English
German
Spanish
French
Turkish
Back to Guides
How Does a Crypto Payment Gateway Work? The Technical Guide
A crypto payment gateway looks simple on the outside (generate QR code, wait for payment) but is surprisingly rich underneath. It replaces the card network, the processor, and the merchant account with a blockchain, which means a different set of engineering problems: rate locks, chain reorgs, confirmation policies, key management, and fiat off-ramp.
This guide walks through the full technical lifecycle, including the invoice API, rate locking, mempool detection, confirmation policies, webhooks, custody models, and how on-chain funds turn into dollars in a bank account. Written for engineers, product leads, and technical founders.
Boost Your Business by Accepting Crypto Payments
High-Level Architecture
A production crypto payment gateway is not one service, it is a small constellation of services, each with a clear responsibility. The typical layout:
API layer
REST or GraphQL. Creates invoices, returns checkout URLs, exposes webhooks. Rate-limited, authenticated with HMAC or OAuth.
Pricing service
Fetches live rates from multiple sources (exchanges, oracles), medianizes, and locks a rate per invoice for 10 to 30 minutes.
Address generation
Derives a unique deposit address per invoice using HD wallet paths (BIP-32/44) or contract accounts for EVM chains. Each invoice gets its own address.
Blockchain indexer
Connects to full nodes or services like Alchemy, Infura, QuickNode. Watches the mempool and new blocks for inbound transactions to tracked addresses.
Confirmation engine
Applies per-asset, per-amount confirmation policies. Moves invoices through detected -> confirming -> completed.
Wallet and custody
Hot wallets for liquidity, cold wallets for reserves, MPC or HSM for key material. Sweeps inbound funds to consolidated wallets.
Webhook service
Signs, delivers, and retries merchant callbacks with exponential backoff. Stores delivery logs for debugging.
Off-ramp / conversion
Converts inbound crypto to stablecoins or fiat through exchange partners or OTC desks. Settles to merchant bank on T+0 or T+1.
Every one of these services is independently scalable, independently monitored, and usually independently deployed. The blockchain indexer and the confirmation engine are the two that sweat most under load.
The Invoice Lifecycle
Every crypto payment is an invoice. Here is the lifecycle from the merchant's POV:
- Create. Merchant calls
POST /invoiceswith amount, fiat currency, order ID, and a callback URL. Response includes the invoice ID, a list of supported assets, and a hosted checkout URL. - Display. Merchant redirects the buyer to the hosted checkout or embeds it in an iframe. Buyer picks an asset. Gateway returns a deposit address and the exact crypto amount at the locked rate.
- Detect. Buyer's wallet broadcasts the payment. Indexer picks it up from the mempool. Invoice state becomes
detected. Optional webhook fires. - Confirm. Gateway waits for the configured number of block confirmations (higher for large amounts, lower for stablecoins on fast chains). Invoice state becomes
confirmingthencompleted. - Settle. Funds are available in the merchant's gateway wallet. If auto-conversion is enabled, the gateway swaps to a stablecoin or initiates an off-ramp to fiat.
settledwebhook fires. - Expire or underpay. If the buyer pays late or short, the invoice transitions to
expired,underpaid, oroverpaidand an exception-handling path kicks in.
Good gateways expose every state transition as a distinct webhook so the merchant's order system can react correctly. Bad ones collapse everything into "paid/unpaid" and lose information.
Rate Locks and Pricing
Crypto prices move. Between the moment a buyer sees "0.0023 BTC" on the checkout and the moment their transaction mines, the price can shift 1 to 3%. Someone has to absorb that risk.
| Model | How it works | Risk falls on |
|---|---|---|
| Locked rate | Gateway fixes the crypto amount for 10 to 30 minutes. If the market moves, the gateway absorbs the gap. | Gateway |
| Floating rate | Invoice shows a fiat target; gateway credits whatever the buyer's transaction is worth at confirmation time. | Merchant |
| Variable tolerance | Locked rate with a ±1 to 2% underpayment tolerance. Payments slightly outside the band reject automatically. | Split |
Locked rates are the industry default because merchants want predictable revenue. Gateways hedge this exposure by holding inventory in stablecoins, running automated rebalancing, or purchasing forward hedges at scale. A 10 to 30 minute lock covers the statistical distribution of time-to-confirmation on all major chains.
Mempool Detection and Confirmation Policies
Two independent milestones drive the state machine:
Mempool detection. The moment a transaction is broadcast, full nodes see it in their mempools. A gateway's indexer watches either directly (running its own nodes) or indirectly (subscribing to a provider's websocket). For low-value payments on fast, final chains (Tron, Solana, L2s), mempool detection is often enough to release a digital good.
Block confirmations. The transaction is mined into a block. Each subsequent block is another confirmation. A block can in theory be orphaned by a chain reorganization (reorg), which is why gateways wait for several confirmations on slower, probabilistic chains.
| Chain | Block time | Typical confirmations | Finality |
|---|---|---|---|
| Bitcoin | ~10 min | 3 (small) to 6 (> $10k) | Probabilistic |
| Ethereum mainnet | ~12 sec | 12 to 30 | 2-epoch finality (~12 min) |
| Tron | ~3 sec | 1 to 2 | Near-instant |
| Solana | ~0.4 sec | 1 (confirmed) | Confirmed commitment |
| Polygon PoS | ~2 sec | 128 to 256 | Checkpointed to Ethereum |
| Arbitrum / Base | ~0.25 sec | 1 (L2) + optional L1 finality | Near-instant on L2 |
| Lightning Network | Instant | 0 (off-chain) | Instant |
Confirmation policy is a risk-management decision, not a technical one. A coffee shop does not need to wait six Bitcoin confirmations to release a $5 latte. A Lamborghini dealership absolutely does.
Edge Cases: Underpayment, Overpayment, Reorgs, Wrong Network
Real crypto checkouts spend most of their engineering budget on edge cases. The main ones:
- Underpayment. Buyer sends less than the invoiced amount (often because they forgot to include the network fee). Good gateways let the merchant configure a tolerance, auto-refund, or keep the invoice open for a top-up.
- Overpayment. Buyer sends too much. Default is to credit the extra to the order or auto-refund the difference. Merchant policy, not a technical constraint.
- Late payment. Buyer pays after the rate lock expired. Gateway either rejects, refunds, or credits at the new market rate. Each option has a different UX and accounting implication.
- Wrong network. Buyer sends USDC on Ethereum mainnet to an address expecting USDC on Polygon. Non-trivial to recover (requires private-key access to the original address on the new chain). Most gateways warn prominently and block obvious mistakes in the widget.
- Reorgs. A previously confirmed block is orphaned. A transaction that was
completedbecomes unconfirmed again. The confirmation engine reverts and re-tracks. Rare on modern chains but non-zero. - Stuck transaction. Buyer paid a gas price too low and the transaction sits in the mempool for hours. The gateway typically allows RBF (replace-by-fee) on Bitcoin or provides tooling to speed it up on EVM chains.
- Dust attacks and spam. Unrelated addresses send tiny amounts to the invoice address to complicate accounting. Indexer ignores sub-threshold transfers.
Ask any gateway vendor how they handle all seven of these. How they answer tells you how mature the platform is.
Webhooks, Idempotency, and Integration
The webhook is where the gateway meets the merchant's order system. Getting it right is the difference between a calm ops team and a miserable one.
- Events, not states. Good gateways fire separate events for
invoice.created,payment.detected,payment.completed,payment.settled,invoice.expired, andinvoice.underpaid. Each event has its own idempotency key. - Signed payloads. Every webhook should be signed with HMAC-SHA256 using a shared secret. The merchant verifies the signature before processing. Anything less is phishable.
- At-least-once delivery. The gateway retries with exponential backoff (1s, 5s, 30s, 2min, 15min, 1h...). The merchant must be idempotent: seeing the same event twice should produce the same result.
- Fast acknowledge, background process. The merchant should return HTTP 200 in under 500ms and push the heavy lifting to a queue. Webhook handlers that do business logic inline time out under load.
- Replay tooling. Good gateways let the merchant fetch and replay a webhook by event ID, for the inevitable moment an event was lost to a misconfigured firewall.
These patterns are identical to webhook best practices in fiat. The crypto specifics are about the events themselves (confirmations, reorgs, underpayments), not about the delivery model.
Custody Models and Key Management
Once crypto hits the gateway's address, someone has to hold the keys. This is the single biggest architectural decision.
Custodial
Gateway holds keys; merchant holds a balance in a dashboard. Easy for merchants, counterparty risk. Regulated as money transmission.
