A PayJoin is a special type of Bitcoin transaction where the recipient of a payment also contributes at least one input to the transaction. This breaks the common common-input-ownership heuristic used by blockchain analysis firms, which assumes all inputs in a transaction belong to the same entity (the sender). By mixing sender and receiver funds in a single, cooperative transaction, PayJoin makes it significantly harder for third parties to determine the true payment flow and de-anonymize the participants. It is a non-custodial privacy technique that does not require a trusted third party.
LABS
Glossary
PayJoin
A Bitcoin transaction protocol that enhances privacy by allowing a sender and receiver to combine their inputs in a single transaction, breaking the common-input-ownership heuristic.
Chainscore © 2026
definition
PRIVACY PROTOCOL
What is PayJoin?
PayJoin, also known as a Collaborative Transaction or P2EP (Pay to Endpoint), is a Bitcoin transaction protocol designed to enhance financial privacy by obfuscating the link between a sender and a receiver.
The protocol works through a collaborative handshake. When a payer initiates a payment, the recipient's wallet software (which must support PayJoin, like BTCPay Server) generates a special payment request containing a partially signed Bitcoin transaction (PSBT). The payer's wallet adds its inputs and outputs, signs its portion, and returns it. The recipient then adds their own input, signs, and broadcasts the final transaction. Crucially, the transaction appears as a standard multi-input payment on-chain, but the economic reality—a net transfer of value from one party to another—is concealed.
Key benefits of PayJoin include improved privacy for both parties, cost efficiency (as it can reduce transaction fees by consolidating UTXOs), and regulatory compliance-friendliness compared to mixing services, as it involves only the direct counterparties. A major implementation is BIP 78, which standardizes the communication protocol between wallets. While powerful, its adoption depends on wallet support and requires both sender and receiver to use compatible software, making it a cooperative opt-in privacy solution within the existing Bitcoin protocol.
etymology
TERM ORIGIN
Etymology and Origin
The term **PayJoin** is a portmanteau and a technical protocol designed to enhance Bitcoin transaction privacy by obfuscating the common input-ownership heuristic.
The word PayJoin is a compound of "Pay" and "Join", directly describing the protocol's core mechanism: a payment where the sender and receiver join their unspent transaction outputs (UTXOs) as inputs in a single, collaborative transaction. This stands in contrast to a standard Bitcoin payment, where only the sender's UTXOs are used as inputs. The term emerged from the broader Bitcoin privacy community as a more specific and descriptive name for what was previously known as a P2EP (Pay to EndPoint) transaction or a CoinJoin-style payment.
The conceptual origin of PayJoin is deeply rooted in addressing a fundamental privacy leak in Bitcoin's UTXO model. Blockchain analysts use common-input-ownership heuristic, which assumes all inputs to a transaction are controlled by the same entity. By having two parties co-sign a transaction with their respective inputs, this heuristic is broken, making it significantly harder for third parties to determine the payment's sender, receiver, and amount. The protocol was formally proposed and refined by developers and researchers like Adam Ficsor and others, building upon the privacy foundations laid by earlier concepts like CoinJoin.
The development of the BIP 78 standard was a pivotal moment in PayJoin's history. This Bitcoin Improvement Proposal provides a standardized, interoperable protocol for wallets to negotiate and construct these transactions. Before BIP 78, implementing PayJoin required custom, non-interoperable solutions. The standardization effort, led by developers including Dan Gould, aimed to make the privacy-enhancing technique accessible to any wallet that chose to implement it, promoting wider adoption and better user privacy across the ecosystem.
In practice, a PayJoin transaction appears on-chain as a perfectly ordinary transaction, but its internal structure tells a different story. For example, if Alice pays Bob 0.5 BTC, a classic PayJoin would have one input from Alice (1.0 BTC) and one from Bob (0.2 BTC), with outputs going to Bob (0.7 BTC change) and a new address for Alice (0.5 BTC). To an external observer, it is unclear if this was a payment from Alice to Bob, Bob to Alice, or a payment to a third party, effectively adding plausible deniability to the transaction graph.
key-features
PAYJOIN
Key Features and Characteristics
PayJoin is a privacy-enhancing Bitcoin transaction protocol that breaks the common-input-ownership heuristic by creating a transaction with inputs from multiple participants.
