No third parties Funds go direct to your wallet No BTCPay complexity Approved via Telegram One confirmation ≈ 10 minutes Zero custody risk Reorg protection built in Webhook on every payment API keys hashed. Never stored in plaintext Verify your addresses independently Works with any website No third parties Funds go direct to your wallet No BTCPay complexity Approved via Telegram One confirmation ≈ 10 minutes Zero custody risk Reorg protection built in Webhook on every payment API keys hashed. Never stored in plaintext Verify your addresses independently Works with any website
System operational
Bitcoin payment infrastructure

Accept Bitcoin.
Own every sat.

BoreLine Pay generates invoices from your cold wallet ZPUB, monitors payments on-chain, and delivers access automatically. No third party ever touches your funds.

Get your API key → See how it works
0 Third parties
1 API call to start
~10min To confirmation
POST /api/invoice
// Your checkout sends one request
 
curl -X POST https://pay.boreline.app/api/invoice
  -H "X-API-Key: sk_live_••••••••••"
  -d '{"email":"alice@example.com",
      "tier":"pro","months":1}'
 
// BoreLine Pay responds instantly
 
{
  "invoice_url": "https://pay.boreline.app/pay/INV-...",
  "btc_address": "bc1qxy2kgdygjrsqtzq...",
  "btc_amount": 0.00045210,
  "status": "pending"
}
 
// Payment confirmed → webhook fires
✓ POST https://yoursite.com/webhooks/payment
✓ Customer access granted
How it works

Four steps.
Fully automatic.

From wallet verification to confirmed payment. No email, no passwords, no third-party custody.

01

Request access

Submit your Telegram username, ZPUB, and a signed message proving wallet ownership. We verify the signature and approve your account with one tap.

02

Connect your wallet and integrate

Sign in with your Telegram and wallet signature. Paste your ZPUB, define your products, copy your API key. One API call from your checkout creates a hosted invoice page.

03

We watch the chain

BoreLine Pay polls mempool.space every 60 seconds. When payment appears with sufficient confirmations, it triggers automatically.

04

Webhook delivers access

We POST a signed payload to your webhook URL. Your server grants access and marks the order paid. Whatever your logic requires.

Why BoreLine Pay

Built for businesses
that take Bitcoin seriously.

Zero custody

Invoices derive fresh addresses directly from your ZPUB. Funds land in your hardware wallet the moment they're sent. We never hold, route, or touch your Bitcoin.

Instant API

One POST request creates an invoice. Response includes the Bitcoin address, exact amount, and a hosted payment page. No SDK, no complex setup. Plain HTTP.

Signed webhooks

Every confirmed payment fires a webhook to your server with an HMAC signature. Verify it in two lines of code. No polling loops, no missed events.

Your tiers, your prices

Define any number of products in your dashboard. Monthly plans, one-time purchases, annual subscriptions. Name them whatever makes sense for your business.

Merchant dashboard

Real-time invoice tracking, payment history, revenue stats, and ready-to-paste integration code. All in a clean dashboard you log into from any browser.

Works with anything

Plain HTTP API means it integrates with any stack. React, WordPress, Shopify, custom Python, whatever you run. If it can make a POST request, it works.

Built to be audited

API keys are hashed in the database. Never stored in plaintext. Every ZPUB change is logged and triggers an alert. Address derivation is atomic. Race conditions are impossible by design. The full audit log is yours to inspect.

Reorg protection

Confirmed payments are re-verified for 6 blocks after confirmation. If a blockchain reorganisation removes the confirming block, access is automatically revoked, you are alerted, and the invoice returns to pending. No other simple payment tool handles this.

No custodial accounts

With Coinbase Commerce, both you and your buyer need a Coinbase account that holds your funds and your identity, secured by a password they can freeze. BoreLine Pay never holds your funds. Your identity here is simply your own wallet key and a Telegram handle, proved cryptographically, with no password and no email. Your buyers never sign up for anything, they just scan a QR code and pay from any Bitcoin wallet. You stay in control of your keys and your money at every step.

