Introduction
PayWarden is an open-source, non-custodial USDT-TRC20 payment gateway built for developers and merchants who want to accept crypto payments without giving up control of their funds.
What it does
- Generates unique payment addresses for each order using HD wallet derivation (BIP44)
- Monitors the TRON blockchain for incoming USDT transfers
- Confirms payments after a configurable number of block confirmations
- Notifies your backend via HMAC-signed webhooks when payments are confirmed
What makes it different
Non-custodial architecture
Your seed phrase is encrypted with AES-256-GCM and stored locally. PayWarden derives payment addresses from your extended public key (xpub) only — no private key access is ever needed to receive funds.
Private keys are loaded into memory only during fund sweeping (moving confirmed funds to the cold wallet configured as COLD_WALLET_ADDRESS) and are wiped immediately afterward with Buffer.fill(0).
Zero fees
PayWarden takes 0% of your transactions. You pay only for the infrastructure you run.
Open source
Every line of code is public on GitHub under BSL 1.1 — the same license used by MariaDB, HashiCorp Vault, and Sentry. You can read, audit, and self-host it freely. The only restriction is offering it as a hosted service to third parties without a commercial license.
Architecture overview
```text
Your Backend
    │
    │ POST /api/v1/payments
    ▼
PayWarden API (Fastify)
    │
    ├── Order Engine ──── PostgreSQL (orders + events)
    │
    ├── HD Wallet ──────── vault/seed.enc (AES-256-GCM seed)
    │       xpub → unique address per order
    │
    ├── Chain Watcher ─── TronGrid API (polls every 3s)
    │       detects TRC-20 Transfer events
    │
    └── Webhook Notifier ─ HMAC-SHA256 signed callbacks
            exponential backoff, 10 retries
```
Tech stack
| Layer | Technology |
|---|---|
| Runtime | Node.js 20 + TypeScript 5 (ESM) |
| HTTP | Fastify 5 |
| Database | PostgreSQL 16 + Drizzle ORM |
| Queue | Redis 7 + BullMQ |
| Blockchain | TronWeb 6 + TronGrid API |
| HD Wallet | bip39 + bip32 (BIP44 path) |
| Container | Docker Compose |
Next steps
- Quick Start — up and running in 3 minutes
- Non-custodial Architecture — how your keys stay safe
- API Reference — integrate with your backend