PSBT signing
CKBunker is designed around PSBTs: upload the transaction, visualize what it spends, collect required approvals, and sign only if the COLDCARD policy accepts it. CKBunker does not need to know your seed and does not replace wallet software.
Basic flow
- Create a PSBT in wallet software such as Bitcoin Core, Electrum, or another PSBT-capable wallet.
- Upload the PSBT into the Bunker web interface.
- Review the transaction details, warnings, and policy state.
- Provide required user authorization and local confirmation codes.
- Ask the COLDCARD to sign through CKBunker.
- Download or broadcast the signed transaction.

What CKBunker does not do
- It does not hold private keys; those remain on the COLDCARD.
- It does not replace wallet software for coin selection or transaction construction.
- It should not be trusted to enforce spending policy; the COLDCARD policy enforces it.
Local confirmation
For high-risk rules, require a local operator to enter a six-digit code at the COLDCARD location. The code is tied to the PSBT, which reduces races where one remote user asks for a code and another swaps in a different transaction.

User authorization
Depending on the policy, remote users may need to enter TOTP codes or passwords before the COLDCARD will consider the PSBT. If privacy-over-UX is enabled, the UI may require more explicit entry because less policy state is revealed by the device.
Meet me in the Bunker
Multiple remote users can coordinate inside the Bunker. Each sees the same PSBT state, adds their approval, and the device signs only if the configured threshold and rule conditions are satisfied.
Message signing
CKBunker can also expose text-message signing when the policy allows it. Restrict this to intended derivation paths and keep message-signing use separate from spending policy design.