Integration

From zero to accepting Bitcoin in under an hour.

No complex infrastructure. No devops. Just paste your API key, add the snippet, and test with cURL.

  • Sign in with your Telegram and Bitcoin wallet signature
  • One API call creates a complete invoice
  • Hosted payment pages, no frontend work needed
  • Replay-protected signed webhooks
  • Blockchain reorg detection built in
  • Verify your addresses from the dashboard
Get your API key →
JAVASCRIPT 
// Add to your checkout button handler

async function payWithBitcoin(email, tier, telegram = '') {
  const res = await fetch('https://pay.boreline.app/api/invoice', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': YOUR_API_KEY
    },
    body: JSON.stringify({ email, tier, months: 1, telegram })
  });

  const { invoice_url, amount_sats } = await res.json();
  window.location.href = invoice_url;
}


// Verify webhook signature (Node.js)
// Reject replays older than 5 minutes

app.post('/webhooks/payment', (req, res) => {
  const sig  = req.headers['x-boreline-sig'];
  const ts   = parseInt(req.headers['x-boreline-time']);

  if (Math.abs(Date.now() / 1000 - ts) > 300)
    return res.status(400).send('Replay');

  const keyHash  = sha256(YOUR_API_KEY);
  const expected = hmac(keyHash, req.rawBody);

  if (sig !== expected) return res.status(401).end();

  if (req.body.event === 'payment.confirmed')
    grantAccess(req.body.email, req.body.tier);

  if (req.body.event === 'payment.reversed')  // reorg
    revokeAccess(req.body.email, req.body.invoice_id);

  res.status(200).end();
});
Pricing

Flat monthly pricing.
No transaction fees.

No percentage cuts, no surprise charges. Pay once a month in Bitcoin and keep everything you earn.

LIVE BTC RATE
... $ ... £ ... CHF ...
fetching...
Starter
29
... sats
per month
For freelancers and solo operators accepting Bitcoin for the first time.
  • Up to 3 product tiers
  • Hosted invoice pages
  • Webhook delivery
  • Invoice dashboard
  • Set your product prices in any currency
  • Email support, 1-3 day response
Get started
Most popular
Pro
49
... sats
per month
For online businesses with active customer bases and subscription products.
  • Unlimited product tiers
  • Hosted invoice pages
  • Webhook delivery
  • Invoice dashboard
  • Set your product prices in any currency
  • Private Telegram support channel
Get Pro access
Business
99
... sats
per month
For teams and high-volume operations that need full control and branding.
  • Unlimited product tiers
  • Hosted invoice pages
  • Webhook delivery
  • Invoice dashboard
  • Set your product prices in any currency
  • Private Telegram support channel
Contact us
PAID IN BITCOIN NO CREDIT CARDS CANCEL ANYTIME ZERO TRANSACTION FEES
Questions

Frequently asked.

Do you ever hold my Bitcoin?

Never. BoreLine Pay derives receiving addresses directly from your ZPUB, a view-only public key. Payments go straight from the sender to your hardware wallet. We have no ability to move your funds under any circumstances.

What's a ZPUB and how do I get it?

A ZPUB (or XPUB) is a view-only public key from your hardware wallet. It lets us generate unique receive addresses without any ability to spend. In Trezor Suite: Accounts → Show public key. In Ledger Live: Accounts → Edit → Advanced. In Sparrow: Master Public Keys section.

Should I use my main wallet for this?

No. Set up a fresh hardware wallet just for your business, kept completely separate from any wallet holding your savings, treasury, or investments. Your business wallet's addresses are shared publicly on every invoice and it sees high transaction volume. Keeping it separate protects the privacy and security of the funds you want to keep safe. A new hardware wallet costs little and is the single best practice you can follow here.

What happens if a payment is underpaid?

Invoices require the exact BTC amount or more to confirm. If a customer sends less, the invoice stays pending until it expires. Each address is unique per invoice so there's no confusion between payments.

How long does payment confirmation take?

