Async Payjoin, the HTTPS of Bitcoin Privacy 

30 December 2025

Bitcoin Magazine


Async Payjoin is the best hope for strong privacy in Bitcoin. Modeled after HTTPS, which enabled secure payments for the web, this privacy toolkit has been quietly built up by the Payjoin Foundation and must be adopted by a large number of Bitcoin wallets to deliver privacy at scale.

Modeled after the Bitcoin and Lightning dev kits (which have become quite popular among wallet developers) and built with the same cryptographic primitives already in Bitcoin Core, such that it can be easily integrated into the main Bitcoin implementation, Async Payjoin is designed from the bottom up for mass adoption.

Following in the footsteps of Let’s Encrypt, which in the 2010s led the mass adoption of HTTPS on the web via open source, free software tooling, Async Payjoin looks to solve Bitcoin’s biggest privacy pain points through an open privacy standard. Unlike specific privacy-focused wallets like Samourai Wallet and Wasabi, Async Payjoin is a software library that any bitcoin payments app can integrate, joining an open standard of privacy, similar to HTTPS on the web. 

Async Payjoin is also referred to as Payjoin V2 by the Foundation, as it differs from V1, an older implementation that requires both users to be online while they transact for the Payjoin to work. A growing list of Bitcoin wallets support the Payjoin Foundation’s V1 and V2 standards today, including:  

Async Payjoin is backwards compatible: users whose wallets do not yet support the standard can still send to Payjoin addresses and QR codes without friction. Fans of Bitcoin privacy should ask their favorite wallet providers to integrate this open source standard; developers can find a technical reference in BIP 77, alongside the plug-and-play dev kit on GitHub.

The Payjoin Foundation Team

The nonprofit Payjoin Foundation, launched in August 2025 to sustain open-source privacy development, receives funding from OpenSats and Cake Wallet, while Spiral, Human Rights Foundation, Maelstrom, and Brink have supported many of the open-source developers who contributed to the project. Their GitHub shows 37 contributors just on the Rust implementation of Async Payjoin.


Development of the Async Payjoin protocol, also known as Payjoin V2 and specified in BIP 77, is spearheaded by Dan Gould, executive director of the Payjoin Foundation and lead maintainer of the Payjoin DevKit. Dan has pioneered Bitcoin privacy tools since the TumbleBit era, forked Wasabi Wallet for mobile use, and co-authored BIP 77 with Yuval Kogman, advisory board member and Spiral Bitcoin Wizard with over two decades of programming experience. Kogman has done extensive work in the Bitcoin privacy field, such as developing WabiSabi DoS protections and blowing the whistle on vulnerabilities in various CoinJoin implementations.

Armin Sabouri has also joined the team as R&D lead. He previously served as CTO at Botanix and as an engineer at Casa, was a co-winner of the 2021 MIT Bitcoin Hackathon for getting BIP 78 CoinJoin working on macOS via Tor, and is a co-author of BIP 347 (OP_CAT).

Gould told Bitcoin Magazine that they are always fundraising and that “none of this work is possible without the funders.” He also went into detail about why they decided to start a Payjoin Foundation rather than a for-profit entity, saying that “Bitcoin privacy — for-profits have basically been killed.”

According to Gould, a nonprofit is a more sustainable way to solve the problem because it aligns the incentives: “I think the for-profits have an incentive to sell something that doesn’t necessarily guarantee privacy because if they make a sale, they earn profit. And we’ve seen on the internet that it was attempted. Phil Zimmermann started a company that developed PGP. But HTTPS was a decentralized nonprofit effort, as was Tor.” Gould says the Payjoin Foundation has applied for 501(c)(3) status, which is pending approval. Donors can contact him at [email protected]

How does Payjoin work?

Payjoin provides privacy to Bitcoin by breaking a common pattern of normal transactions, in which the sender has one input that gets split into two outputs to make a payment. Of the resulting outputs, one is likely to be the payment and the other the change back to the sender.

Users often have multiple UTXOs (unspent transaction outputs), which are like pockets of coins. If a transaction tries to send more than is in one UTXO, it will pull from another, linking two of these pockets of coins, which up until that point might have had no connection to each other on the chain. This reduces the privacy of users in the eyes of blockchain analysts, who can assume the two UTXO pockets belong to the same entity.

(image by Atlas21)

Payjoin undermines this common-input-ownership heuristic by facilitating coordination between the sender and the receiver, resulting in transactions that appear to have two inputs and two outputs, where one of the inputs is from the receiver. The receiver gets the same amount he is expecting; both parties simply coordinate on the amounts and co-create the transaction. As a result, what would have been a single-input, two-output transaction now has two inputs and two outputs, confusing on-chain analysts. The more transactions of this type exist, the less reliable the heuristic becomes, resulting in more privacy for all users, as the core assumption of on-chain analysis breaks down.

This process is entirely non-custodial: both parties keep full control over the amounts they sign and send. It is also atomic: if both parties don’t agree, the transaction is not valid.
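The effect on an analyst's clustering can be shown with a small model, added here as an illustration (it is not code from the Payjoin Dev Kit or from the article). Wallet names, outpoint labels, amounts and the fee are constructed, and the three transactions are alternative scenarios rather than one chain history.

```python
# Added example: toy model of the multi-input ownership heuristic (all values constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Coin:
    owner: str   # ground truth; not visible to an on-chain observer
    label: str   # stand-in for a txid:vout outpoint
    sats: int

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple
    def fee(self):
        return sum(c.sats for c in self.inputs) - sum(c.sats for c in self.outputs)

def cluster_by_inputs(txs):
    """Analyst's view: all inputs of one transaction belong to one entity."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for tx in txs:
        roots = [find(c.label) for c in tx.inputs]
        for r in roots[1:]:
            parent[r] = roots[0]
    clusters = {}
    for label in list(parent):
        clusters.setdefault(find(label), set()).add(label)
    return sorted(sorted(c) for c in clusters.values())

def true_owners(cluster, txs):
    """Ground truth: the real owners the heuristic lumped into one cluster."""
    truth = {c.label: c.owner for tx in txs for c in tx.inputs}
    return {truth[label] for label in cluster}

PAYMENT, FEE = 70_000, 1_000
a1, a2, b1 = Coin("alice", "a:0", 100_000), Coin("alice", "a:1", 40_000), Coin("bob", "b:0", 50_000)
change = Coin("alice", "chg", a1.sats - PAYMENT - FEE)
# Three alternative scenarios (a1 is reused only for comparison).
plain = Tx((a1,), (Coin("bob", "pay", PAYMENT), change))                 # 1 input, 2 outputs
own_two = Tx((a1, a2), (Coin("bob", "pay", 120_000), Coin("alice", "chg", 19_000)))  # Alice only
payjoin = Tx((a1, b1), (Coin("bob", "pay", b1.sats + PAYMENT), change))  # Bob adds b1

for name, tx in [("plain", plain), ("own_two", own_two), ("payjoin", payjoin)]:
    (cluster,) = cluster_by_inputs([tx])
    print(name, cluster, true_owners(cluster, [tx]), [c.sats for c in tx.outputs])
```

In the payjoin case the single cluster mixes Alice's and Bob's coins, and no output equals the 70,000-sat payment, so both the ownership inference and the amount inference fail.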

Gould cautioned about how much information is leaked by normal bitcoin transactions today, referring to organizations like Chainalysis, which can, in some circumstances, get access to exchange user data to try to identify the owners of a given UTXO: “If you snoop on that, you can see who you’ve transferred money to in the past. You can see who someone transfers money to in the future. You can see how much money someone has. You can see how much money someone makes.”

Enhancements to Bitcoin privacy of this sort are crucial to the success of Bitcoin as they enforce the fungibility of the asset, an important quality of sound money. Fungibility means that all coins are considered equal and interchangeable; one is not different from the other based on its history. 

Cryptocurrencies that focus on maximizing on-chain privacy, like Zcash or Monero, offer higher default degrees of on-chain privacy by encrypting the amounts transferred among parties. This, however, comes at a high cost; validation of the total supply of coins in these alternative cryptocurrencies is much more complicated. As a result, bugs in the related cryptography could lead to inflation bugs that are undetectable, a risk which undermines scarcity, another critical quality of sound money.

Payjoin in turn provides Bitcoin a higher degree of on-chain privacy without encrypting the amounts transferred between parties, respecting the scarcity of Bitcoin while enhancing fungibility. The main trade-off is that it cannot be a protocol-level change; it needs wallet adoption and thus user engagement.

It’s also important to note that fiat-level privacy already protects users from third-party analysis by being a closed private system, or tries to anyway. Government agencies and executives working at banks have much greater visibility into user balances, but organized crime does not. There are also many laws in countries throughout the world defending user financial privacy, a standard to which Async Payjoin is looking to elevate Bitcoin.

Network privacy and the client-server V2 model, the Async part of the protocol

One of the challenges historically with traditional Payjoin is that it required both parties to be online to coordinate the creation of the transaction. To solve this, Payjoin V2 introduces a blinded directory server to provide asynchronous Payjoin coordination among parties, using the well-known Internet standard, Oblivious HTTP.

Gould told Bitcoin Magazine that “the cool thing is the protocol has the directory server blinded. The directory server is only reachable by oblivious HTTP, which is basically a forced proxy. So the IP addresses (of users) are never leaked to the directory server.” He added that “the payload (pre-signed transaction) is actually end-to-end encrypted between the sender and the receiver anyway. So the directory just gets an 8-kilobyte uniform encrypted blob. They don’t see anything.”

In fact, Gould compared the use of OHTTP to Tor, explaining that “The reason we used it is because it’s a web standard. So it’s gone through the rigorous review process. OHTTP is literally supported in the iOS operating system. It’s used in browsers.” He added that “OHTTP it’s kind of like the minimal viable product of Tor where Tor layers encryption and does multiple hops and this is just the most minimal version where you just have one hop. You just have one layer of encryption.” Similar multi-hop network encryption is used in the Lightning Network to protect user privacy.

The Payjoin V2 servers provide no financial reward to those who run them, similar to Tor exit nodes, which have sustained these privacy networks on a volunteer basis for decades.  

What about compliance?

Regulators and, as a result, exchange operators often have concerns about Bitcoin privacy technologies, as they are perceived to be in conflict with compliance. Gould considers this a misconception, saying that “the reality is that a compliance regime is totally independent from the nature of the chain. If an exchange wants to collect your baby’s name, know the place you live, your phone number, and what source of funds, having privacy by default doesn’t stop them from doing that. Doesn’t stop them from asking for it in order to do business with the user.” He added that “It just doesn’t give them complete insight into your whole wallet, past, present, and future. So it puts the power to consent to reveal the information about your money in your own hands.”

This post, Async Payjoin, the HTTPS of Bitcoin Privacy, first appeared on Bitcoin Magazine and is written by Juan Galt.
