Prove Monero payments privately — no view key needed.
Live Demo · Quick Start · Features · Embed Widget · Report Bug
📑 Table of Contents
- ⚡ Overview
- ✨ Features
- 🌐 Live Demo
- ❓ Why XMRProof?
- 🚀 Quick Start
- 🔌 Embed Widget
- 🏗️ Architecture
- 🔒 Security
- 🚀 Deployment
- 🤝 Contributing
- 🗺️ Roadmap
- 📋 License
- 👏 Credits
- 🔗 Links
- 💬 Support
XMRProof is a stateless, privacy-first web tool for verifying Monero payment proofs using transaction private keys. Built for merchants, traders, and anyone who needs to verify Monero payments without sharing view keys.
- 🔒 100% Client-Side - All verification happens in your browser
- 🚀 Zero Cost - Deployed on Cloudflare Pages free tier
- 🎨 Modern UI - Text animations with scramble and hover effects
- 📄 PDF Export - Generate professional payment proof documents
- 🔌 Embeddable - Integrate into your website with iframe
- 🌐 Dual Network - Supports both mainnet and stagenet
- 🧪 Fully Tested - 29 unit tests, internal audit, 80% coverage target
- ✅ Payment Verification - Verify Monero payments using transaction private keys
- ✅ Dual Network Support - Full support for mainnet and stagenet
- ✅ Client-Side Processing - All cryptographic operations in browser
- ✅ Real-Time Results - Instant verification with amount, confirmations, and unlock status
- ✅ PDF Export - Generate professional payment proof documents with branding
- ✅ QR Code - Scannable QR code for easy proof sharing
- ✅ Text Animations - Scramble effect on load + TextPressure hover effect
- ✅ Responsive Design - Mobile-first design that works on all devices
- ✅ Loading States - 1-second loader with smooth transitions
- ✅ History Backup - Export/import encrypted transaction history
- ✅ Custom Node Warning - Privacy alerts when using custom RPC nodes
- ✅ 100% Stateless - Zero server-side storage, infinite scalability
- ✅ Privacy-First - No data collection, no tracking, no logs
- ✅ Security Hardened - Rate limiting, SSRF protection, CSP headers
- ✅ Embeddable Widget - Easy integration via iframe for external sites
- ✅ Free Forever - Deployed on Cloudflare Pages (zero cost)
- ✅ Fully Tested - Comprehensive test suite with internal audit
Production: xmrproof.pages.dev
Try it now:
- Select network (Mainnet or Stagenet)
- Enter transaction hash (64-char hex)
- Enter transaction private key (64-char hex)
- Enter receiving address
- Click "Verify Payment"
- Export PDF proof if verification succeeds
Monero's privacy features make payment verification challenging:
- CLI Complexity - Existing tools require command-line expertise and technical knowledge
- View Key Risk - Traditional verification requires sharing view keys, exposing entire transaction history
- Trust Issues - Buyers and sellers need trustless proof without compromising privacy
- Accessibility - Non-technical users struggle with wallet commands and RPC calls
XMRProof provides trustless payment verification using transaction private keys:
- ✅ No View Key Required - Verify single transactions without exposing wallet history
- ✅ Browser-Based - Simple web interface, no installation or CLI needed
- ✅ Cryptographic Proof - Mathematical verification using Monero's ring signatures
- ✅ Privacy-Preserving - All verification happens client-side in your browser
- ✅ Shareable Proofs - Generate PDF documents and QR codes for easy sharing
- Instant Verification - Confirm customer payments in seconds without waiting for wallet sync
- No Infrastructure - Embed widget directly into checkout pages
- Dispute Resolution - Customers provide tx_key as proof of payment
- Accounting - Export PDF receipts for bookkeeping and tax records
- Payment Confirmation - Verify client payments before starting work
- Invoice Matching - Link specific transactions to invoices
- Professional Receipts - Generate branded PDF proofs for clients
- Multi-Currency - Support both mainnet (production) and stagenet (testing)
- Trustless Verification - Neither party needs to trust the other's wallet
- Escrow Services - Third parties verify payments without accessing wallets
- Dispute Mediation - Cryptographic proof resolves payment disputes
- Privacy Protection - Verify single transactions without revealing full history
- Transaction Audits - Verify specific payments for compliance
- Financial Records - Export PDF proofs for accounting systems
- Tax Documentation - Generate verifiable payment records
- Multi-Network - Test on stagenet before mainnet deployment
- Embeddable Widget - Add verification to any website via iframe
- API-Ready - Stateless architecture enables easy integration
- Open Source - Audit and customize for specific needs
- Zero Backend - No server infrastructure required
- Node.js 20+
- npm or yarn
```bash
git clone https://github.com/teycir/xmrproof.git
cd xmrproof
npm install

# Development server
npm run dev

# Production build
npm run build
```
Static export in `out/` directory.
```bash
# Unit tests
npm test

# With coverage
npm run test:coverage

# Security tests
npm run test:security

# Stagenet testing with real transactions
# See TEST_GUIDE.md for complete instructions
```
See TEST_GUIDE.md for stagenet testing, tests/TESTING.md for unit tests, and MANUAL_TESTING.md for manual testing.
Integrate XMRProof verification into your website:
```html
<iframe
  src="https://xmrproof.pages.dev/embed"
  width="100%"
  height="600"
  frameborder="0"
  style="border: none; border-radius: 8px;"
></iframe>
```
Responsive wrapper:
```html
<div style="position: relative; padding-bottom: 100%; height: 0; overflow: hidden; max-width: 500px; margin: 0 auto;">
  <iframe
    src="https://xmrproof.pages.dev/embed"
    style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border: none;"
  ></iframe>
</div>
```
Visit xmrproof.pages.dev and click the "📋 Copy iframe" or "📋 Copy Widget" buttons.
See EMBED.md for more integration options.
- Frontend: Next.js 15 (static export)
- Deployment: Cloudflare Pages
- Verification: monero-javascript (WASM)
- Storage: None (100% stateless)
- RPC Proxy: Cloudflare Pages Functions
┌─────────────┐
│ Browser │ ← All verification happens here
│ (WASM) │ • Cryptographic operations
└──────┬──────┘ • Key derivation
│ • Signature verification
▼
┌─────────────┐
│ Pages Fn │ ← Stateless RPC proxy (read-only)
│ (Edge) │ • No storage or logging
└──────┬──────┘ • Rate limiting (in-memory)
│ • SSRF protection
▼
┌─────────────┐
│ Public Node │ ← Read-only blockchain queries
│ (Monero) │ • Transaction data
└─────────────┘ • Block confirmations
Why Stateless Architecture?
- Zero Cost - No database fees, no storage costs, runs on Cloudflare Pages free tier
- Infinite Scale - CDN-cached static site handles unlimited traffic
- Complete Privacy - No server-side storage means no data to leak or subpoena
- No Maintenance - No database to backup, migrate, or secure
- Resilience - No single point of failure, works even if backend fails
- Simplicity - No state synchronization, no cache invalidation
Technical Benefits:
- Edge Computing - Verification runs on Cloudflare's global network
- WASM Performance - Native-speed cryptography in browser
- Offline Capable - Can work offline after initial load (PWA-ready)
- Audit-Friendly - No hidden server logic, everything visible in browser
Zero-Knowledge Architecture:
- ✅ No server-side storage - All verification happens client-side in your browser
- ✅ No logging - Zero data collection, no request logs, no analytics
- ✅ No tracking - No cookies, no fingerprinting, no user profiling
- ✅ No data transmission - Transaction keys never leave your browser
- ✅ Open source - Fully auditable code, no hidden backdoors
What We DON'T Know:
- Your transaction hashes
- Your transaction private keys
- Your wallet addresses
- Your payment amounts
- Your IP address (not logged)
- Your browsing history
History Backup Encryption (Optional Feature):
If you choose to export transaction history, it's encrypted locally before download:
- Fingerprint-based (Default)
  - Automatic encryption using device characteristics
  - Canvas fingerprinting + hardware metrics + screen resolution
  - May break on browser/OS updates or different devices
  - Best for: Single-device usage
- Password-based (Recommended)
  - User-controlled encryption with custom password
  - PBKDF2 with 100,000 iterations + random salt
  - Stable across devices and updates
  - Best for: Multi-device usage or long-term storage
  - Configure in Settings component
Encryption Algorithm: AES-256-GCM (industry standard)
Rate Limiting
- Limit: 30 requests per minute per IP address
- Implementation: In-memory tracking (stateless, resets on worker restart)
- Purpose: Prevents DoS attacks and API abuse
- User Impact: Normal users never hit limits
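An added example (not XMRProof's implementation) of the in-memory limiter described above: a sliding window of 30 requests per minute keyed by client IP, plus the shape of a Pages Function guard that turns a refusal into a 429 with a `Retry-After` header. The class, its names and the fallback key are this example's own; `CF-Connecting-IP` is the header Cloudflare sets with the client address.

```javascript
// Added example: a sliding-window, in-memory rate limiter of the kind the
// README describes for the RPC proxy (30 requests per minute per client IP).
// The class and names are this example's own, not XMRProof's implementation.

const WINDOW_MS = 60_000;
const MAX_REQUESTS = 30;

class RateLimiter {
  // `now` is injectable so behaviour can be tested without real waiting.
  constructor({ windowMs = WINDOW_MS, max = MAX_REQUESTS, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.hits = new Map(); // client key -> timestamps of requests inside the window
  }

  // Records one request for `key` and reports whether it may proceed.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((stamp) => stamp > cutoff);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      // The oldest request still in the window decides when the client may retry.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.max - recent.length, retryAfterMs: 0 };
  }

  // Forget idle clients so a long-lived worker does not grow without bound.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (stamps.every((stamp) => stamp <= cutoff)) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Shape of a Pages Function guard: returns a 429 Response for a limited
// client, or null to let the request through. CF-Connecting-IP is the header
// Cloudflare sets with the client address; the 'unknown' fallback is an assumption.
function rateLimitGuard(request, limiter) {
  const ip = request.headers.get('CF-Connecting-IP') ?? 'unknown';
  const verdict = limiter.check(ip);
  if (verdict.allowed) return null;
  return new Response('Too Many Requests', {
    status: 429,
    headers: { 'Retry-After': String(Math.ceil(verdict.retryAfterMs / 1000)) },
  });
}
```

Because the map lives inside one worker instance, every Cloudflare isolate counts on its own and the counters vanish on restart, as the README notes; the figure is therefore a per-instance ceiling rather than a global one. Putting requests without a client header into a single shared bucket is the conservative choice: they compete for one allowance instead of bypassing the limit.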
SSRF Protection
- Blocks: localhost, 127.0.0.1, private IPs (10.x, 192.168.x, 172.16-31.x)
- Blocks: Link-local addresses (169.254.x.x), .local domains
- Purpose: Prevents attackers from scanning internal networks
- User Impact: Custom nodes must use public IPs with HTTPS
HTTPS Enforcement
- Requirement: All custom RPC nodes must use HTTPS
- Purpose: Prevents man-in-the-middle attacks
- Validation: Protocol checked before connection
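The SSRF and HTTPS rules above, as an added example of a custom-node URL check (not XMRProof's own code). It follows the README's list (HTTPS only; localhost, 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16 and `.local` names) and goes beyond it by also refusing `0.0.0.0`, `*.localhost` and the IPv6 loopback and unspecified addresses. The optional allowlist models `ALLOWED_CUSTOM_NODES` as a list of origins, which is an assumption about that setting's format; function names are this example's own.

```javascript
// Added example: validation of a user-supplied custom RPC node URL following
// the rules in the README (HTTPS only; block localhost, 127.0.0.0/8, 10.0.0.0/8,
// 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16 and .local names). It also
// rejects 0.0.0.0, *.localhost and the IPv6 loopback/unspecified addresses,
// which go beyond the README's list. Function names are this example's own.

function isBlockedIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isBlockedHostname(host) {
  return host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.local') ||
    host === '[::1]' || host === '[::]';
}

// `allowlist` models the README's ALLOWED_CUSTOM_NODES setting as a list of
// origins (an assumption about its format). When given, only those origins pass.
function validateCustomNode(input, allowlist = null) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'HTTPS required' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // The WHATWG URL parser has already normalised hosts such as 2130706433
  // or 127.1 to 127.0.0.1, so the comparison runs on the canonical form.
  const host = url.hostname.toLowerCase();
  if (isBlockedHostname(host)) return { ok: false, reason: 'local hostname' };
  if (isBlockedIPv4(host)) return { ok: false, reason: 'private or loopback address' };
  if (allowlist) {
    const allowed = allowlist.map((entry) => new URL(entry).origin);
    if (!allowed.includes(url.origin)) return { ok: false, reason: 'not in allowlist' };
  }
  return { ok: true, origin: url.origin };
}
```

Comparing the parsed hostname rather than the raw string is what makes the block list hold: a loopback address can be written in decimal, hexadecimal or shortened dotted form, and the parser collapses all of them to one spelling. What a string check cannot do is pin a name to an address, since a public hostname may resolve to a private one at fetch time; the proxy should therefore also refuse to follow redirects (`fetch` with `redirect: 'manual'`) and, where the platform exposes it, check the resolved address as well.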
Input Validation
- Transaction Hash: Must be 64-character hexadecimal
- Transaction Key: Must be 64-character hexadecimal
- Address: Validated against Monero address format
- Purpose: Prevents injection attacks and malformed requests
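An added example (not XMRProof's own code) of the three input rules above. The hash and key checks are exactly the 64-hex rule; the address check goes as far as format alone allows, namely Monero's base58 alphabet, the leading character and the total length per network and address type (standard, subaddress, integrated). It does not verify the base58 checksum, so a full implementation must still decode the address before use. Names are this example's own.

```javascript
// Added example: front-end input validation for the three proof fields,
// following the README's rules (64-hex transaction hash and key; address
// checked against Monero's format). Only the format is checked here: length,
// leading character and base58 alphabet per network and address type. The
// base58 checksum is not verified. Names are this example's own.

const HEX64 = /^[0-9a-f]{64}$/i;

// Monero's base58 alphabet omits 0, O, I and l.
const MONERO_B58 = /^[1-9A-HJ-NP-Za-km-z]+$/;

// [leading character, total length] for standard, sub- and integrated addresses.
const ADDRESS_FORMS = {
  mainnet:  { standard: ['4', 95], subaddress: ['8', 95], integrated: ['4', 106] },
  stagenet: { standard: ['5', 95], subaddress: ['7', 95], integrated: ['5', 106] },
};

function isHex64(value) {
  return typeof value === 'string' && HEX64.test(value);
}

// Returns 'standard' | 'subaddress' | 'integrated', or null when the value
// is not shaped like an address on the given network.
function classifyAddress(address, network) {
  const forms = ADDRESS_FORMS[network];
  if (!forms || typeof address !== 'string' || !MONERO_B58.test(address)) return null;
  for (const [type, [lead, length]] of Object.entries(forms)) {
    if (address[0] === lead && address.length === length) return type;
  }
  return null;
}

// Validates all fields at once so the UI can show every problem in one pass.
function validateProofInputs({ network, txHash, txKey, address }) {
  const errors = [];
  if (!(network in ADDRESS_FORMS)) errors.push('network must be mainnet or stagenet');
  if (!isHex64(txHash)) errors.push('transaction hash must be 64 hex characters');
  if (!isHex64(txKey)) errors.push('transaction key must be 64 hex characters');
  const addressType = classifyAddress(address, network);
  if (!addressType) errors.push(`address is not a valid ${network} address`);
  return { ok: errors.length === 0, errors, addressType };
}
```

Values are deliberately not trimmed or otherwise repaired: a pasted key with a stray character should fail visibly rather than be silently altered, and the caller decides whether to strip whitespace first. Rejecting malformed fields here keeps garbage out of the RPC path, but it says nothing about whether the payment is real; only the key-derivation check that follows can establish that.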
CSV Injection Prevention
- Sanitization: Neutralizes formula characters (=, +, -, @) in exports
- Purpose: Prevents code execution when opening CSV files
- Implementation: Automatic in all export functions
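The export sanitisation described above, as an added example (not XMRProof's own export code). It neutralises the README's trigger characters (`=`, `+`, `-`, `@`) with a leading apostrophe and, going beyond that list, treats a leading tab or carriage return the same way, since some spreadsheet software evaluates those too; it also applies RFC 4180 quoting so a cell cannot break the row structure. Function names are this example's own.

```javascript
// Added example: CSV export sanitisation of the kind the README describes,
// neutralising cells that a spreadsheet would evaluate as formulas. It
// prefixes the README's trigger characters (=, +, -, @) and, going beyond
// that list, also tab and carriage return. Function names are this example's own.

const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Escape one cell for RFC 4180 output with formula triggers neutralised.
function sanitizeCsvCell(value) {
  let cell = value == null ? '' : String(value);
  // A leading apostrophe makes spreadsheets treat the cell as literal text.
  if (cell.length > 0 && FORMULA_TRIGGERS.has(cell[0])) cell = "'" + cell;
  // Quote when the cell contains the delimiter, a quote or a line break.
  if (/[",\r\n]/.test(cell)) cell = '"' + cell.replace(/"/g, '""') + '"';
  return cell;
}

// Builds a CSV document from row objects; header names are sanitised too,
// because a column name is a cell like any other.
function toCsv(rows, columns) {
  const lines = [columns.map(sanitizeCsvCell).join(',')];
  for (const row of rows) {
    lines.push(columns.map((column) => sanitizeCsvCell(row[column])).join(','));
  }
  return lines.join('\r\n');
}
```

One consequence of including `-` in the trigger set, as the README does, is that a negative number such as `-0.5` is exported as text rather than as a number. For a payment-proof export that is the right trade: amounts in Monero are never negative, so a leading minus in an exported cell is never a legitimate value.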
Timeout Protection
- Limit: 30-second timeout on all RPC operations
- Purpose: Prevents hanging requests and resource exhaustion
- User Impact: Fast failure instead of infinite waiting
Error Boundaries
- Coverage: All React components wrapped in error boundaries
- Purpose: Graceful degradation, prevents full app crashes
- User Impact: Friendly error messages instead of blank screens
Content Security Policy (CSP)
```text
default-src 'self'
script-src 'self' 'wasm-unsafe-eval'
style-src 'self' 'unsafe-inline'
connect-src 'self' https://rpc.xmrproof.dev
frame-ancestors 'none'
object-src 'none'
```
- Purpose: Prevents XSS attacks, clickjacking, and code injection
- Effect: Only trusted scripts can execute
Security Headers
- X-Frame-Options: DENY - Prevents clickjacking attacks
- X-Content-Type-Options: nosniff - Prevents MIME-type confusion
- Referrer-Policy: strict-origin-when-cross-origin - Limits referrer leakage
- Purpose: Defense-in-depth against common web attacks
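An added example (not the project's own `public/_headers` file) of how the policy and headers listed above are written in the Cloudflare Pages `_headers` format. One caveat worth checking in any deployment: `frame-ancestors 'none'` together with `X-Frame-Options: DENY` also stops the `/embed` widget from loading inside an iframe, so the example gives that path its own rule. How XMRProof actually scopes its policy is not stated here and is an assumption, as is the use of `!` to detach the site-wide headers before setting a replacement.

```text
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://rpc.xmrproof.dev; frame-ancestors 'none'; object-src 'none'
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin

/embed
  ! X-Frame-Options
  ! Content-Security-Policy
  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://rpc.xmrproof.dev; frame-ancestors https:; object-src 'none'
```

Detaching the site-wide CSP on `/embed` is necessary rather than cosmetic: when a response carries two Content-Security-Policy headers the browser enforces both, so a lingering `frame-ancestors 'none'` would still block the frame. `frame-ancestors https:` lets any HTTPS page embed the widget, which is what "embed on any website" asks for; a deployment that knows its embedding sites should list their origins instead.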
CORS Protection
- Production: Origin validation for API endpoints
- Purpose: Prevents unauthorized cross-origin requests
- Implementation: Cloudflare Pages Functions middleware
No Dangerous APIs
- ❌ `eval()` - Banned
- ❌ `Function()` constructor - Banned
- ❌ `dangerouslySetInnerHTML` - Banned
- ✅ Safe rendering only
Memory Leak Prevention
- Proper cleanup in useEffect hooks
- Event listener removal
- Timer cancellation
- Purpose: Prevents browser slowdown and crashes
Dependency Security
- Regular `npm audit` checks
- Minimal dependency tree
- Trusted packages only (monero-javascript, Next.js)
- Automated security updates
Automated Tests:
```bash
npm run test:security   # 13 security-focused tests
```
Test Coverage:
- ✅ SSRF prevention (7 tests)
- ✅ Rate limiting (6 tests)
- ✅ CSV injection prevention (5 tests)
- ✅ Input validation
- ✅ Error handling
Manual Security Audit: See SECURITY_AUDIT.md for comprehensive security review.
What XMRProof Protects Against:
- ✅ Server-side data breaches (no data stored)
- ✅ Man-in-the-middle attacks (HTTPS enforced)
- ✅ XSS attacks (CSP + input validation)
- ✅ SSRF attacks (IP blocking)
- ✅ DoS attacks (rate limiting)
- ✅ CSV injection (sanitization)
- ✅ Clickjacking (X-Frame-Options)
What Users Must Protect:
- ⚠️ Transaction Private Keys - Never share, treat like passwords
- ⚠️ Custom RPC Nodes - Only use trusted nodes (privacy warning shown)
- ⚠️ Browser Security - Keep browser updated, use HTTPS
- ⚠️ Device Security - Malware can steal keys from clipboard/memory
Out of Scope:
- ❌ Wallet security (use hardware wallets)
- ❌ Network-level privacy (use Tor/VPN if needed)
- ❌ Blockchain analysis (Monero's privacy features handle this)
Option 1: Automatic (Git-based)
```bash
# Push to GitHub - Cloudflare Pages auto-deploys
git push origin main
```
Option 2: Manual (Wrangler)
```bash
# Requires Node.js 20+
npm run build
./deploy.sh
```
Option 3: Direct Wrangler
```bash
npm run build
npx wrangler pages deploy out --project-name=xmrproof
```
None required! Fully stateless architecture.
Optional Configuration:
Copy .env.example to .env.local for optional settings:
```bash
cp .env.example .env.local
```
Available Options:
- `ALLOWED_CUSTOM_NODES` - Whitelist custom RPC nodes (comma-separated HTTPS URLs)
- `NEXT_PUBLIC_APP_URL` - App URL for CORS validation
- `NEXT_PUBLIC_RPC_PROXY_URL` - Custom RPC proxy endpoint (defaults to `/api/rpc`)
See .env.example for details.
Configure via Cloudflare Pages dashboard:
- Go to Pages project settings
- Add custom domain
- Update DNS records
- SSL/TLS auto-enabled
- ✅ Static export configured (`output: 'export'`)
- ✅ Security headers in `public/_headers`
- ✅ Pages Function at `/api/rpc`
- ✅ Rate limiting enabled
- ✅ SSRF protection active
- ✅ Error boundaries in place
- ✅ Input validation on all user inputs
- ✅ HTTPS enforcement for custom nodes
Contributions welcome! Please read our Contributing Guidelines before submitting PRs.
Key Principles:
- Security-first - All changes must maintain privacy guarantees
- Stateless - No server-side storage allowed
- Minimal - Keep dependencies lean
- Tested - Include tests for new features
See .amazonq/rules/ for:
- `security-first.md` - Security requirements
- `stateless-architecture.md` - Architecture constraints
- `error-handling.md` - Error handling patterns
- `refactoring.md` - Code quality standards
- Basic payment verification
- Mainnet + Stagenet support
- Client-side verification
- PDF proof export
- QR code generation
- Embeddable widget
- Text animations (scramble + hover effects)
- Security hardening (rate limiting, SSRF protection)
- Mobile responsive design
- Custom RPC node selection
- History backup/restore (export/import)
- Custom node privacy warnings
- Password-based encryption option
- Multi-language support (i18n)
- Wallet integration guides (collapsible)
- Dark/light theme toggle
- Transaction history (client-side only)
- Browser extension
- Mobile app (React Native)
- Batch verification
- API for developers
MIT License - see LICENSE
Built by Teycir
- Next.js 15 / Cloudflare specialist
- Privacy-focused development
- Custom Monero tools available
- 🌐 Website: xmrproof.pages.dev
- 📦 GitHub: github.com/teycir/xmrproof
- 🐛 Issues: github.com/teycir/xmrproof/issues
- 📖 Architecture: ARCHITECTURE.md
- 🔒 Security: SECURITY.md
- 📊 Security Audit: SECURITY_AUDIT.md
- 📋 Implementation: IMPLEMENTATION_PLAN.md
- 🗺️ Roadmap: ROADMAP.md
- 🔌 Embed Guide: EMBED.md
- 🧪 Testing Guide: tests/TESTING.md
- 🧪 Stagenet Test Guide: TEST_GUIDE.md
- 📝 Manual Testing: MANUAL_TESTING.md
- ✅ Verification: VERIFICATION.md
- 🔒 Sanctum Vault: sanctumvault.online - Zero-trust encrypted vault with plausible deniability
- ⏱️ TimeSeal: timeseal.online - Cryptographic timestamping service
- 👻 Ghost Chat: ghost-chat.pages.dev - Ephemeral P2P encrypted messaging
Found this useful? Star the repo ⭐
Need custom tools? Get in touch
Built with ❤️ and 🔒 by Teycir Ben Soltane