One on-chain confirmation takes roughly 10 minutes. Once confirmed, BoreLine Pay continues monitoring the payment for 6 more blocks to detect blockchain reorganisations. If a reorg removes the confirming block, access is automatically revoked and you are alerted. No other simple payment tool handles this.

What if my webhook fails?

If your server is temporarily down, the payment is still recorded and the webhook retries automatically on the next monitor cycle. Every confirmed payment in your dashboard shows delivery status. No payment is ever silently lost.

Can I verify the addresses are really mine?

Yes. Your dashboard has a Verify page that shows the derivation path, a SHA-256 fingerprint of your registered ZPUB, and the first derived addresses. Compare them against your Trezor, Ledger, or Sparrow wallet. If they match, you do not have to trust us. You can see it yourself.

Do you take a percentage of my sales?

Never. BoreLine Pay charges a flat monthly subscription fee. We take nothing from your transactions. Whether you process one invoice or ten thousand in a month, your fee is the same. Every satoshi your customer pays goes directly to your wallet.

Can I use this with WordPress, Shopify or Ghost?

Yes. If your platform can make an HTTP request or run custom code, it works. Your Integrate page includes copy-paste snippets for JavaScript, Python, and PHP that work with any platform.

How do I pay my monthly fee?

You pay in Bitcoin, of course. Your subscription renews monthly at a flat rate with zero transaction fees on top. There are no percentage cuts, no hidden charges, and no surprises. You always know exactly what you owe, and every satoshi your customers pay goes straight to your wallet.

Get started today

Start accepting Bitcoin
in under an hour.

Connect your wallet. Define your products. Paste one snippet.
Your first invoice is live before the hour is out.

Get your API key → Talk to the founder
Merchant Security Guide

Stay sovereign.
Stay safe.

Accepting Bitcoin means you are your own bank. That is the whole point, and it comes with responsibility. This guide covers everything you need to keep your funds, your privacy, and your business secure. Read it once, set things up properly, and you can operate with confidence.

01
Keep your business wallet separate

The single most important rule. Your business wallet and your savings should never be the same wallet.

🔐 Use a fresh hardware wallet for receiving payments
Buy a new hardware wallet dedicated only to your business. Never use the same wallet that holds your savings, treasury, or long-term investments. A new device costs little and is the foundation of everything else in this guide.
📤 Sweep funds to cold storage regularly
Do not let large balances accumulate in your receiving wallet. When your business wallet builds up a meaningful amount, move the bulk of it to a separate cold storage wallet that has never been exposed publicly. Keep only what you need for operations in the business wallet. A wallet whose addresses are published on invoices should never hold your life savings.
🎯 Treat the business wallet as semi-public
Every invoice exposes a receiving address derived from your ZPUB. Anyone you transact with can observe those addresses. Assume your business wallet activity is visible and plan accordingly. The less it holds, the less anyone can learn about your finances.
02
Protect your seed phrase

Your seed phrase is the master key to your funds. Anyone who has it can take everything. Anyone who loses it loses everything.

🛑 Never type your seed phrase into anything connected to the internet
Not into a website, not into a chat, not into a notes app, not into a photo. Your seed phrase should only ever exist on paper or steel, generated and stored offline. BoreLine Pay will never ask for it. No legitimate service ever will.
⚙️ Back it up on metal, not paper
Paper burns, fades, and gets water damaged. Stamp or engrave your seed phrase onto a steel backup plate and store it somewhere secure. Consider a second copy in a separate physical location in case of fire or theft.
🤐 Tell no one
Do not share your seed phrase with business partners, family, support staff, or anyone claiming to help. If someone needs access to business funds, set up a proper multi-signature arrangement instead of sharing a seed.
03
Guard your privacy

Bitcoin is transparent by design. Every transaction is public forever. A few habits keep your financial life private.

