Some Reasonable Questions to Ask
This list of questions is presented in a more Socratic style, which
can be read sequentially.
Q: What do I need to open a merchant account?
A: An email address and a private wallet ID. A PGP key to go
with your email is optional. If you don't yet have a wallet set up,
explains how to create one.
Q: What do I do after I've opened my OnionPay merchant account?
A: Log into it and configure your settings as desired. You should also
verify that you are able to log into your public wallet, which
is created along with your account.
Q: Okay, and then what? How do I integrate OnionPay into my website as a
A: This is explained in detail, with examples, in our SCI documentation.
You can obtain this using the Downloads button above.
Q: Why does your site use a self-signed certificate which produces warnings?
A: This is because we cannot risk government-sponsored MITM attacks using
false certificates provided by captive CAs. Public sector criminals present
an even bigger risk than do private sector ones. More info is
Q: How is a merchant's website notified about incoming customer payments?
A: In the usual way, via a HTTP POST to a URL supplied by the merchant's SCI.
Ideally, this URL will be secure (https).
Q: How does the merchant verify that the payment notification is genuine?
A: By verifying the hash value included with the notification. This hash
is computed from the payment details plus the account's merchant secret, so
that the merchant can be assured that the message is genuine and has not been
tampered with. The payment details should also be compared against those
expected for the customer's order. See our documentation (Downloads
page) for details.
Q: If I add a PGP key to my account, what will you use it for?
A: If you ever create a customer support ticket with us, we'll use your key to
encrypt our replies. We'll also attach our pubkey so that you can encrypt
any further correspondence. (You can find our key on the Contacts page.)
Q: What about collecting sales tax, VAT, shipping and handling, etc.?
A: That is the responsibility of the merchant. We present a customer only
with a total order amount as specified by the merchant. This total must
include any applicable taxes, shipping, handling, or other charges which
the merchant wishes to include.
Q: What's with the no KYC stuff? Are you deliberately targeting criminals
A: No. We're targeting frictionless commerce by providing cash-like digital
payment services. This means only that patrons of OnionPay merchants won't
have to worry about public sector criminals spying on their transactions.
It implies absolutely nothing about scammers or sellers of illegal goods.
Q: But do you mean that customers paying merchants signed up with OnionPay
need to do their own due diligence on the merchants, and that you don't vet
merchants in any way?
A: Correct. Evaluating the quality of goods and services sold online, or the
honesty and trustworthiness of online merchants, is not the job of a payment
service. It's the customer's job, aided by reputation and review services.
Exercise the same care that you would
before paying someone by cash or money order. Caveat emptor.
Q: Do you track the IP addresses of merchants and/or customers who visit your
A: No. All traffic to our site is port-forwarded from a gateway over a VPN
to our real server, which is located in another country. We do not see
anyone's true IP address. Nor is our server located at the IP indicated by
a DNS lookup.
Q: Your About page talks about OnionPay franchises. How many are
there, and where are other franchises located?
A: At present, this is the only one. We anticipate establishing others as
growing market traffic warrants. This is key to avoiding single points
of failure in the counter-economy. When new franchises are established,
they will be listed somewhere on this site, and possibly on the
Voucher Publisher's site as well.
Q: What the heck is dot-to?
Dot-to (.to) is another top-level domain (TLD) which uses a separate registrar
system and is outside the control of
ICANN, a US govt agency which has the power to seize ordinary domains in .com,
.net, etc. which offend TPTB. (Example:
, which was seized by Homeland Security for about 5 years.)
The .to TLD is for Tongo, an island nation in the South Pacific.