Async Payjoin is heralded as the leading solution for robust privacy within the Bitcoin ecosystem, drawing inspiration from the success of HTTPS in enabling secure web payments. The Payjoin Foundation, a nonprofit entity, has been diligently developing this privacy toolkit with the aim of achieving widespread adoption among Bitcoin wallets, thereby delivering privacy at scale.

Designed for mass adoption, Async Payjoin is modeled after popular Bitcoin and Lightning development kits, and built using the same cryptographic primitives found in Bitcoin core, ensuring seamless integration into the main Bitcoin implementation. Much like Let’s Encrypt revolutionized the adoption of HTTPS on the web through open-source, free software tools, Async Payjoin seeks to address Bitcoin’s significant privacy challenges via an open privacy standard. Unlike proprietary, privacy-focused wallets such as Samourai Wallet and Wasabi, Async Payjoin is a versatile software library that any Bitcoin payments application can integrate, thus contributing to an open privacy standard akin to HTTPS.

Also referred to as Payjoin V2 by the Foundation, this iteration improves upon V1, an earlier implementation that mandated both transacting users to be online. Async Payjoin is fully backwards compatible, allowing users with non-supporting wallets to seamlessly send funds to Payjoin addresses and QR codes. A growing list of Bitcoin wallets currently supports the Payjoin Foundation’s V1 and V2 standards, including BTCPay server (V1), Blue Wallet (V1), Bull Bitcoin Mobile (V2), Wasabi Wallet (V1), Cake Wallet (V2), Bitmask (V1), JoinMarket (V1), and Sparrow Wallet (V1). Bitcoin privacy advocates are encouraged to prompt their preferred wallet providers to integrate this open-source standard, with technical references available at BIP 77 and a plug-and-play dev kit on GitHub.

The nonprofit Payjoin Foundation, established in August 2025 to foster open-source privacy development, receives financial backing from OpenSats and Cake Wallet. Additional support for many of the project's open-source developers has come from Spiral, Human Rights Foundation, Maelstrom, and Brink. The Foundation's GitHub repository for the Rust implementation of Async Payjoin alone lists 37 contributors.

The development of the Async Payjoin protocol, known as Payjoin V2 via BIP 77, is spearheaded by Dan Gould, who serves as executive director of the Payjoin Foundation and lead maintainer of the Payjoin DevKit. Gould has a rich history of pioneering Bitcoin privacy tools, tracing back to the TumbleBit era, and notably forked Wasabi Wallet for mobile use. He co-authored BIP 77 alongside Yuval Kogman, an advisory board member and Spiral Bitcoin Wizard with over two decades of programming expertise. Kogman's extensive contributions to Bitcoin privacy include developing WabiSabi DoS protections and identifying vulnerabilities in various CoinJoin implementations. Armin Sabouri has also joined the team as R&D lead, bringing experience from previous roles as CTO at Botanix and engineer at Casa. Sabouri co-won the 2021 MIT Bitcoin Hackathon for successfully implementing BIP 78 CoinJoin on Mac OS via Tor, and is a co-author of BIP 347 (OP_CAT).

Dan Gould emphasized the critical role of funding for the Foundation's work, stating, “none of this work is possible without the funders.” He elaborated on the decision to establish a nonprofit rather than a for-profit entity, remarking that “Bitcoin privacy — for-profits have basically been killed.” Gould argues that a nonprofit structure offers greater sustainability for tackling the privacy problem by aligning incentives. He believes for-profits tend to be incentivized to sell products that don't always guarantee privacy, drawing a parallel with the internet's experience where PGP was developed by a company, but HTTPS and Tor succeeded as decentralized nonprofit endeavors. The Payjoin Foundation has applied for 501(c)(3) status, which is currently pending approval. Prospective donors can contact Gould at [email protected].

Payjoin enhances Bitcoin privacy by disrupting a prevalent pattern in standard transactions, where a sender typically uses one input that splits into two outputs: the payment and the change back to the sender. This process often links multiple Unspent Transaction Outputs (UTXOs), which are akin to separate coin pockets. When a transaction requires more funds than available in a single UTXO, it pulls from another, inadvertently linking previously unconnected pockets of coins on the blockchain. This practice compromises user privacy by allowing blockchain analysts to infer that linked UTXO packets belong to the same entity.