🔍 Understand that addresses link together
When you spend from multiple addresses in one transaction, you reveal that they belong to the same wallet. This is called common-input ownership. Be mindful when consolidating funds, since it links your receiving addresses together on the public ledger.
🧊 Move to private storage in deliberate steps
When sweeping business income to cold storage, send it to a fresh wallet that has no public association with your business. Avoid mixing business funds with personal funds in a way that links your identity to your savings.
🏷️ Do not publicly tie your name to your business wallet
Avoid posting your business ZPUB or addresses anywhere that links them to your real identity. The more separation between your public business activity and your personal holdings, the safer you are.
04
Secure your operations

Your API key, your server, and your devices are part of your attack surface. Lock them down.

🔑 Protect your API key like a password
Your API key lets a website create invoices on your account. Store it as a server-side environment variable, never in client-side JavaScript, never committed to a public code repository, never pasted into a support chat. If it leaks, replace it immediately from your dashboard.
🛡️ What happens if your API key leaks
Good news, your funds are never at risk from a leaked key. The API key can only create invoices and read your basic profile. It cannot touch your wallet, change your ZPUB, redirect payments, or access any funds. Every payment address is derived from your registered ZPUB, which an API key cannot change. So even in the worst case, all customer payments still flow to your own wallet, never to an attacker. The only nuisance a leaked key allows is someone creating spam invoices on your account. The moment you suspect a leak, open your dashboard and generate a new key. The old one stops working instantly.
🔌 How to add your API key without exposing it
Your API key belongs on your server, never in the browser. The rule is simple. Any code a visitor can view by opening their browser developer tools must never contain your key. Here is how that looks on common setups. On a custom site, store the key as a server-side environment variable and call BoreLine Pay from your backend, never from front-end JavaScript. On Shopify, do not paste the key into theme files or script tags, since those are public. Instead use a small server-side app, a serverless function, or an approved app that holds the key on its own backend, and have your storefront call that. On WordPress or WooCommerce, store the key in wp-config.php or your plugin settings, which live on the server, not in a page template. The principle never changes. The customer's browser asks your server to create an invoice, and your server, holding the key privately, talks to BoreLine Pay. The key never travels to the customer.
Always verify webhook signatures
Every payment webhook is signed and timestamped. Verify the signature and reject anything older than five minutes before granting access to a customer. This stops attackers from forging fake payment confirmations. Your Integrate page has the exact code.
💻 Keep your devices clean
The device you use to access your dashboard and sign messages should be free of malware. Keep your operating system updated, avoid pirated software, and consider a dedicated device or browser profile for business operations.
05
Recognise scams

Most losses in Bitcoin come from social engineering, not broken cryptography. Know the patterns.

⚠️ Anyone asking for your seed phrase is a scammer
There are zero exceptions. Not support, not an admin, not a security alert, not a wallet upgrade. The instant anyone asks for your seed phrase or private key, you know it is an attack. Walk away.
🎭 Verify who you are talking to
Scammers impersonate support staff on Telegram and elsewhere. We will never message you first asking you to take urgent action with your wallet. If someone contacts you claiming to be BoreLine Pay support and creates pressure or urgency, stop and verify through official channels.
🔗 Check every link and address twice
Fake websites and clipboard-hijacking malware can swap addresses. Always confirm you are on the correct domain before signing in. When verifying your receiving addresses, compare them directly against your hardware wallet screen, which is the one display an attacker cannot fake.
06
Your account login

BoreLine Pay uses your Bitcoin wallet as your login. This is stronger than any password, but understand how it works.

✍️ Your wallet signature is your login
There is no password to steal. To sign in, you prove you hold your hardware wallet by signing a one-time challenge. Even if someone knows your Telegram username, they cannot access your account without your physical wallet. Keep your hardware wallet safe and your account is safe.
🔄 Wallet changes are protected by a 48 hour hold
If anyone ever requests a change to your registered wallet, you are notified on Telegram and the change is held for 48 hours before taking effect. You can cancel it instantly during that window. This gives you time to react if your account is ever targeted.
📱 Secure your Telegram account
Your Telegram is your identity for support and notifications. Enable two-step verification on Telegram itself, use a strong PIN, and never let anyone access your Telegram session. If your Telegram is compromised, contact support and review your account immediately.
07
What happens if something leaks

Security is about layers. Here is exactly what an attacker can and cannot do in each scenario, so you understand how protected you really are.

