Docs / Migration guide / BTCPay Server

This migration guide helps you move off the operational burden of running BTCPay Server while keeping HMAC-SHA256 webhook signing, refunds, and on-demand payouts intact.

Use this page to retire the merchant-operated payment stack: replace the invoice contract with Payvra payments, swap the webhook signature scheme, hand reconciliation to the dashboard, and only then shut down the self-hosted instance.

Create free sandbox Review webhook docs

The safe rollout: keep the BTCPay instance live for in-flight invoices, point new payment creation at Payvra in sandbox, prove the signed webhook path, then promote to live and decommission the self-hosted stack on a calm day.

What to prove before cutover

No more on-call rotation for payments

BTCPay puts node sync, Lightning channel rebalancing, and security patches on the merchant. Payvra takes that off the team's plate without giving up HMAC signing or refunds.

Multi-chain stablecoin coverage

BTCPay is Bitcoin- and Lightning-first. Payvra adds first-party support for Ethereum, Solana, Base, Tron, and major stablecoins with auto-conversion built in.

Cutover reversibility

Leave the existing BTCPay instance accepting outstanding invoices and route only new traffic through Payvra until the new path is boring.

Cutover facts

Auth change

Replace the BTCPay token ... authorization with a Payvra secret key (sk_test_ in sandbox, live secret-key prefix in production).

Signing change

BTCPay signs with HMAC-SHA256 using a BTCPay-Sig header in sha256=hex form. Payvra uses HMAC-SHA256 over a timestamp-bound payload encoded in base64.

Settlement change

Payouts no longer depend on Lightning channel state or on-chain mempool conditions. On-demand withdrawals execute against Payvra's hot-wallet pool.

Decommission rule

Only shut down the BTCPay instance once all in-flight invoices have settled or expired and the Payvra live path has run for a full reconciliation cycle.

Overview

Treat this page as a migration brief for operators and developers. Confirm the commercial gap, map the API contract, prove the webhook path, and only then switch live volume.

BTCPay Server and Payvra both accept crypto payments, but the operating model is fundamentally different. BTCPay is a self-hosted stack the merchant runs, monitors, and patches. Payvra is a managed multi-chain platform with the same security properties without the operational burden.

Treat this migration as an infrastructure decommission, not just an endpoint rename. You are replacing the invoice lifecycle, the webhook signature format, the payout mechanics, and the on-call rotation that supports them.

Why switch now

This should read like a production decision, not a feature wish list. Each row below explains the practical reason to move traffic away from the old provider.

Eliminate the on-call rotation

Stop carrying the pager for node sync, Lightning channel rebalancing, security patches, and BTCPay version upgrades.

First-party stablecoin auto-conversion

Receive any supported coin and auto-convert to USDC or your preferred stablecoin at the executed rate. BTCPay leaves merchants holding mixed-coin inventory.

Multi-chain coverage

Ethereum, Solana, Base, Tron, and major stablecoins are first-class. BTCPay is Bitcoin and Lightning with limited first-party multi-chain support.

Compliance and reconciliation lift

Hand the auditor a managed-vendor SOC report instead of a merchant-operated infrastructure inventory. Reconciliation moves to a hosted dashboard with first-party ledger entries.

API mapping

Every BTCPay endpoint you depend on has a Payvra equivalent. The main rewrite is replacing the store-scoped path structure with the account-scoped Payvra resources and the on-prem signing with managed HMAC.