01
Breaks Heuristic Analysis
Standard Bitcoin transactions assume all inputs are controlled by the same entity (common-input-ownership heuristic). PayJoin breaks this by creating a collaborative transaction where the sender and receiver both contribute inputs and receive outputs, making it impossible for external observers to definitively link the payment to a single party.
02
P2EP (Pay-to-Endpoint) Structure
The core mechanism is Pay-to-Endpoint (P2EP), where the payment receiver provides a fresh UTXO as an input to the transaction. This creates a transaction with a mixed set of inputs, obscuring the flow of funds. The protocol is often implemented via BIP 78, which standardizes the communication between wallets.
03
Improves Privacy Without Mixing
Unlike CoinJoin, which requires coordinating multiple parties for a dedicated mixing round, PayJoin enhances privacy as a byproduct of a legitimate payment. It does not require a trusted third party or change the fundamental trust model of Bitcoin, making it a practical, incremental privacy improvement.
04
Sender & Receiver Benefits
- Sender: Gains plausible deniability, as on-chain analysis cannot confirm they were the sole funder of the payment.
- Receiver: Improves the privacy of their entire UTXO set by receiving funds into a new output that is cryptographically linked to an input they controlled, breaking common ownership assumptions.
06
Limitations and Considerations
- Not Anonymous: Improves privacy but does not provide full anonymity like Chaumian CoinJoin.
- Requires Cooperation: Both parties must run compatible software.
- Fee Implications: The receiver pays fees for their input, which may slightly increase total transaction cost.
- Blockchain Analysis: Sophisticated analysis may still infer participant roles through timing or amount analysis.
how-it-works
MECHANISM
How PayJoin Works: Step-by-Step
A technical walkthrough of the PayJoin protocol, detailing the collaborative transaction flow between a sender and a receiver to enhance Bitcoin privacy.
A PayJoin transaction, also known as a P2EP (Pay to Endpoint), is a collaborative Bitcoin transaction initiated when a sender pays a receiver. Unlike a standard payment where the receiver provides only a destination address, in a PayJoin, the receiver also contributes at least one of their own unspent transaction outputs (UTXOs) to the transaction. This creates a single transaction with inputs from both parties, which is then cooperatively signed and broadcast to the network. The critical privacy benefit is that on-chain observers cannot definitively distinguish which output is change and which is the payment, breaking the common-input-ownership heuristic used by chain analysis firms.
The protocol begins with the BIP78 specification, which standardizes the communication. The sender's wallet first requests a payment from the receiver's server using a BIP21 URI that includes a pj= parameter. The receiver's server responds with a PSBT (Partially Signed Bitcoin Transaction) that is partially constructed. This PSBT already contains the receiver's contribution: one or more of their UTXOs as inputs and a corresponding output back to themselves. The sender's wallet then adds its own payment input and destination output, ensures the transaction is balanced, signs its part, and returns the PSBT to the receiver for final signing.
A key operational requirement is that the transaction must obey the No Value Increase rule. The total output value cannot exceed the total input value; otherwise, the transaction would create money. To prevent this, the receiver typically designates one of their outputs as a change output. The sender verifies this rule before signing. Furthermore, implementations often use output swapping, where the order of outputs is randomized between the payment and change outputs to further obfuscate their purpose. Wallets must also handle edge cases like fee management and ensuring the collaborative transaction remains economically rational for both participants.
From a network perspective, a completed PayJoin transaction appears as a standard Bitcoin transaction with multiple inputs and multiple outputs. However, its internal structure subverts analytical assumptions. Chain surveillance tools that rely on identifying the sender's change output based on new address creation or precise output values are confounded, as both outputs are effectively new to the network and their values do not neatly conform to a simple 'payment minus fee' pattern. This increases the anonymity set for the coins of both parties, providing stronger privacy guarantees than sequential, independent transactions.
examples
PAYJOIN
Examples and Implementations
PayJoin is implemented through specific transaction protocols and wallet integrations that enable collaborative, privacy-enhancing payments. These examples demonstrate the practical applications and technical variations of the concept.