👁️ If your ZPUB leaks on its own
A ZPUB is view-only. Someone who has it can see your receiving addresses, your transaction history, and your balance for that wallet. They cannot spend your funds, cannot sign in, and cannot change anything. A leaked ZPUB is a privacy concern, not a theft risk. This is exactly why we recommend a separate business wallet and regular sweeping. The less it holds, the less anyone learns.
📵 If your Telegram is compromised on its own
Your Telegram account alone gives an attacker nothing of value here. They still cannot sign into your dashboard, because signing in requires a signature from your physical hardware wallet. They cannot start a wallet change either, because that can only be initiated from inside an authenticated dashboard session. The most they see is your notifications.
🛡️ If your ZPUB AND your Telegram are both compromised
Even in this worst case, your funds stay safe. An attacker holding both still cannot sign into your dashboard, because that requires your hardware wallet signature. And since a wallet change can only be started from inside the dashboard, the attacker never even reaches the Telegram confirmation step. The wallet signature is the first gate, and without your physical device, the door never opens. The one thing you must always keep safe is your hardware wallet and its seed phrase.
🔄 How a wallet change actually works
Changing your registered wallet is a deliberate, multi-step process designed so no single point of failure can move your funds. First, you sign into the dashboard with your current wallet by signing a unique challenge message with your existing ZPUB, proving you still hold it. Then, using your new hardware wallet, you register the new ZPUB by signing a fresh unique message from that new wallet, proving you own it too. You approve the change on Telegram. A 48 hour security embargo then begins. Throughout the entire embargo your current wallet stays fully active, so you keep receiving payments without any interruption. When the 48 hours complete, the new ZPUB takes the place of the old one, and from that moment your payments arrive in your new wallet. Nothing is ever paused, and you can cancel at any point during the hold.
Your security checklist
Fresh hardware wallet dedicated only to the business
Seed phrase backed up on metal, stored offline, shared with no one
Large balances swept to separate cold storage regularly
API key stored server-side, never exposed publicly
Webhook signatures verified before granting access
Receiving addresses verified against the hardware wallet screen
Telegram secured with two-step verification
Confident that no one will ever get your seed phrase

Set up properly once, and you can run your Bitcoin business with total peace of mind.

Get Access →
Direct Founder Support

Talk to the person
who built this.

No third party support desk. No outsourcing. No ticket queue handled by someone reading from a script. When you reach out, you speak directly with the founder, any time, day or night.

Orion Veyr
Founder, available 24/7
@Orion_Veyr
Message me on Telegram any time. For anything urgent, this is the fastest way to reach me directly.
Message on Telegram
🌙
Around the clock
For a general emergency, reach out at any hour and I will answer as fast as I can. If you suspect a security breach, stop using the payment system, write up exactly what you found, and let me check before you continue. I am one human after all, and a careful pause is always better than a costly mistake.
👤
One person, full context
You always speak with the founder, someone who knows the entire system inside out and can actually solve your problem.
🔒
Never asked for secrets
I will never ask for your seed phrase or private keys. Anyone who does is an impostor, even if they use my name.
🤝
Direct and honest
No scripts, no runaround. Straight answers from the person responsible for the product.

Always confirm you are messaging @Orion_Veyr exactly. I will never contact you first asking you to move funds or take urgent action with your wallet.