BTCPay Server	Payvra	Notes
`POST` `/api/v1/stores/{storeId}/invoices`	`POST` `/v1/payments`	BTCPay invoices become Payvra payments. `amount` and `currency` map directly; `metadata` carries through for reconciliation.
`GET` `/api/v1/stores/{storeId}/invoices/{invoiceId}`	`GET` `/v1/payments/{id}`	Same read path with richer settlement and conversion detail.
`GET` `/api/v1/stores/{storeId}/invoices`	`GET` `/v1/payments`	Payvra adds cursor pagination, status, and chain filters.
`POST` `/api/v1/stores/{storeId}/invoices/{invoiceId}/refund`	`POST` `/v1/refunds`	Refunds become a top-level resource on Payvra rather than a sub-resource on the invoice.
`POST` `/api/v1/stores/{storeId}/payment-requests`	`POST` `/v1/payment-links`	BTCPay payment requests map to reusable Payvra payment links with the same shareable behavior.
`POST` `/api/v1/stores/{storeId}/payouts`	`POST` `/v1/withdrawals`	Self-hosted payouts depend on Lightning channel state; Payvra withdrawals execute on-demand.

Code examples

Show the old and new contract side by side so the implementation team can replace the integration without hunting through multiple docs surfaces.

Create a payment

Replace the invoice-creation call first. This is the fastest way to prove auth, request validation, hosted checkout, and the first state transition without touching the rest of the system.

BTCPay Server

1// BTCPay Server
2const response = await fetch(
3  "https://btcpay.example.com/api/v1/stores/STORE_ID/invoices",
4  {
5    method: "POST",
6    headers: {
7      Authorization: `token ${BTCPAY_API_KEY}`,
8      "Content-Type": "application/json",
9    },
10    body: JSON.stringify({
11      amount: "49.99",
12      currency: "USD",
13      metadata: { orderId: "order_123" },
14      checkout: {
15        redirectURL: "https://yoursite.com/success",
16      },
17    }),
18  },
19);
20
21const invoice = await response.json();
22// Redirect to: invoice.checkoutLink

Payvra

1// Payvra
2import Payvra from "payvra";
3
4const payvraSecretKey = process.env.PAYVRA_SECRET_KEY;
5if (!payvraSecretKey) {
6  throw new Error("Set PAYVRA_SECRET_KEY before running this example.");
7}
8
9const payvra = new Payvra(payvraSecretKey);
10
11const payment = await payvra.payments.create({
12  amount: "49.99",
13  currency: "USDC",
14  metadata: { orderId: "order_123" },
15});
16
17// Redirect to: payment.checkoutUrl

Verify webhooks

Both providers use HMAC-SHA256, but the encoding and headers differ. BTCPay signs the raw body and emits sha256=hex. Payvra signs a timestamp-bound payload and emits a base64 signature with replay-protection headers.

BTCPay Server webhook

1// BTCPay Server webhook handler
2app.post("/webhooks/btcpay", (req, res) => {
3  const signature = req.headers["btcpay-sig"];
4  const expected =
5    "sha256=" +
6    crypto
7      .createHmac("sha256", WEBHOOK_SECRET)
8      .update(req.rawBody)
9      .digest("hex");
10
11  if (signature !== expected) {
12    return res.status(401).send("Invalid");
13  }
14
15  const { type, invoiceId, metadata } = req.body;
16  if (type === "InvoiceSettled") {
17    // Mark order paid, metadata.orderId
18  }
19
20  res.sendStatus(200);
21});

Payvra webhook

1// Payvra webhook handler
2app.post("/webhooks", (req, res) => {
3  const signature = req.headers["webhook-signature"];
4  const timestamp = req.headers["webhook-timestamp"];
5  const webhookId = req.headers["webhook-id"];
6
7  const signedContent = `${webhookId}.${timestamp}.${req.rawBody}`;
8  const expected = crypto
9    .createHmac("sha256", WEBHOOK_SECRET)
10    .update(signedContent)
11    .digest("base64");
12
13  if (signature !== `v1,${expected}`) {
14    return res.status(401).send("Invalid");
15  }
16
17  const { type, data } = req.body;
18  if (type === "payment.completed") {
19    // Mark order paid, data.metadata.orderId
20  }
21
22  res.sendStatus(200);
23});

Webhook mapping

BTCPay sends invoice events with PascalCase types. Payvra uses typed payment. events so your handler can branch on the event name directly rather than parsing invoice state.

