Open-Source Crypto Payment Gateways: Top 5 Solutions Compared
Published June 2, 2026 · 18 min read

You're tired of three things: 2–5% processor fees that compound into real money at scale, mandatory KYC enrollment that drags your customers into someone else's compliance funnel, and infrastructure lock-in that means a vendor's roadmap dictates your product timeline. That's why you're shopping for an open-source crypto payment gateway — you want the control surface back. Fair warning: open-source is not free. It's a trade. You exchange a managed vendor's overhead for your own ops cycle — patching, uptime, mempool watch duty at odd hours. This piece compares five solutions you're probably already evaluating: BTCPay Server, CoinGate, Cryptomus, PassImPay, and WavePay — across deployment topology, custody posture, license terms, and the total cost of ownership nobody puts on the pricing page.

When Open-Source Becomes Your Competitive Advantage (Not Just a Cost Cut)

Most operators evaluate an open-source crypto payment gateway on a single axis: "free." That's the wrong axis. The axis that matters is control surface — who decides fee policy, which chains you list, when customer data is purged, and whether a vendor can deplatform you mid-quarter because a compliance team in another time zone updated a risk model.

Three business archetypes structurally require self-hosting or a non-custodial protocol:

The Marketplace Operator. You run a multi-vendor platform — an NFT marketplace, a freelance escrow product, a digital goods storefront with thousands of sellers. You cannot route every vendor payout through a single MSB-licensed processor without inheriting KYC overhead for every vendor on your platform. Self-hosted or non-custodial link-based routing keeps each vendor's tax and regulatory posture independent. It's the difference between operating a payment platform and becoming a payment processor by accident.

The Payment Service Provider. You're reselling crypto checkout to sub-merchants. Margin only exists if processor fees are zero or near-zero. A managed gateway at 1–2% destroys the resale model before it starts. You need the underlying infrastructure to be yours.

The High-Volume Merchant. Above roughly $100K/month in crypto volume, the fee delta between 1% managed processing and about 0.1% in on-chain costs (gas plus DEX aggregator fee) covers a full-time DevOps salary. The math is uncomfortable for managed gateways above that volume threshold.

Now the hidden costs of managed solutions that nobody mentions in a sales call:

  • Fee bleed compounds. A 1% fee on $200K monthly volume is $24K/year. That's not noise — that's a hire.
  • Feature lock-in. You can't add a niche chain like Sei, Berachain, or a new L2 without your vendor's roadmap approval. Your product velocity inherits theirs.
  • Vendor risk. Sudden KYC tightening, a regional service withdrawal, or a multi-day outage can freeze settlement during your biggest sales window.
  • Data residency. Managed processors centralize customer wallet addresses, creating a honeypot you didn't ask for and can't audit.

Then there are the trade-offs you accept when you go open-source or self-hosted:

  • You own the security patch cycle — Bitcoin Core upgrades, Lightning channel rebalancing, smart contract audits if you fork.
  • You own uptime. Managed gateways publish 99.9% SLAs; your VPS does not, unless you build for it.
  • You own customer support escalation when a transaction is stuck in the mempool at 2 a.m. and your largest customer is on the phone.

Open-source doesn't eliminate payment processing risk. It transfers it from a vendor to your team — and the right question is which risk your team is actually equipped to absorb.

WavePay is in this review because it sidesteps several of those ops burdens — no server-side fund custody, no liquidity ops (handled by 1inch Fusion+) — while preserving the non-custodial property that pure self-hosters actually want. It's not classically open-source in the MIT/AGPL sense, but it sits in the same decision matrix as self-hosted payment processing for anyone optimizing for vendor independence and non-custodial fund flow.


The Feature Matrix That Actually Separates These Five Gateways

Surface-level comparisons — "Does it accept Bitcoin? Ethereum?" — miss what actually breaks integrations once you're live. The eight criteria below are the ones that, if you get them wrong, force a re-platform within 12 months. The criteria aren't features; they're the load-bearing decisions.

  • Chain and token breadth — single-chain solutions force you to ship multiple integrations later.
  • Custody model — determines your MSB or VASP exposure.
  • Cross-chain swap — without it, a customer's USDC-on-Polygon can't pay a merchant who wants USDT-on-Tron without manual treasury work.
  • Deployment surface — Docker-only vs. bare-metal vs. SaaS-hybrid changes who on your team can run it.
  • License — MIT lets you fork and close-source; AGPL forces you to publish modifications.
  • API surface — REST vs. webhook-only vs. GraphQL changes integration time by an order of magnitude.
  • Plugin ecosystem — WooCommerce, Shopify, Magento plugins existing or not.
  • Support tier — community Discord vs. paid SLA.

| Criterion | BTCPay Server | CoinGate | Cryptomus |
|---|---|---|---|
| Chain/token breadth | BTC, LN, ETH, LTC, XMR + altcoin plugins | 70+ coins (managed) | 30+ coins |
| Custody model | Merchant-custodial (self-hosted) | Custodial | Custodial / semi-custodial |
| Cross-chain swap | Not native; manual | Yes (CoinGate's books) | Yes (in-platform) |
| Deployment | Docker, bare metal, VPS | SaaS only | SaaS + limited self-host |
| License | MIT | Proprietary | Proprietary |
| API maturity | REST + webhooks + Greenfield | REST + webhooks | REST + webhooks |
| Plugins | WooCommerce, Shopify, Magento, Drupal | WooCommerce, Magento, OpenCart | WooCommerce, WHMCS |
| Support | Community Discord + paid integrators | Email + SLA tiers | Ticketed + Telegram |

| Criterion | PassImPay | WavePay |
|---|---|---|
| Chain/token breadth | 20+ coins, EVM-focused | Multi-chain via 1inch Fusion+ (EVM + L2s) |
| Custody model | Custodial on their nodes | Non-custodial (direct to user wallet) |
| Cross-chain swap | Yes (in-platform) | Yes (1inch Fusion+ atomic) |
| Deployment | On-premise enterprise | Decentralized (no server to host) |
| License | Proprietary | Proprietary (non-custodial protocol) |
| API maturity | REST | Payment-link API + webhooks |
| Plugins | WooCommerce, custom | Link-embed (works anywhere a URL works) |
| Support | Enterprise account mgmt | Docs + community |

A few patterns jump off the matrix once you read it twice.

BTCPay Server is the only true open-source choice by license. The other four are proprietary even where they offer on-premise deployment. That matters if your business model requires forkability, or if your jurisdiction's procurement rules favor OSS, or if you simply want the ability to audit the code that touches your customers' money.

CoinGate, Cryptomus, and PassImPay are custodial. All three hold customer funds during settlement. That's a regulated activity in most jurisdictions and pulls you into AML and CFT obligations even when you're not the named custodian on paper. Your customers' funds pause in someone else's wallet — that pause is where the regulatory weight lives.

BTCPay is merchant-custodial. Your self-hosted wallet holds funds until you sweep. The regulatory weight is lighter than third-party custody, but you still control private keys, which means the operational risk is yours alone. Lose the seed phrase, lose the money.

WavePay is structurally different. Funds never touch a server or wallet operated by the protocol — the payer's wallet sends, 1inch Fusion+ swaps cross-chain, the recipient's wallet receives. It's the only architecture in the matrix where the protocol operator cannot freeze, seize, or lose user funds, because the protocol operator never has signing authority over them.

Cross-chain handling separates the five sharply. BTCPay punts to manual treasury ops. CoinGate, Cryptomus, and PassImPay handle it on internal books — you're trusting their solvency and their swap pricing. WavePay routes through 1inch Fusion+ atomic swaps — on-chain, auditable, no intermediary book.

If your only criterion is "true open-source self-hosting," BTCPay Server is the only fit and the conversation ends. If your criterion is "non-custodial with zero infrastructure," only one option in this list qualifies. The other three sit in the middle — managed convenience purchased with custody trade-offs.


Deployment Architecture: Where These Five Actually Run in Production

Deployment topology determines three operational realities: who patches the OS, where customer data physically lives, and how the system behaves under traffic spikes. Pick the wrong topology for your team's size and you'll be reading runbooks at midnight. The five gateways span four tiers — and one of them isn't really a tier so much as the absence of one.

Tier 1 — Single VPS or self-hosted VM.

  • Fits: BTCPay Server (canonical setup), Cryptomus self-hosted node.
  • Spec: 2 vCPU, 4 GB RAM, 80 GB SSD — about $10–25/month on Hetzner or DigitalOcean.
  • Reality: workable under roughly 500 transactions/day. Single point of failure. You handle backups and full-node sync. A BTCPay deployment running a Bitcoin full node needs about 600 GB pruned, or 700 GB+ archival.
  • Maintenance: about 3–5 hours/month for OS updates, node upgrades, log rotation.

Tier 2 — Docker / docker-compose.

  • Fits: BTCPay Server (officially supported per the BTCPay deployment docs), PassImPay containerized enterprise build.
  • Most common production pattern. Reproducible, easier disaster recovery via volume snapshots, friendlier hand-off when a teammate quits.
  • Caveat: still single-host unless paired with orchestration. A container is not a scalability strategy.

Tier 3 — Kubernetes or orchestrated.

  • Fits: BTCPay (community Helm charts exist), PassImPay (enterprise tier).
  • Justified above roughly 5,000 transactions/day or when multi-region is a requirement.
  • State management caveat that bites teams: Bitcoin and Lightning node state is stateful. You can't autoscale node pods horizontally. Treat the node as a StatefulSet with persistent volumes, and accept that the node is a pet, not cattle.
  • Estimated all-in: roughly $200–600/month for a small managed cluster (GKE, EKS, or DOKS).

Tier 4 — Decentralized / no server state.

  • Fits: WavePay.
  • There is no gateway server to host. The payment link is generated client-side, swap routes are computed by 1inch Fusion+, settlement is on-chain to the recipient's wallet.
  • Operator burden: monitoring payment-link UX, not payment infrastructure. You watch conversion rates, not container restarts.
  • Cost: zero infrastructure on the operator side. Transaction-time gas and 1inch Fusion+ resolver fees apply to the payer.

Your deployment choice is not just infrastructure. It decides whether you own liquidity provisioning, KYC workflow, and the physical geography of your customer's data.

The honest read across the four tiers: most teams overestimate their capacity to run Tier 3 and underestimate the ops drag of Tier 1. Tier 2 is where the majority of serious self-hosted crypto payment processing deployments actually live, because Docker gives you reproducibility without forcing you into Kubernetes complexity. Tier 4 exists for teams who decided the right amount of infrastructure to run is none.


Custody, Compliance, and What "Non-Custodial" Actually Buys You

[Figure: side-by-side diagram. "Custodial": Payer → Gateway Wallet → Merchant Wallet, labeled "T+1–T+3". "Non-Custodial" shown on the right.]

Developers routinely conflate "open-source" with "no compliance burden." They're independent variables. You can run a fully open-source gateway and still trigger MSB registration; you can use a proprietary protocol and sit clean of money transmission scope. The license dictates your software freedom. The custody posture dictates your regulatory exposure.

There are three custody postures in practice, and the distinction between them is where most teams get the law wrong.

Third-party custodial (CoinGate, Cryptomus, PassImPay). The processor's wallets receive funds, hold them, and settle to you later — often T+1 to T+3. The processor is performing a money transmission function in most jurisdictions. Even though you aren't the regulated entity, you inherit reputational and counterparty risk. If the processor freezes for a regulatory inquiry, your settlement queue freezes with it.

Merchant-custodial (BTCPay Server, self-hosted). Funds land in a wallet you control. You are the custodian of your own funds. In most jurisdictions, accepting payment for your own goods or services is not money transmission — but routing funds for third parties is. If you're a marketplace splitting payments across vendors, your merchant-custodial gateway just became a payment platform in the eyes of a regulator.

True non-custodial. Funds never enter an intermediary wallet at all. The payer's wallet signs a transaction; the recipient's wallet receives. A non-custodial protocol may facilitate the swap (in WavePay's case, via 1inch Fusion+), but the protocol cannot intercept, freeze, or misroute funds. No party other than payer and recipient ever has signing authority. That property is what compliance counsel actually cares about.

Now the compliance map across the jurisdictions most teams care about.

United States. According to the FinCEN 2019 guidance on convertible virtual currency, convertible virtual currency exchangers are treated as money services businesses. Custodial gateways operating in the US typically register as MSBs and pursue state-by-state money transmitter licensing — a real, multi-year, multi-million-dollar undertaking. Merchant-custodial businesses accepting payment for their own goods are generally not in MSB scope. The same FinCEN guidance carves out non-custodial software providers (the language addresses "anonymizing software" and similar non-custodial tools) from the MSB definition.

European Union. Under MiCA Regulation (EU) 2023/1114, in force from December 2024, Crypto-Asset Service Providers must obtain CASP authorization to operate. Custodial gateways serving EU users will need that authorization. Under MiCA Article 2(2), software providers that don't take custody are excluded from the CASP definition — a meaningful carve-out for non-custodial protocols.

Travel Rule. FATF Recommendation 16 applies to virtual asset service providers above a $/€1,000 transfer threshold in most adopting jurisdictions. Custodial gateways must implement Travel Rule data exchange. Non-custodial protocols sit outside the scope in most current implementations, though the jurisdictional picture is evolving — review your local NCA's stance.

Then there's the license-compliance interaction that most comparison articles skip:

  • MIT (BTCPay Server). Commercial-friendly. Fork, close-source the fork, resell, white-label — all permitted. The most flexible posture for a PSP building on top.
  • AGPL. If a gateway is AGPL-licensed and you expose it as a network service, you're obligated to publish your modifications. Treat AGPL as a commercial-risk flag for any proprietary fork strategy.
  • Proprietary on-premise (PassImPay, Cryptomus self-hosted variants). Read the EULA carefully. Some restrict resale, impose per-seat pricing tiers, or require approval for downstream redistribution — provisions that surprise payment service providers six months into a deployment.

The practical takeaway: choose your custody posture before you choose a gateway. The gateway is downstream of the legal model, not the other way around. If your counsel says "no custody," your shortlist contracts to one option in this comparison. If your counsel is comfortable with merchant custody, BTCPay opens up. If you're already running an MSB-style operation, all five are on the table — but the open-source-versus-managed decision then turns on operations and economics, not law.


Cost Reality Check: Infrastructure, Maintenance, and the Hidden Burn

The headline cost — a license fee, a percentage rate — is rarely the real cost of operating an open-source crypto payment gateway. The real cost is engineering time, liquidity friction, observability, and the long tail of monitoring. Below is the cost reality for each of the five, written from the operator's calendar, not the vendor's pricing page.

BTCPay Server.

  • Infrastructure: $10–50/month VPS, depending on whether you run a full Bitcoin node and Lightning.
  • Engineering: 8–20 hours initial setup; 3–5 hours/month ongoing for security patches, node upgrades, channel management if you accept Lightning.
  • License: MIT — zero dollars.
  • Hidden burn: full-node disk growth (about 5–7 GB/month archival on Bitcoin), Lightning channel rebalancing if you accept LN, and the occasional emergency when a Bitcoin Core point release requires immediate patching.

CoinGate.

  • Infrastructure: none — it's SaaS.
  • Engineering: 1–2 days for first integration.
  • Per-transaction fee: 1% on the standard tier.
  • Hidden burn: settlement timing risk (T+1 to T+3 can move quarter-end revenue recognition), volume tiers that change pricing as you scale, and FX spread on auto-conversion to fiat — the spread is rarely disclosed up front.

Cryptomus.

  • Self-hosted variant: roughly $30/month hosting. SaaS variant is fee-based per transaction.
  • Engineering: moderate. Proprietary core means limited debugging visibility when something fails — you log a ticket and wait.
  • Hidden burn: ticket-based support latency, undocumented rate limits that you discover at the worst possible moment, and limited transparency on the swap pricing applied to cross-chain settlement.

PassImPay.

  • Enterprise on-premise model. Pricing requires a sales conversation; typical enterprise gateways land in a roughly $500–5,000/month range plus per-transaction fees.
  • Engineering: integration team usually 2–4 weeks for first deployment.
  • Hidden burn: contract negotiation cycles, multi-year lock-in clauses, and the structural inability to pilot quickly because procurement gates everything.

WavePay.

  • Infrastructure: zero. There's no gateway to host.
  • Engineering: minutes to generate a first payment link; hours to integrate the link API for programmatic generation in a checkout flow.
  • Per-transaction cost: gas (paid by the payer) plus the 1inch Fusion+ resolver fee, with no added markup at the protocol layer.
  • Hidden burn: minimal on the operator side by design — you're not running infrastructure, so there's no infrastructure to burn time on.

Now the hidden-cost taxonomy that applies across all five — the line items that don't show up in any vendor's pricing page:

  • Developer-hours-as-currency. A senior backend engineer at $120K/year fully loaded costs about $80/hour. A self-hosted gateway consuming 5 hours/month is roughly $4,800/year before infrastructure costs. Compare that against managed gateway transaction fees at your expected volume — sometimes the managed gateway is the cheaper choice, and the operator-pride answer is the wrong one.
  • Liquidity sourcing. If your gateway doesn't swap natively, you'll either run a treasury process (selling crypto to fiat via Kraken or Coinbase Prime) or build a DEX integration. Either path costs 2–6 weeks of engineering plus ongoing ops. Treasury is not free.
  • Observability. None of these gateways ship with production-grade monitoring out of the box. Plan on $20–100/month for Grafana Cloud, Datadog, or equivalent, plus a PagerDuty seat for alerting. If you're running a payment system without alerts on stuck transactions, you're not running a payment system — you're running a hope.

Open-source infrastructure costs are never zero. They're just unbilled — until you measure them in your team's calendar.

The honest TCO model for crypto payment gateway cost is a 12-month spreadsheet with five columns: infrastructure, engineering hours times loaded cost, transaction fees, observability, and support. Build it before you commit. The answer is usually different from what the GitHub star count suggests.


Implementation Readiness Checklist: The Decision Gates Before You Commit

Treat the items below as decision gates, not a to-do list. Each gate forks your path. Answer the question honestly and your shortlist narrows on its own. Skip a gate and you'll re-platform inside a year.

Phase 1: Pre-deployment Gates

Answer all six before you write a single line of integration code.

  1. Regulatory posture. Does your jurisdiction regulate the act of accepting crypto for goods or services? Fork: If yes, engage counsel before vendor choice — the custody decision drives everything downstream. If no, proceed to gate 2.
  2. Custody policy. Will your business hold customer funds at any moment, even briefly? Fork: Yes → BTCPay Server (merchant-custodial) or one of CoinGate, Cryptomus, PassImPay (third-party custodial). No → WavePay is the only non-custodial crypto payment gateway that fits in this comparison set.
  3. Chain scope. Single-chain or multi-chain? Fork: Bitcoin or Lightning-centric → BTCPay is canonical. Multi-chain EVM with cross-chain swap requirements → WavePay or one of the managed gateways. Single EVM chain → most options work; decide on the next gate.
  4. Integration surface. Off-the-shelf plugin needed (WooCommerce, Shopify, Magento) or custom backend? Fork: Plugin → consult the feature matrix above. Custom → API maturity is the deciding criterion; BTCPay's Greenfield API and WavePay's payment-link API lead the field on developer experience.
  5. Volume profile. Expected monthly transaction count and average ticket size? Fork: Under $10K/month → fees barely matter; pick on UX and integration speed. $10K–$100K/month → fee delta is real; model both managed and self-hosted scenarios. Over $100K/month → self-hosted or non-custodial almost always wins on TCO.
  6. Team ops capacity. Do you have someone on-call for a stuck transaction at 2 a.m.? Fork: No → managed (CoinGate). Yes, with limits → BTCPay Server. Want to skip the question entirely → WavePay has no infrastructure to be on-call for.

Phase 2: Proof-of-Concept Gates

Do all six before production cutover. Skipping any of these is how teams ship payment bugs to real customers.

  1. Testnet deployment within 14 days. If your team can't get the gateway running on testnet in two weeks, that's a signal — either the documentation is insufficient or your team isn't sized for the choice you're about to make. Either way, the answer is to step back.
  2. Process 25 test transactions across every chain and token you plan to support. Confirm webhook delivery, settlement timing, and the refund path. Test refunds before you need to refund a real customer in production.
  3. Load-test peak volume times three. If your peak is 50 tx/hour, test 150. Single-VPS BTCPay deployments often hit a wall around 200 tx/hour without tuning. Find your ceiling in staging, not on Black Friday.
  4. License and IP review. Have counsel confirm the license terms align with your distribution model. AGPL surprises are real, and so are proprietary on-premise EULAs that restrict resale.
  5. Twelve-month TCO model. A spreadsheet — infrastructure plus engineering hours times loaded cost plus transaction fees plus observability plus support. Compare your top two candidates side by side. The winner is rarely the one with the best landing page.
  6. Decommission plan. Document how you'd migrate off this gateway in 90 days. If the honest answer is "we can't," that's the lock-in cost. Price it in before you sign anything.
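
Gate 2 of this phase asks you to confirm webhook delivery; the check to run alongside it is that your receiver acts only on authentic, first-time events. The sketch below is an added example, not code from this article or from any of the five gateways. It assumes BTCPay Server's `BTCPay-Sig: sha256=<hex>` HMAC-SHA256 header convention; the `type` and `invoiceId` payload fields, the secret, and the invoice ids are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the gateway sends "BTCPay-Sig: sha256=<hex>", an HMAC-SHA256 of
# the raw request body keyed with the webhook secret (BTCPay Server convention).
SIG_HEADER = "BTCPay-Sig"
SIG_PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender would attach; used here to build test deliveries."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Authenticates each delivery, then acts on an event at most once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # (invoice id, event type) pairs; a DB table in production
        self.settled = []   # invoice ids marked paid

    def handle(self, headers: dict, raw_body: bytes) -> str:
        # 1. Verify the exact bytes received, before any JSON parsing.
        supplied = headers.get(SIG_HEADER, "")
        if not supplied.startswith(SIG_PREFIX):
            return "rejected: missing signature"
        expected = sign(self._secret, raw_body)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return "rejected: bad signature"

        # 2. Parse only authenticated input; field names are assumptions.
        try:
            event = json.loads(raw_body)
            key = (str(event["invoiceId"]), str(event["type"]))
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed payload"

        # 3. Retries and replays of a valid delivery must not credit twice.
        if key in self._seen:
            return "ignored: duplicate event"
        self._seen.add(key)
        if key[1] == "InvoiceSettled":
            self.settled.append(key[0])
            return "accepted: settled"
        return "accepted: no action"


def run_poc_checks() -> list:
    """Replay constructed deliveries through the receiver, as a PoC test would."""
    secret = b"constructed-test-secret"
    body = json.dumps({"type": "InvoiceSettled", "invoiceId": "inv-001"}).encode()
    good = {SIG_HEADER: sign(secret, body)}
    rx = WebhookReceiver(secret)
    return [
        rx.handle(good, body),                                  # first delivery
        rx.handle(good, body),                                  # retry or replay
        rx.handle(good, body.replace(b"inv-001", b"inv-999")),  # body altered in transit
        rx.handle({}, body),                                    # unsigned request
        rx.handle({SIG_HEADER: sign(secret, b"[]")}, b"[]"),    # signed, but not an event
        len(rx.settled),
    ]


if __name__ == "__main__":
    for outcome in run_poc_checks():
        print(outcome)
```

Most web frameworks normalize header names, so look the signature header up case-insensitively in a real handler, and always verify against the raw bytes rather than a re-serialized JSON object.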

The gateway that survives all twelve gates is the right one for your business — not the one with the most GitHub stars, not the one with the loudest community, and not the one your CTO already has an opinion about. Run the gates, trust the answer.