NinjaPay
Devnet open · Mainnet by application

Borderless and confidential commerce on Solana

Accept payments. Keep amounts private.

Stripe-grade checkout, subscriptions, and payouts — settled on Solana, shielded by Umbra. One commerce surface for merchants, agents, and treasuries.

Devnet open · mainnet rolling out by application

Tax handled
4 jurisdictions
Settlement
Shielded by default
Settlement (24h)
< 1s p50

Built on · integrating with

What we ship

Eight products. One commerce surface. All private by default.

The full merchant lifecycle teams already know — plus the agent and treasury surfaces that come with a single Solana-native settlement engine.

  • Gateway

    Hosted checkout & links

    PaymentIntents, payment links, products, prices, coupons, customers — the Stripe-portable lifecycle, with private settlement on top.

    Read the quickstart

  • x402

    Private agent commerce

    The first private x402 facilitator. Agents pay HTTP-priced endpoints with wallet, amount, and merchant shielded by default.

    Read the x402 quickstart

  • Subscriptions

    Recurring with proration

    Trials, dunning, mid-cycle plan changes, proration math validated against captured reference outputs.

    See subscriptions

  • Invoices

    Finalize, send, reconcile

    Finalize, mark paid, void, mark uncollectible. Line-item snapshots tied to charges for clean reconciliation.

    See integration docs

  • Connect

    Platforms & sub-merchants

    Platform fees, transfers, sub-merchant onboarding. The same shape marketplaces and infra platforms already speak.

    Read Connect

  • Refunds & disputes

    On-chain, end-to-end

    Partial + full refunds settled on-chain. Disputes carry evidence, adjudication lifecycle, and refund linkage.

    Read the refund flow

  • Tax

    Multi-jurisdiction by default

    ZATCA (Saudi), FTA (UAE), US, EU rate cards and registrations — calculated, collected, reported from one checkout.

    See tax surfaces

  • Payroll

    Stablecoin team payouts

    Multi-recipient batches, Squads-compatible approvals, jurisdiction-aware withholding, 1099/W-2-ready filings.

    Read payroll quickstart

Migration

Move your checkout in an afternoon.

Your existing checkout keeps the same endpoints, the same webhook shape, and the same refund flow — the money just settles in stablecoins instead of card rails. No replatforming, no customer-facing rewrite. PaymentIntents, Subscriptions, Invoices, Refunds, Disputes, Webhooks — every resource shape your backend already speaks.

Existing integration

checkout.ts
typescript
import Stripe from 'stripe';
 
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
 
const intent = await stripe.paymentIntents.create({
  amount: 500, // cents
  currency: 'usd',
  metadata: { order_id: 'ord_42' },
});

On NinjaPayDrop-in

checkout.ts
typescript
import { NinjaPayClient } from '@ninjapay/sdk';
 
const client = new NinjaPayClient({ jwt: process.env.NINJAPAY_API_KEY! });
 
const intent = await client.paymentIntents.create({
  amount: '5.000000', // Decimal(20,6)
  currency: 'USDC',
  metadata: { order_id: 'ord_42' },
});

What's identical

The resources, the webhook envelope, the idempotency keys, the refund + dispute lifecycles. Your reconciliation code, your handler routes, your customer model — all keep working.

What's different

Amounts are stablecoin units, not cents. Currency is the mint (USDC, USDT, PYUSD). The settlement leg is a Solana transaction, not a card authorisation.

What's new

Privacy is the default. Audit grants release viewing keys when you need them. Agent payments via x402. Cross-border parity in fees. Stablecoin payroll out of the box.

How it works

How a payment flows.

Privacy happens in the middle, not at the database. The customer journey looks identical to a card-rails checkout. What changes is what the public ledger sees — which is to say, what it doesn't.

  1. 1. Scan

    Your customer hits checkout

    A customer, an AI agent, or an x402 caller opens your hosted checkout link. Same UX a Stripe link would give them — wallet sign-in instead of card entry.

  2. 2. Pay

    They authorise a private payment

    The payment is signed with their wallet and routed through Umbra's shielded layer. Their wallet, your business name, and the amount don't appear on the public block explorer.

  3. 3. Settle

    Solana confirms the settlement

    A single transaction handles fee split, refund routing, and currency conversion if you accept a different mint than you settle in. Confirmed in under a second.

  4. 4. Reconcile

    You see the order in your dashboard

    Your webhook fires before the block explorer would even reach finality. The dashboard shows the payment, ties it to the order, and updates your KPIs.

  5. 5. Audit

    You release a viewing key on request

    When a regulator or auditor asks, you grant them a viewing key for a specific window. They see only what they need. Nothing else leaks.

Curious how it works under the hood? Read ADR-0024 for the payer-driven Umbra deposit design.

Who it's for

One platform. Three buyers.

For merchants

Sell anywhere. Show nothing.

SaaS, marketplaces, and infra companies billing in stablecoins. The Stripe-portable API your stack already speaks, settled privately on Solana.

  • Hosted checkout, payment links, dashboard
  • Signed webhooks for the full lifecycle
  • Tax handled in 4 jurisdictions out of the box
Read the merchant guide

For agent platforms

Charge per request. Settle privately.

AI agent runtimes, MCP servers, agent marketplaces. The first private x402 facilitator — agents pay HTTP-priced endpoints without revealing wallets, amounts, or merchants on the public ledger.

  • Drop-in client + server-side endpoint gating
  • Adapters for MCP, the Vercel AI SDK, and LangChain
  • Receipts (attestations) you can reconcile programmatically
Read the x402 quickstart

For DAOs + companies

Pay your team. Keep payroll private.