BTCPay event	Payvra	Notes
`Webhook` `InvoiceCreated`	`Webhook` `payment.created`	Invoice created and awaiting deposit.
`Webhook` `InvoiceReceivedPayment`	`Webhook` `payment.confirming`	Deposit detected, waiting for confirmations.
`Webhook` `InvoiceProcessing`	`Webhook` `payment.confirming`	Same intermediate confirming state.
`Webhook` `InvoiceSettled`	`Webhook` `payment.completed`	Final settled state, order should advance to paid here.
`Webhook` `InvoiceExpired`	`Webhook` `payment.failed`	Expiry maps to a terminal failed state on Payvra.
`Webhook` `InvoiceInvalid`	`Webhook` `payment.failed`	Invalid invoices map to the same failed state.

Migration steps

Run this as a controlled cutover, not a blind rewrite. Keep the old provider draining existing payments while the new Payvra path proves itself in sandbox first.

Create sandbox credentials and keep BTCPay live

Start with sk_test_... and leave the existing BTCPay instance accepting in-flight invoices. The first milestone is proving the new Payvra path, not forcing an all-at-once cutover.

Install the Payvra SDK and replace invoice creation

Point one environment at Payvra payment creation while preserving your existing order metadata. The BTCPay metadata.orderId field maps cleanly to Payvra metadata.orderId.

Terminal

1npm install payvra

Replace the webhook handler before trusting paid-state updates

Do not treat the cutover as done until the signed webhook path is live in sandbox. The order should only move to paid after the Payvra signature is accepted, the timestamp is within tolerance, and the event type is handled.

Run one full sandbox order to completion

Confirm payment creation, hosted checkout, confirmation, and the final order update in one pass. Watch the webhook log and your application log together while the payment settles.

Promote to live and schedule the BTCPay decommission

Once the sandbox flow is stable, generate a live key and start routing live traffic through Payvra. Only shut down the BTCPay instance after all outstanding invoices have settled or expired and a full reconciliation cycle has completed.

Operator FAQ

Use these answers when the rollout owner wants to know what happens to existing traffic, settlement assumptions, and store-side behavior during the cutover.

Do I have to shut down BTCPay immediately?

No. Keep the existing instance live for outstanding invoices and route only new payments through Payvra. Decommission once all in-flight invoices have settled.

What about Lightning Network payments?

Lightning is on the Payvra roadmap. Today, the highest-volume Bitcoin and stablecoin flows are covered, and Lightning can run in parallel on the residual BTCPay instance during transition.

How does signing differ?

Both use HMAC-SHA256, but BTCPay encodes signatures as `sha256=hex` over the raw body. Payvra encodes signatures as base64 over a timestamp-bound payload with explicit webhook-id and webhook-timestamp headers for replay protection.

What about self-custody?

BTCPay is fully self-custodial. Payvra is custodial during the conversion and settlement window, then withdraws to any wallet address you control. Merchants who require strict self-custody throughout should evaluate that tradeoff before migrating.

Ready to retire your BTCPay instance?

Start in sandbox, prove the signed webhook path, and only then shift live traffic. The migration stays reversible if you treat it as a controlled cutover instead of a same-day rewrite.

Get sandbox keys Open API reference

This migration guide helps you move off the operational burden of running BTCPay Server while keeping HMAC-SHA256 webhook signing, refunds, and on-demand payouts intact.

BTCPay Server

Payvra

Notes

POST /api/v1/stores/{storeId}/invoices

POST /v1/payments

BTCPay invoices become Payvra payments. `amount` and `currency` map directly; `metadata` carries through for reconciliation.

GET /api/v1/stores/{storeId}/invoices/{invoiceId}

GET /v1/payments/{id}

Same read path with richer settlement and conversion detail.