Payjoin effectively dismantles this standard input heuristic by facilitating coordination between the sender and receiver. This results in transactions that present two inputs and two outputs, with one of the inputs contributed by the receiver. The receiver obtains the exact expected amount, as both parties simply coordinate on amounts and collaboratively construct the transaction. Consequently, what would typically be a single-input, two-output transaction transforms into a two-input, two-output transaction, thereby confusing on-chain analysts. The more such transactions occur, the less reliable the single-input heuristic becomes, ultimately leading to enhanced privacy for all users by breaking a core assumption of on-chain analysis.

This entire process is non-custodial, ensuring both parties retain full control over the amounts signed and sent. It is also atomic, meaning if both parties do not agree, the transaction is invalid. Gould warned about the extensive information leaked by normal Bitcoin transactions today, noting how organizations like Chain Analysis can, under certain circumstances, access exchange user data to identify UTXO owners. This allows them to ascertain past and future transaction counterparties, as well as an individual’s total holdings and income. Such enhancements to Bitcoin privacy are crucial for the asset's success, as they reinforce fungibility—a vital characteristic of sound money, meaning all coins are equal and interchangeable regardless of their history.

While cryptocurrencies like Zcash or Monero prioritize maximizing on-chain privacy by encrypting transfer amounts, this comes at a significant cost: the validation of the total coin supply becomes far more complex. This complexity introduces the risk of undetectable inflation bugs, which could undermine scarcity, another critical quality of sound money. Payjoin, conversely, offers a higher degree of on-chain privacy for Bitcoin without encrypting transfer amounts, thereby preserving Bitcoin’s scarcity while bolstering its fungibility. The primary trade-off is that Payjoin cannot be a protocol-level change; it necessitates widespread wallet adoption and subsequent user engagement. It's also worth noting that traditional fiat systems aim to protect users from third-party analysis through their closed, private nature. While government agencies and bank executives may have significant insight into user balances, organized crime generally does not. Numerous laws globally also safeguard financial privacy, which Async Payjoin aims to elevate Bitcoin to.

Historically, a challenge with traditional Payjoin was the requirement for both parties to be online to coordinate transaction creation. Payjoin V2 addresses this by introducing a blinded directory server for asynchronous Payjoin coordination, leveraging the established Internet standard, Oblivious HTTP (OHTTP). Gould explained that “the cool thing is the protocol has the directory server blinded. The directory server is only reachable by oblivious HTTP, which is basically a forced proxy. So the IP addresses (of users) are never leaked to the directory server.” He added, “the payload (pre-signed transaction) is actually end-to-end encrypted between the sender and the receiver anyway. So the directory just gets an 8-kilobyte uniform encrypted blob. They don’t see anything.”

Gould likened OHTTP to a streamlined version of Tor, stating, “The reason we used it is because it’s a web standard. So it’s gone through the rigorous review process. OHTTP is literally supported in the iOS operating system. It’s used in browsers.” He further clarified, “OHTTP it’s kind of like the minimal viable product of Tor where Tor layers encryption and does multiple hops and this is just the most minimal version where you just have one hop. You just have one layer of encryption.” Similar multi-hop network encryption is employed in the Lightning network to protect user privacy. The Payjoin V2 servers operate without financial reward for their runners, mirroring the volunteer model of Tor exit nodes, which have sustained these crucial privacy networks for decades.

Regarding compliance, regulators and exchange operators often express concerns about Bitcoin privacy technologies, perceiving them as conflicting with regulatory requirements. Gould refutes this, calling it a misconception. He stated, “the reality is that a compliance regime is totally independent from the nature of the chain. If an exchange wants to collect your baby’s name, know the place you live, your phone number, and what source of funds, having privacy by default doesn’t stop them from doing that. Doesn’t stop them from asking for it in order to do business with the user.” He concluded, “It just doesn’t give them complete insight into your whole wallet, past, present, and future. So it puts the power to consent to reveal the information about your money in your own hands.”