents never cancel each other out.
Open any child card to reveal:
- Security — require login approval on/off, list of trusted devices, regenerate login code.
- Chat features — audio / image / video / emoji toggles (see below).
- Timeout — pause the app for a duration or until a specific date.
- Content filter — word lists and mode (see below).
Content filter
Each parent-child link has a content filter with three modes:
- Off — messages pass through unchanged.
- Block — messages matching a word list are refused on the device, before encryption. The child sees "message blocked" and never sends it.
- Approval — flagged messages are held for parent review. The parent gets a push notification and approves or rejects from the child-detail screen. Requests expire in 24 hours.
The filter runs on the sending device itself, so we never see the plaintext. It covers outgoing messages (what your child tries to send) and can optionally flag incoming messages (what other children send them) for you to review.
Because the filter runs on-device before encryption, it can block content without breaking end-to-end encryption. The server only ever sees the encrypted envelope.
Chat-feature toggles
Text is always allowed. Everything else is opt-in, per child, per parent:
- Audio messages. Toggle voice notes on or off.
- Image messages. Photo sharing.
- Video messages. Short video clips.
- Emoji & reactions. Both emoji-only messages and tap-to-react reactions.
Disallowed message types are blocked two ways:
- On send. The child's app refuses to send a blocked type, with a friendly message explaining why.
- On receive. If a blocked type slips in from a different family, the child sees a blurred placeholder — they can tell a message arrived, but they can't view the content.
Changes apply immediately to open sessions — the child doesn't need to relaunch.
Timeout & app lockout
Sometimes the answer is "not right now." A parent can put any child on a timeout for:
- A quick preset — 30 minutes, 2 hours, 8 hours, or 1 day.
- A custom end time — pick a date and time.
When a timeout is active:
- The child's open WebSocket is closed immediately and HTTP requests return
423 Locked. - The child's app swaps to a full-screen lock view with a countdown and a sign-out button.
- Incoming messages still queue on the server — they'll be delivered when the timeout ends.
The parent can clear the timeout at any time from the child-detail screen; the child's app unlocks the moment the WebSocket reconnects.
Chat experience
Once a conversation is open, Orbit behaves like a modern messaging app — with everything running over end-to-end encrypted sessions.
- Typing indicators show when someone on the other end is writing.
- Read receipts tell you when your message has been seen.
- Reactions — tap and hold to drop an emoji reaction.
- Per-device sessions. If someone has an iPhone and an iPad, each device has its own session. A lost phone doesn't compromise the others.
- Offline delivery. Encrypted messages queue on the server until the recipient's phone comes back online.
- Sign-out wipes local crypto state. A re-login starts fresh — no cached plaintext, no old keys.
Cross-family chat
Children want to chat with children in other families, and Orbit supports that — through a deliberate, parent-gated flow:
- Parent contacts. Parents add each other first. Either parent sends an invite; the other parent accepts.
- Chat requests. Once two parents are connected, parent A picks their own child and sends a request to parent B. Parent B reviews the request and assigns one of their children to the other end.
- Conversation created. Only after both parents sign off does Orbit open a conversation between the two children.
Nothing about this flow is one-sided. Every cross-family chat has two parents' approval behind it. Either parent can end the connection at any time and the conversation closes.
End-to-end encryption
Every conversation on Orbit is end-to-end encrypted. The sender's phone encrypts one ciphertext per device in the family trust circle — the other child(ren) in the chat and every parent on both sides. The server relays the ciphertext and never sees plaintext.
That means parents see their child's messages on their own device (decrypted locally), not via the server. When a parent adds a new phone, their other devices re-encrypt history for the new device over WebSocket — no re-login from scratch, no lost conversations.
For the full technical detail — X25519 ECIES envelope, Curve25519, per-device fanout, planned upgrade path to Double Ratchet — see the Security page.