GET /api/v1/stores/{storeId}/invoices

GET /v1/payments

Payvra adds cursor pagination, status, and chain filters.

POST /api/v1/stores/{storeId}/invoices/{invoiceId}/refund

POST /v1/refunds

Refunds become a top-level resource on Payvra rather than a sub-resource on the invoice.

POST /api/v1/stores/{storeId}/payment-requests

POST /v1/payment-links

BTCPay payment requests map to reusable Payvra payment links with the same shareable behavior.

POST /api/v1/stores/{storeId}/payouts

POST /v1/withdrawals

Self-hosted payouts depend on Lightning channel state; Payvra withdrawals execute on-demand.

1// BTCPay Server 2const response = await fetch( 3 "https://btcpay.example.com/api/v1/stores/STORE_ID/invoices", 4 { 5 method: "POST", 6 headers: { 7 Authorization: `token ${BTCPAY_API_KEY}`, 8 "Content-Type": "application/json", 9 }, 10 body: JSON.stringify({ 11 amount: "49.99", 12 currency: "USD", 13 metadata: { orderId: "order_123" }, 14 checkout: { 15 redirectURL: "https://yoursite.com/success", 16 }, 17 }), 18 }, 19); 20 21const invoice = await response.json(); 22// Redirect to: invoice.checkoutLink

1// Payvra 2import Payvra from "payvra"; 3 4const payvraSecretKey = process.env.PAYVRA_SECRET_KEY; 5if (!payvraSecretKey) { 6 throw new Error("Set PAYVRA_SECRET_KEY before running this example."); 7} 8 9const payvra = new Payvra(payvraSecretKey); 10 11const payment = await payvra.payments.create({ 12 amount: "49.99", 13 currency: "USDC", 14 metadata: { orderId: "order_123" }, 15}); 16 17// Redirect to: payment.checkoutUrl

1// BTCPay Server webhook handler 2app.post("/webhooks/btcpay", (req, res) => { 3 const signature = req.headers["btcpay-sig"]; 4 const expected = 5 "sha256=" + 6 crypto 7 .createHmac("sha256", WEBHOOK_SECRET) 8 .update(req.rawBody) 9 .digest("hex"); 10 11 if (signature !== expected) { 12 return res.status(401).send("Invalid"); 13 } 14 15 const { type, invoiceId, metadata } = req.body; 16 if (type === "InvoiceSettled") { 17 // Mark order paid, metadata.orderId 18 } 19 20 res.sendStatus(200); 21});

1// Payvra webhook handler 2app.post("/webhooks", (req, res) => { 3 const signature = req.headers["webhook-signature"]; 4 const timestamp = req.headers["webhook-timestamp"]; 5 const webhookId = req.headers["webhook-id"]; 6 7 const signedContent = `${webhookId}.${timestamp}.${req.rawBody}`; 8 const expected = crypto 9 .createHmac("sha256", WEBHOOK_SECRET) 10 .update(signedContent) 11 .digest("base64"); 12 13 if (signature !== `v1,${expected}`) { 14 return res.status(401).send("Invalid"); 15 } 16 17 const { type, data } = req.body; 18 if (type === "payment.completed") { 19 // Mark order paid, data.metadata.orderId 20 } 21 22 res.sendStatus(200); 23});

BTCPay event

Payvra

Notes

Webhook InvoiceCreated

Webhook payment.created

Invoice created and awaiting deposit.

Webhook InvoiceReceivedPayment

Webhook payment.confirming

Deposit detected, waiting for confirmations.

Webhook InvoiceProcessing

Webhook payment.confirming

Same intermediate confirming state.

Webhook InvoiceSettled

Webhook payment.completed

Final settled state, order should advance to paid here.

Webhook InvoiceExpired

Webhook payment.failed

Expiry maps to a terminal failed state on Payvra.

Webhook InvoiceInvalid

Webhook payment.failed

Invalid invoices map to the same failed state.