02
P2EP (Pay-to-End-Point)
An earlier conceptual precursor to PayJoin, Pay-to-End-Point describes the core mechanism where the receiver contributes an input to the transaction. This breaks the common-input-ownership heuristic used by chain analysis firms, as the transaction now has inputs controlled by two separate entities. It is the foundational privacy principle that BIP 78 and other implementations operationalize.
04
v2 vs. v1 PayJoin
Two primary structural variants exist:
- v1 PayJoin: The receiver adds a new change output to the transaction. This is simpler but can sometimes be filtered by heuristics looking for non-standard output counts.
- v2 PayJoin (P2PEP): The receiver replaces one of the sender's intended output values. This results in a transaction that is indistinguishable from a standard 2-party payment, offering stronger privacy by preserving the standard input/output count pattern.
05
Liquid Network's Confidential PayJoin
An advanced implementation on the Liquid sidechain that combines PayJoin with Confidential Transactions (CT). This allows the amounts of the receiver's input and any change outputs to be cryptographically blinded, while still proving the transaction is valid. It provides a stronger privacy guarantee than PayJoin on the base Bitcoin layer alone.
06
Limitations & Considerations
While powerful, PayJoin has practical constraints:
- Requires Coordination: Both parties must be online and use compatible software.
- Fee Management: The receiver pays fees for their input, which may require economic incentives.
- Partial Anonymity Set: Privacy improves with each use but does not create a large shared anonymity set like a CoinJoin. It is most effective for breaking direct input-linkability between sender and receiver.
PRIVACY PROTOCOLS
PayJoin vs. CoinJoin: A Comparison
A technical comparison of two Bitcoin transaction privacy techniques, highlighting their core mechanisms and trade-offs.
| Feature / Metric | PayJoin (P2EP) | CoinJoin |
|---|---|---|
Core Mechanism | Sender and receiver collaborate on a single transaction | Multiple, unrelated parties combine inputs in one transaction |
Primary Privacy Goal | Break common-input-ownership heuristic | Break common-input-ownership heuristic |
Transaction Graph Obfuscation | Links sender and receiver, but obfuscates change output | Creates a dense, non-linear cluster of inputs and outputs |
Minimum Participants | 2 (sender + intended receiver) | 3+ (coordinator + multiple payers) |
Coordination Required | Direct, peer-to-peer between transaction parties | Via a coordinator server or protocol (e.g., Chaumian) |
Fungibility Impact | Increases by disguising change as a co-payment | Increases by creating uniform, indistinguishable outputs |
On-Chain Footprint | Appears as a standard 2-of-2 transaction | Appears as a large, multi-party transaction |
Implementation Complexity | Medium (requires receiver infrastructure) | High (requires coordination and round protocols) |
security-considerations
PAYJOIN
Security and Privacy Considerations
PayJoin is a privacy-enhancing Bitcoin transaction protocol that breaks the common-input-ownership heuristic by having the recipient also contribute an input to the payment, making transaction graph analysis more difficult.
01
Breaking the Common-Input-Ownership Heuristic
A core privacy vulnerability in Bitcoin is the common-input-ownership heuristic, which assumes all inputs in a transaction are controlled by the same entity. PayJoin breaks this by structuring a transaction where:
- The sender provides one or more inputs to pay the recipient.
- The recipient also contributes at least one of their own unspent transaction outputs (UTXOs) as an input.
- This creates a transaction with inputs from two distinct parties, confusing blockchain analysis tools that rely on this heuristic to cluster addresses.
02
Implementation: P2EP and BIP 78
PayJoin is standardized primarily through two methods:
- Pay-to-EndPoint (P2EP): An early implementation where the recipient's input is added to a transaction, increasing its size and breaking the change output pattern.