Non-custodial
Funds sweep to a merchant-controlled wallet immediately. No counterparty risk. Merchant takes on key-management ops.
Hybrid / MPC
Keys split between gateway and merchant via multi-party computation. Compromise of one side is insufficient.
Production-grade custody combines several techniques:
- HSMs (hardware security modules) for key material that cannot be exfiltrated.
- MPC or multisig for transaction authorization.
- Hot / warm / cold wallet tiers. Hot wallets hold only enough to meet short-term payout demand.
- Velocity and withdrawal limits to contain blast radius on compromise.
- Chain-analytics screening on every inbound address (Chainalysis, Elliptic, TRM) to reject sanctioned counterparties before crediting.
Off-Ramp: Turning On-Chain Payments into Bank Balances
Most merchants ultimately want dollars (or euros, or lira). The off-ramp is the service that converts inbound crypto into fiat and pushes it to a bank account.
Mechanically, the gateway aggregates inbound flows, routes them through a banking partner or exchange desk, and issues a SWIFT, SEPA, or ACH transfer to the merchant's nominated account. The operational specifics:
- Conversion venue. Licensed exchange partners (for regulated compliance), OTC desks (for large tickets with tight spreads), or on-chain AMMs (for non-fiat conversions).
- Spread. 0.5 to 1.5% on stablecoins, 1 to 3% on volatile assets, depending on size and venue.
- Settlement channels. SEPA and SEPA Instant in the EU (T+0), Faster Payments in the UK (T+0), ACH in the US (T+1-2), SWIFT for non-EUR/USD cross-border (T+1-3).
- Compliance. The off-ramp is where KYC/AML obligations bite. The merchant (the business) is onboarded once. Individual buyers are not KYC'd for the payment itself, though large transfers trigger FATF Travel Rule data sharing between the gateway and the receiving bank.
- Payout cadence. Real-time on each invoice (most transparent, more bank-fee overhead), daily sweep (most common), or on-demand via a dashboard (most flexible).
A merchant accepting crypto with automatic fiat off-ramp experiences a UX very similar to a fiat PSP: money appears in their bank. The fact that the customer paid in USDC on Tron is an implementation detail.
Boost Your Business by Accepting Crypto Payments
Get Started
Frequently Asked Questions
It creates a unique deposit address per order, watches the blockchain for the customer's payment, waits for the configured number of confirmations, and notifies the merchant via webhook - optionally converting the inbound crypto to a stablecoin or fiat along the way.
No. The gateway runs the nodes or uses infrastructure providers like Alchemy, Infura, or QuickNode. The merchant only sees the REST API and webhooks.
The gateway either auto-refunds the payment, credits it at the new market rate, or holds it for manual review - depending on the merchant's configured policy. Expired invoices are a solved edge case on any mature gateway.
For stablecoins on Tron or an Ethereum L2, 1 to 2 is enough. For Bitcoin, 3 confirmations under $10k and 6 above. For Ethereum mainnet, 12 to 30 confirmations covers two-epoch finality. High-value payments get stricter policies.
Once confirmed past the reorg window, no. A merchant can issue a refund as a new outbound transaction, but no third party can claw back funds the way a card issuer can. This is the core reason crypto gateways have no chargeback cost.
The gateway locks the exchange rate at invoice creation for 10 to 30 minutes. If the buyer pays inside that window, the merchant is credited the exact fiat amount. The gateway absorbs any market movement during the lock.
Mempool detection means the gateway has seen the unconfirmed transaction broadcast. A block confirmation means it has been mined into a block. Gateways use mempool detection for low-value / fast-chain payments and block confirmations for anything material.
Depends on the custody model. Custodial gateways hold the funds in a dashboard balance. Non-custodial gateways route funds directly to a merchant-controlled wallet on every payment. Hybrid MPC gateways split the keys between both parties.
For SEPA or SEPA Instant in the EU, same day or within minutes. For Faster Payments in the UK, minutes. For ACH in the US, 1 to 2 business days. For SWIFT cross-border, 1 to 3 days. The crypto leg is T+0; total time is gated by the banking rails.
At minimum: Bitcoin, Ethereum mainnet, Tron, Solana, and the major Ethereum L2s (Polygon, Arbitrum, Base). For stablecoins: USDT and USDC on multiple chains, plus ideally DAI and PYUSD. Coverage of 90% of global crypto volume is a reasonable target.
