Skip to content
Ora
HomeAboutStatusJoin test

Security · Updated July 2026

Built for
careful testing.

Ora’s public service uses passwordless sign-in, short-lived sessions, explicit device records, and a local-first timer model.

Account access

Sign-in uses a short-lived code sent to the submitted email address. Access and refresh sessions are tied to a device record and can be revoked by the service.

Stored credentials

Apple test apps use Keychain-backed storage. Android and Wear OS use Keystore-backed encrypted storage. The registration website retains only a non-secret summary after verification.

Sync design

The server exchanges timer operations and durable record state rather than streaming ticking countdown values. Devices derive remaining time locally and can continue running local timers during a service interruption.

Abuse controls

Email-code starts are protected by persistent quotas and optional proof-of-work, disposable-domain, and trusted-edge controls. Public edge configuration continues to be hardened during the test.

Current limitation

Ora is not yet presented as a finished high-availability service. Real background push delivery and five-device alarm behavior remain under active acceptance testing.

Ora

Natural timers for the moments in between.

Product

AboutJoin testStatus

Trust

PrivacySecurityTerms
Early test buildMac · iPhone · Apple Watch · Android · Wear OS