Anonymous recurring payments for creators. Sender, receiver, and amount stay private.
The Problem.
Every online subscription leaks your identity. Payment processors, merchants, and on-chain observers see exactly who pays whom, how much, and how often. That payment trail gets tied to your reading, viewing, and community habits — forever. Creators carry the other half: they inherit subscriber PII and the compliance burden that comes with it, and they can't serve audiences who need to stay anonymous.
On-chain subscriptions today don't solve this — they just move the leak from Stripe's database to a public ledger.
SubLink.
A privacy-preserving subscription protocol. Recurring on-chain payments where sender, receiver, and amount are all private. Creators verify subscriber access without ever learning their identity, wallet, or payment history.
Built on Unlink Protocol (private transfers on Base). SubLink turns one-shot private transfers into a full subscription primitive: plans, recurring charges, bearer auth, access verification — end-to-end private.
How It Works.
Creator: connect wallet, create a plan, drop one API call into your site. Return 200 → grant access. Return 402 → show paywall.
Subscriber: connect wallet, sign two messages, fund the dedicated account. Done. The backend handles recurring charges via Unlink's private rails.
What the creator learns: "auth key 0xabc… has an active subscription." Nothing else. Not the wallet. Not the amount. Not the history.
Design Choices.
Honest Tradeoffs.
This is a hackathon build, not a production protocol. SubLink runs a backend that holds subscribers' dedicated payment keys so it can charge on schedule — users trust it to only charge according to plan terms. Future paths that could remove this trust: TEE execution so keys are never exposed to the operator, and smart wallet session keys so the backend only ever holds a scoped delegation instead of raw account keys. For now: it works, it's private end-to-end, and the tradeoff is explicit rather than hidden.
Who Needs This.
Newsletter creators who don't want to hand Substack a reader list. Paywalled journalism in hostile jurisdictions. Adult platforms where subscriber privacy is a safety issue. Any gated community where membership itself is sensitive.
Stack: Bun monorepo (workspaces for frontend, backend, ops, mock sites). Frontend: Vue 3 + Vite, Reown AppKit + wagmi/vue for wallet connection, viem for signing. Backend: Bun + Hono, SQLite via Bun's native driver, in-process cron loop for recurring charges.
Partner tech: Unlink Protocol (@unlink-xyz/sdk) powers every private transfer on Base Sepolia. Backend uses the SDK to create Unlink accounts, fund them, and fire recurring charges. It's the core primitive — without it, the privacy guarantee doesn't exist.
Crypto plumbing: viem handles everything — message signing, Keccak256, secp256k1 derivation, ECDSA pubkey recovery. No JWT lib: bearer tokens are subscriptionId.expiry.signature and the server recovers the signer directly, so zero token storage server-side.
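The stateless token check described above, as an added example that is not SubLink's own code. Assumptions: the subscriber's auth key signs the string `subscriptionId.expiry`, the signature is hex-encoded, and expiry is Unix seconds. Node's built-in ECDSA verify (secp256k1 with SHA-256) against a stored auth public key stands in for viem's Keccak-256 signing and signer recovery so the block runs offline; all names and sample values are hypothetical.

```javascript
// Added example: stateless check of a `subscriptionId.expiry.signature` token.
// Swapped-in technique: node:crypto verify instead of viem signer recovery.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // fallback when loaded as ESM

// Constructed sample data: the subscriber's auth key pair and the one record
// the server keeps per subscription (public key + status, never a token).
const authKey = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const subscriptions = new Map([
  ['sub_demo_1', { authPublicKey: authKey.publicKey, active: true }],
]);

// Client side: sign "subscriptionId.expiry" with the auth private key.
function issueToken(subscriptionId, expiry, privateKey) {
  const payload = Buffer.from(`${subscriptionId}.${expiry}`);
  const sig = nodeCrypto.sign('sha256', payload,
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // 64-byte r||s
  return `${subscriptionId}.${expiry}.${sig.toString('hex')}`;
}

// Server side: returns the HTTP status the access endpoint would send.
// Every failure maps to 402 so the caller cannot tell which check failed.
function checkAccess(token, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 402;                        // malformed
  const [subscriptionId, expiry, sigHex] = parts;
  if (!/^\d{1,15}$/.test(expiry)) return 402;                // not an integer
  if (!/^[0-9a-f]{128}$/.test(sigHex)) return 402;           // wrong sig size
  if (Number(expiry) <= nowSeconds) return 402;              // expired
  const record = subscriptions.get(subscriptionId);
  if (!record || !record.active) return 402;                 // unknown/lapsed
  // The signature covers id and expiry together, so editing either field
  // in the token invalidates it.
  const payload = Buffer.from(`${subscriptionId}.${expiry}`);
  try {
    const ok = nodeCrypto.verify('sha256', payload,
      { key: record.authPublicKey, dsaEncoding: 'ieee-p1363' },
      Buffer.from(sigHex, 'hex'));
    return ok ? 200 : 402;
  } catch {
    return 402;                                              // undecodable sig
  }
}
```

Because the expiry is inside the signed payload, the only revocation lever before expiry is the subscription record itself (`active` here), so short expiries limit how long a leaked bearer token stays useful.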