Merchant Portal
Sign in with your Telegram and wallet signature, or request access.
The username you used when requesting access.
Please wait...
Need help? Contact us on Telegram.
Overview
Setup
0 of 4
Dashboard
Welcome.
Here is everything happening with your Bitcoin payments.
01
Register ZPUB
Register your ZPUB to generate addresses
02
2
Define Products
Set up your tiers and pricing
03
3
Get API Key
Copy your key to authenticate requests
04
4
Integrate
Paste the snippet into your website
Revenue
€0
0 sats
Paid
0
All time
Pending
0
Awaiting payment
Address index
0
Next address
Recent Invoices
No invoices yet
Complete your setup and your first invoice will appear here.
Payments
Invoices
All invoices generated by your API key.
InvoiceCustomerProductSatsFiatStatusDate
No invoices yet
Setup · Step 1
Register Your ZPUB
Register the ZPUB from your business hardware wallet so we can generate a unique Bitcoin address for every invoice.
NEVER SHARE YOUR SEED PHRASE WITH ANYONE. Not with us, not with support, not with anyone. We will never ask for it.
🔐
Use a fresh wallet for your business
Set up a brand new hardware wallet for receiving payments, kept completely separate from any wallet holding your savings, treasury, or investments. Your business wallet sees high transaction volume and its addresses are shared publicly on invoices. It should never be the same wallet that stores funds you want to keep private and secure.
Your ZPUB

A ZPUB is a view-only public key from your hardware wallet. It lets us generate receive addresses without any ability to spend your funds.

Your ZPUB starts with zpub or xpub. It is not your seed phrase and it is not a private key.
Found in Trezor Suite, Ledger Live, or Sparrow under account settings.
Address derived successfully
Compare this against your wallet receive addresses. If it matches, your ZPUB is correct.
How to find your ZPUB
Trezor Suite
Accounts → Select account → Show public key
Ledger Live
Accounts → Select account → Edit → Advanced → Extended public key
Sparrow Wallet
Master Public Keys section → Copy zpub
Coldcard
Advanced → Export Wallet → Choose format
Setup · Step 2
Define Your Products
Set up the tiers you sell. Tier keys are used in your API calls.
Product Tiers
Tier Key
Display Name
Price/mo
Tier keys must be lowercase with no spaces.
Currency
Setup · Step 3
Your API Key
Use this key to authenticate every request your website makes to BoreLine Pay.
Treat your API key like a password. Never commit it to public repositories or expose it in client-side JavaScript. Store it as a server environment variable.
Live API Key
sk_live_••••••••••••••••••••••••••••••••••••••••
Replace Key

If your key is ever leaked, generate a new one here. The old key stops working immediately.

Make sure you are ready to update your website settings right away. Your checkout will stop working until you do.

Setup · Step 4
Integrate
Add Bitcoin payments to your website with one API call.
Step 1 · Create an invoice from your server
JavaScript · Node.js 
const res = await fetch('https://api.boreline.app/api/invoice', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': process.env.BORELINE_PAY_KEY
  },
  body: JSON.stringify({
    email:  customer.email,
    tier:   'starter',
    months: 1
  })
});
const { invoice_url } = await res.json();
window.location.href = invoice_url;
Step 2 · Verify webhook signature
JavaScript · Node.js 
app.post('/webhooks/payment', (req, res) => {
  const sig = req.headers['x-boreline-sig'];
  const ts  = parseInt(req.headers['x-boreline-time']);
  if (Math.abs(Date.now() / 1000 - ts) > 300)
    return res.status(400).send('Replay');
  const keyHash  = sha256(YOUR_API_KEY);
  const expected = hmac(keyHash, req.rawBody);
  if (sig !== expected) return res.status(401).end();
  if (req.body.event === 'payment.confirmed')
    grantAccess(req.body.email, req.body.tier);
  if (req.body.event === 'payment.reversed')
    revokeAccess(req.body.email);
  res.status(200).end();
});
Account
Settings
Account
Webhook
Called on payment.confirmed and payment.reversed events.
Security
Verify Your Wallet
Confirm that the addresses we generate match your hardware wallet. You do not have to trust us.
ZPUB Fingerprint
SHA-256 hash of your registered ZPUB. If this changes without your action, contact support immediately.
ZPUB HASH
Not configured
Derivation Path
Pathm/84h/0h/0h/0/{index}
TypeBIP84 Native SegWit
Next index0
Derived Addresses

Compare these against your wallet receive address list. They must match exactly.

🔑
No wallet connected
Register your ZPUB first to see derived addresses here.