Documentation
Everything you need to know about PayMeBack: how it works, what's supported, and where it's deployed.
What is PayMeBack?
PayMeBack lets you share your payment details securely through encrypted, one-time burn links. Your payment methods (bank details, crypto addresses, PayPal, etc.) are encrypted client-side and stored on-chain. When someone opens your link, the details are revealed once, then the link self-destructs permanently.
Key properties:
- End-to-end encrypted: AES-256-GCM via Web Crypto API, key derived from your wallet signature
- On-chain storage: encrypted payloads live on the blockchain, not a server
- One-time viewing: links are consumed on-chain and can never be reused
- No accounts: just connect a wallet (MetaMask, Coinbase, etc.)
- Revocable: revoke unused links anytime from your dashboard
- Upgradeable: access token logic can be upgraded without losing your profile data
How It Works
1. Create a Profile
Connect your wallet and add payment methods (bank details, crypto addresses, VALR Pay ID, etc.). Your profile is encrypted with a key derived from your wallet's signature; only you can decrypt it.
2. Generate a Link
Select which payment methods to share and generate a one-time link. Each link gets a unique access key, and the selected methods are encrypted specifically for that link.
3. Share the Link
Send the link to whoever needs to pay you. Optionally lock it to a specific wallet: enter their address or ENS name (e.g. vitalik.eth) and only that wallet can consume it.
4. One-Click Pay
The recipient picks which payment method to use. For supported methods (crypto, PayPal, Venmo, VALR, Cash App), they get a one-click payment button.
Supported Payment Methods
Architecture
PayMeBack v3 uses a split contract architecture for upgradeability and data permanence:
ProfileRegistry (Immutable)
Stores your encrypted payment profile. This contract is non-upgradeable: your profile data persists forever, regardless of any upgrades to the access token logic.
AccessManager (Upgradeable, UUPS Proxy)
Handles access token creation, consumption, and revocation. Can be upgraded by the multisig owner (Gnosis Safe) without affecting stored profiles.
Deterministic Deployment (CREATE2)
All contracts are deployed via a factory using CREATE2 through Nick Johnson's deterministic deployer. This ensures the same contract addresses on every supported chain.
Contract Deployments
PayMeBack is deployed across multiple chains. All encrypted data lives on-chain, with no backend servers.
Base (Mainnet)
Base Sepolia (Testnet)
Security Model
Encryption
All payment data is encrypted client-side using AES-256-GCM (Web Crypto API). The encryption key for your profile is derived from your wallet's signature; it never leaves your browser. Each share link has its own encryption key embedded in the URL fragment (after the #), which is never sent to any server.
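The per-link scheme described above, sketched as an added example (not PayMeBack's own code): a fresh AES-256-GCM key per link travels only in the URL fragment, which is not part of the request target. The base64url key encoding, the `example.invalid` host, the `/l/<id>` path, the use of the link id as additional authenticated data, and all function names are assumptions.

```javascript
// Added example, not PayMeBack code. Assumed: base64url key encoding, the
// example.invalid host, the /l/<id> path, link-id AAD, and all names below.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: fresh 256-bit key and 96-bit IV per link; only iv + ct are stored.
async function createLink(linkId, methods) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(linkId) }, // bind ct to this link
    key, enc.encode(JSON.stringify(methods))));
  const raw = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return {
    stored: { linkId, iv: b64u(iv), ct: b64u(ct) },
    url: `https://example.invalid/l/${linkId}#${b64u(raw)}`, // key lives after '#'
  };
}

// The path and query are what an HTTP request carries; the fragment is not.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment; GCM rejects any modified input.
async function openLink(link, stored) {
  const raw = unb64u(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(stored.iv), additionalData: enc.encode(stored.linkId) },
    key, unb64u(stored.ct));
  return JSON.parse(new TextDecoder().decode(pt));
}

async function demo() {
  const methods = [{ type: 'Bank Transfer', account: 'CONSTRUCTED-0000' }]; // constructed sample
  const { stored, url } = await createLink('link-0001', methods);
  const opened = await openLink(url, stored);
  // A blob replayed under another link id must fail authentication.
  const rejected = await openLink(url, { ...stored, linkId: 'link-0002' })
    .then(() => false, () => true);
  return { url, wire: requestTarget(url), opened, rejected };
}
```

Calling `demo()` in a browser console or Node resolves to the full link, the request target without the key, the decrypted methods, and whether the replayed blob was rejected.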
On-Chain Storage
Encrypted payloads are stored directly in the smart contract. There are no backend servers, databases, or APIs, just the blockchain and your browser.
One-Time Consumption
When a link is consumed, the smart contract marks it as used on-chain. This is enforced by contract code, not a server-side check. The access key in the URL is required to decrypt the payload, and the contract ensures it can only be used once.
Upgrade Safety
Profile data lives in an immutable contract that cannot be upgraded or modified. Only the access token logic (grant/consume/revoke) can be upgraded, and only by a Gnosis Safe multisig. Your payment profile is never at risk from an upgrade.
What's Public on Chain?
Only encrypted blobs, token hashes, and the payment type label (e.g. "Bank Transfer") are stored on-chain. Actual payment details are encrypted and unreadable without the access key from the URL.
FAQ
Do I need crypto to use this?
You need a wallet (MetaMask, Coinbase Wallet, etc.) and a tiny amount of ETH on Base for gas fees. The gas cost is minimal: fractions of a cent on L2.
Can I share bank details, not just crypto?
Yes. PayMeBack supports bank transfers (EFT), PayPal, Venmo, Cash App, Zelle, VALR Pay, cryptocurrency, and custom payment methods.
What happens if I lose my wallet?
Your encrypted profile is on-chain. If you recover your wallet (same private key), you can decrypt and access your profile again.
Can the link be intercepted?
The decryption key is in the URL fragment (#), which is never sent to servers. For maximum security, lock the link to a specific wallet address.
Can I revoke a link before it's used?
Yes. From your dashboard, you can revoke any active link. Once revoked, it can't be consumed.
What if the contract gets upgraded?
Your profile data lives in a separate, immutable contract. Only the access token logic can be upgraded. Your payment methods are never affected by upgrades.