- BIP 78 (A Simple PayJoin Proposal): The current standard. A sender's wallet requests a PayJoin from a recipient's server using a BIP 21 URI with a
pj=parameter. The recipient's server constructs and returns a partially signed Bitcoin transaction (PSBT) for the sender to sign and broadcast. This requires coordination but is supported by wallets like Wasabi Wallet and BTCPay Server.
03
Privacy vs. Fungibility Gains
PayJoin enhances privacy but has specific limitations:
- Strengthens Fungibility: It makes it harder for surveillance firms to taint coins by linking sender and recipient addresses, preserving the equal value of all bitcoins.
- Not Complete Anonymity: Sophisticated analysis may still infer participation in a PayJoin based on timing, amount patterns, or IP metadata if not using Tor.
- Amount Correlation: The net amount paid (sender inputs minus recipient input) is still visible on-chain, which can be correlated with invoice amounts.
04
Security Considerations for Participants
Implementing PayJoin requires careful security design to prevent attacks:
- Double-Spend Risk for Recipient: The recipient must not broadcast their signed version of the transaction until confirming the sender has not double-spent the inputs. This is typically managed by the PayJoin server logic.
- Fee Management: Transaction fees must be allocated fairly between participants, often split proportionally to their input values.
- Input Selection: Participants should avoid using UTXOs with distinctive histories (e.g., from a known exchange) to prevent weakening the privacy benefit.
05
Limitations and Detection Vectors
While disruptive, PayJoin transactions are not undetectable and have identifiable on-chain patterns:
- No Change Output: A key signal is a transaction where the sum of outputs is less than the sum of inputs, with no obvious change output, violating typical wallet behavior.
- Round Amounts: Transactions where one output is a round, merchant-like amount (e.g., 0.05 BTC) can be a heuristic for identifying the payment leg.
- Future Analysis: As adoption grows, chain analysis may develop new heuristics to probabilistically identify PayJoin transactions, creating a continuous privacy arms race.
06
Comparison to CoinJoin
PayJoin is often compared to CoinJoin, another privacy technique, but serves a different use case and model:
| Aspect | PayJoin | CoinJoin |
|---|---|---|
| Purpose | Privacy for a payment between two parties. | Privacy for consolidation among many coordinated parties. |
| Participants | 2 parties (sender & recipient). | Dozens to hundreds of anonymous participants. |
| Trust Model | Requires trust/coordination with the payment counterparty. | Trustless coordination via a coordinator (e.g., Wasabi). |
| On-chain Footprint | A single transaction. | A large, multi-input, multi-output transaction. |
| PayJoin is better suited for everyday commerce, while CoinJoin is for proactive wallet cleanup. |
FAQ
Common Misconceptions About PayJoin
PayJoin is a privacy-enhancing Bitcoin transaction protocol, but its mechanics are often misunderstood. This section clarifies frequent points of confusion.
No, PayJoin and CoinJoin are distinct privacy protocols. PayJoin (P2EP) is a collaborative transaction where the sender and receiver both contribute inputs and outputs, making the transaction appear like a normal payment. CoinJoin is a cooperative transaction where multiple participants combine their inputs and outputs to create a single, larger transaction that obscures the link between sender and receiver. While both enhance privacy, PayJoin is typically a two-party protocol integrated into a payment flow, whereas CoinJoin often involves many participants in a dedicated mixing round.
PAYJOIN
Frequently Asked Questions (FAQ)
Common questions about PayJoin, a privacy-enhancing Bitcoin transaction protocol that improves fungibility by obscuring the link between sender and receiver.
PayJoin (also known as P2EP or BIP 78) is a collaborative Bitcoin transaction protocol where the recipient contributes one or more of their own unspent transaction outputs (UTXOs) to the payment they are receiving. Instead of a simple one-input, two-output transaction (payment + change), a PayJoin creates a transaction with inputs from both the sender and the receiver, and outputs to both parties. This breaks the common-input-ownership heuristic used by blockchain analysts, as the transaction's inputs are controlled by different entities, making it significantly harder to determine which output is change and which is the actual payment, thereby enhancing financial privacy.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall