Some Reasonable Questions to Ask

This list of questions is presented in a more Socratic style, which can be read sequentially.

Q: What do I need to open a merchant account?
A: An email address and a private wallet ID. A PGP key to go with your email is optional. If you don't yet have a wallet set up, this tutorial explains how to create one.

Q: What do I do after I've opened my OnionPay merchant account?
A: Log into it and configure your settings as desired. You should also verify that you are able to log into your public wallet, which is created along with your account.

Q: Okay, and then what? How do I integrate OnionPay into my website as a payment option?
A: This is explained in detail, with examples, in our SCI documentation. You can obtain this using the Downloads button above.

Q: Why does your site use a self-signed certificate which produces warnings?
A: This is because we cannot risk government-sponsored MITM attacks using false certificates provided by captive CAs. Public sector criminals present an even bigger risk than do private sector ones. More info is available here.

Q: How is a merchant's website notified about incoming customer payments?
A: In the usual way, via a HTTP POST to a URL supplied by the merchant's SCI. Ideally, this URL will be secure (https).

Q: How does the merchant verify that the payment notification is genuine?
A: By verifying the hash value included with the notification. This hash is computed from the payment details plus the account's merchant secret, so that the merchant can be assured that the message is genuine and has not been tampered with. The payment details should also be compared against those expected for the customer's order. See our documentation (Downloads page) for details.

Q: If I add a PGP key to my account, what will you use it for?
A: If you ever create a customer support ticket with us, we'll use your key to encrypt our replies. We'll also attach our pubkey so that you can encrypt any further correspondence. (You can find our key on the Contacts page.)

Q: What about collecting sales tax, VAT, shipping and handling, etc.?
A: That is the responsibility of the merchant. We present a customer only with a total order amount as specified by the merchant. This total must include any applicable taxes, shipping, handling, or other charges which the merchant wishes to include.

Q: What's with the no KYC stuff? Are you deliberately targeting criminals and scammers?
A: No. We're targeting frictionless commerce by providing cash-like digital payment services. This means only that patrons of OnionPay merchants won't have to worry about public sector criminals spying on their transactions. It implies absolutely nothing about scammers or sellers of illegal goods.

Q: But do you mean that customers paying merchants signed up with OnionPay need to do their own due diligence on the merchants, and that you don't vet merchants in any way?
A: Correct. Evaluating the quality of goods and services sold online, or the honesty and trustworthiness of online merchants, is not the job of a payment service. It's the customer's job, aided by reputation and review services. Exercise the same care that you would before paying someone by cash or money order. Caveat emptor.

Q: Do you track the IP addresses of merchants and/or customers who visit your site?
A: No. All traffic to our site is port-forwarded from a gateway over a VPN to our real server, which is located in another country. We do not see anyone's true IP address. Nor is our server located at the IP indicated by a DNS lookup.

Q: Your About page talks about OnionPay franchises. How many are there, and where are other franchises located?
A: At present, this is the only one. We anticipate establishing others as growing market traffic warrants. This is key to avoiding single points of failure in the counter-economy. When new franchises are established, they will be listed somewhere on this site, and possibly on the Voucher Publisher's site as well.

Q: What the heck is dot-to?
Dot-to (.to) is another top-level domain (TLD) which uses a separate registrar system and is outside the control of ICANN, a US govt agency which has the power to seize ordinary domains in .com, .net, etc. which offend TPTB. (Example:, which was seized by Homeland Security for about 5 years.) The .to TLD is for Tongo, an island nation in the South Pacific.