Stablecoin-native companies, DAOs, and treasury operators. Multi-recipient batches settle in a single on-chain transaction. The operator sees the aggregate; each employee sees their own claim.

  • Batched stablecoin payouts with private recipients
  • Multisig-gated approvals for batches above your threshold
  • 1099 / W-2 export at year-end, jurisdiction-aware withholding
Read the payroll quickstart

Commerce-grade reliability

The receipts a procurement team actually reads.

Jurisdiction coverage, licence scope, API portability, settlement currency — every claim below links to where you can verify it.

  • 4 jurisdictions

    tax handled

    ZATCA (Saudi), UAE FTA, US sales tax, and EU VAT calculated, collected, and reported from the same checkout — live in the merchant dashboard today.

    See tax surfaces

  • One currency

    stablecoin-native pricing

    A single settlement currency across every region you sell into — no FX spread, no correspondent banks, no held funds. The merchant in São Paulo pays the same fee as the merchant in Riyadh.

    See pricing

  • Same API

    your team already wrote

    Drop-in compatible endpoints for charges, refunds, webhooks, customers, subscriptions, and Connect — keep your existing integration, change the rails underneath.

    Read the migration guide

  • Confidential

    by default

    The buyer's amount and your business name don't appear on a public block explorer. Public mode is one flag away for audit-friendly flows.

    Read the privacy posture

  • Apache 2.0

    end to end

    API, dashboard, on-chain router program, SDKs — all source-available under a permissive licence. You can fork us; you won’t need to.

    Read the licence

  • 35 ADRs

    on the record

    Every load-bearing design choice published as a dated ADR with the trade-offs written down. Diligence teams read these before the call.

    Read the decision log
What's under the hood

TypeScript-strict + Zod-validated boundaries. 7-tier test pyramid with Stryker mutation testing on critical paths (billing, router, auth, payroll). OpenTelemetry traces threaded API → worker → Umbra → chain. KMS-backed authority custody with Squads multisig for elevated operations. Read ADR-0033 for the test architecture.

Pricing

Transparent fees. No surprises.

Take-rate on settled transactions only — no monthly minimums, no PCI surcharges. Stablecoin-native fees mean cross-border parity: the merchant in São Paulo pays the same as the merchant in Riyadh.

Free

$0devnet

Build, test, integrate. No production traffic.

  • Full SDK access
  • Devnet RPC + Umbra indexer
  • Drop-in webhook shape
  • Test-mode dashboard
Get an API key

Standard

Recommended

0.5%per settled tx

Production payments with the full merchant surface.

Stripe: 2.9 % + $0.30 · NinjaPay: 0.5 %, paid in stablecoin

  • Mainnet settlement
  • Subscriptions, invoices, refunds, disputes
  • Connect + tax + webhooks
  • 99 % webhook delivery SLO
Get an API key

Enterprise

Customvolume + SLA

High-volume merchants, x402 platforms, payroll operators.

Down to ~0.1 % at volume — typically half of Stripe Connect

  • Negotiated take-rate
  • Dedicated relayer + RPC
  • SOC 2 evidence package
  • Named on-call + 24/7 SLAs
Talk to sales

FAQ

Common questions.

How is this different from paying directly in USDC?
Standard USDC transfers leave the amount, sender, and recipient on-chain forever. NinjaPay routes the value leg through Umbra shielded UTXOs — amounts and recipients are private by default. Compliance grants let merchants share viewing keys with auditors when they need to.
Can I migrate from Stripe?
Yes — that's an explicit design target. PaymentIntents, Subscriptions, Invoices, Refunds, Disputes, Webhooks all speak Stripe-compatible wire shapes. The migration is mostly a base-URL change plus signing over a wallet instead of an API key.
What does x402 mean and why do I care?
x402 is the open standard that lets HTTP servers price endpoints natively. AI agents (Claude, GPT, Vercel AI, LangChain) discover the price, pay, and retry the request — no manual API key handoff, no chargebacks. NinjaPay runs the first private facilitator: the agent's wallet, amount, and merchant are shielded.
Where does payroll fit?
DAOs and companies that pay contributors in stablecoins want payroll without doxxing every employee's salary on-chain. NinjaPay batches shielded payouts; the operator sees the aggregate, the employee sees their own claim. Tax withholding and 1099/W-2 export are first-class.
When is mainnet?
Devnet is open today. Mainnet access is by application — internal first, then design partners, then broader rollout. Five mainnet-blocking SLOs are tracked on the public status page; access expands once they hold for seven consecutive days under representative traffic.
Is the program audited?
Internal audit chain plus Stryker mutation testing covers the billing, router, auth, and payroll paths; CI publishes coverage on every PR. An external program-level audit is on the path to broader mainnet access — until then, mainnet stays application-gated.
How does NinjaPay handle compliance?
Privacy-by-default is paired with merchant-controlled compliance grants. A merchant signs a grant on-chain that releases viewing keys to a regulator or auditor for a specific time window. The audit log is hash-chained and tamper-evident; the grant itself doesn't move funds.
What if Umbra goes down?
The Umbra indexer + relayer are tracked health checks; we run circuit-breakers around every external call, and the scanner cursor / webhook DLQ have explicit alerts. Umbra is non-fronted — settlements are on Solana — but indexer outages do degrade live UTXO observation, which we surface on the public status page.

Two ways in

Borderless, confidential commerce — wired up before lunch.

Finance teams talk to us about rollout, pricing, and jurisdictions. Engineers pull a sandbox key and ship a test charge in fifteen minutes.

Talk to our teamGet a sandbox key

Curious how it works under the hood? Read the architecture decisions or the API reference.