TODA Twin Micropayment Proxy


Micropayments have traditionally been challenging to achieve, as the cost of executing and settling each transaction often exceeded the value of the transactions themselves. With its tiered integrity line architecture, clients can configure their TODA Twin to execute very small-valued payments without the burden of an excessive globally-settled ledger system.

TODA Twin Approach

The TODA Twin system features a dedicated micropayment subsystem purpose-dedicated for API-to-API (or machine-to-machine) payments. The TODA Twins serve both client and server HTTP proxies to attach and receive necessary payment.


Instead of directly making requests to a service provider's server, the end client instead makes the same request, but delivers it to their twin's outgoing payment proxy. They specify the payment type hash, payee address hash, and payment amount in this URL, as well as the desired destination URL. The API provider similarly does not route incoming API requests directly to their server, but routes them to the incoming payment proxy of their TODA twin. The service provider's twin is configured to only accept payments which meet the requisite type and amount. If these criteria are met, the TODA Twin forwards the request to the configured service provider URL.

API Specification

Outgoing Payment Proxy

The end client's TODA Twin proxy sits between the end client and the incoming payment proxy configured by the service provider. This proxy functions as a convenience to the end client, by attaching TODA payment automatically, in-line with the request. It accepts any HTTP method, and all request particulars are included in the forwarded request.


Requests made to the outgoing payment proxy are of the form: {METHOD} https://{twinUrl}/pay/{destinationAddress}/{paymentTypeHash}/{amount}/{destinationUrl}

The destination URL should represent the URI component encoding of the incoming proxy of the service provider.

For example: POST

The proxy will forwarded the POST request, along with the requested payment, to the destination URL.

An example request forwarded from the outgoing payment proxy:

"request":"POST /paywall/foobar"
"accept":"application/json, text/plain, */*"
"accept-encoding":"gzip, compress, deflate, br","connection":"close"
body: <binary>

Incoming Payment Proxy

The service provider's TODA Twin proxy sits between incoming requests and their server. The proxy only permits requests to continue to the server if they contain the required payment.


Three configuration parameters are required to be specified in the TODA Twin backend configuration:

  • targetUrl e.g. https://service.provider.example/secured/resource
  • targetPayType e.g. 4111861cfaa3fcb9a120aa4b231819403e5110ced4f8eae5312f5adb57b8260411
  • targetPayQuantity e.g. 15

Incoming requests

Incoming requests which contain attached TODA payment information added by the Outgoing Proxy are to be directed at the path /paywall/. They may be of any HTTP method.

Forwarded requests

All original headers, HTTP method, and body are forwarded to the service provider's secured resource. The TODA-specific headers are filtered prior to forwarding.


End client

The end client is the user, script, or machine initiating an HTTP API call to some service provider's API.

Service provider

The service provider is the entity who is securing a resource ('secured resource') by requiring payment in TODA before permitting access

Secured resource

The secured resource is any HTTP endpoint served by the service provider which can only be accessed through their configured Incoming Payment Proxy

TODA Twin Outgoing Payment Proxy

The outgoing payment proxy is an endpoint on the TODA Twin belonging to the end client, which automatically appends TODA payment to an outgoing HTTP request.

TODA Twin Incoming Payment Proxy

The incoming payment proxy is an endpoint on the TODA Twin belonging to the service provider, which only forwards incoming requests if they meet the required payment.

Other Concerns


Requests containing excessive payment are permitted access to the secured resource. The excess payment is deposited to the payee.


Requests containing insufficient payment are not permitted access to the secured resource. The payment is not deposited to the payee.

Service provider endpoint security

The Incoming Payment Proxy will only permit paid requests to be forwarded to the secured resource. However, it is the service provider's responsibility to ensure the secured resource is configured to only accept requests which have been so forwarded (and have not bypassed the proxy through some other network route).


Payments are settled upon receipt, in-line with the API request.

Data format and Logging

TODA files are attached using HTTP extension headers, prefixed with X-TODA-Pay, and encoded in Base64 in order to meet character encoding constraints. These headers, although large, are safe to log and do not contain any secrets or personal information. Although TODA files are bearer tokens, the bearer is established by the controller of secret cryptographic keys maintained in the TODA Twin, rather than access to the raw bytes of the TODA file.

Proxy pass-through

HTTP headers (including content-type, etc.), HTTP method, HTTP body, and encoded URL are all passed through the two TODA Twin proxies, and the request result is streamed back transparently. Some additional headers may be added, and in some cases the user agent string may be modified.