# Toreador

> Toreador is a free, non-custodial crypto QR code generator and lightweight payment API.
> It generates QR codes for native blockchain payments (BTC, ETH, SOL, POL) and creates
> hosted payment sessions for ERC-20 stablecoins (USDC, USDT, EURC) on Ethereum, Polygon
> and Base. Toreador never holds, custodies or routes funds — every payment goes directly
> from the payer's wallet to the merchant's wallet on-chain.

## Product

- [Web app](https://toreador.io/) — landing page and product overview
- [QR code generator](https://toreador.io/generate-crypto-qr-code) — main user-facing tool
- [Pricing](https://toreador.io/go-pro) — Free, Plus ($4.99/mo), Pro ($20/mo)
- [Documentation](https://toreador.io/docs) — REST API and TypeScript SDK reference
- [Full LLM dump](https://toreador.io/llms-full.txt) — entire reference inlined for crawlers
- [OpenAPI spec](https://toreador.io/openapi.json) — machine-readable API contract

## Public API

Base URL: `https://toreador.io/api/v1/public`

**Free tier (no API key needed):**

- POST /generate-qr — generate a QR code for a native token (BTC, ETH, SOL, POL) or Solana SPL (USDC on Solana). Rate-limited per IP: 50/hour, 200/day. Response includes a `_meta` block with tier and rate limit info.

**Pro tier (header `X-API-Key: tdr_...`):**

- POST /generate-qr — same endpoint, 100/hour per key, no daily cap.
- POST /create-session — create a payment session for ERC-20 stablecoins (USDC, USDT, EURC) on Ethereum/Polygon/Base.
- GET /payment/:id/status — poll the status of a payment session.
- GET /history — last 50 generated QR codes for the authenticated user.
- GET /sessions — last 50 payment sessions for the authenticated user.

## Webhooks

Pro users can register HTTPS endpoints at /dashboard#webhooks to receive HMAC-signed events:

- session.created, session.submitted, session.confirming
- session.completed, session.expired, session.failed

Signature header: `Toreador-Signature: t=,v1=`

## SDK

The official TypeScript SDK is published as `@toreador/sdk` on npm. It works on Node.js 18+, Deno, and edge runtimes (Cloudflare Workers, Vercel). The SDK exposes a webhook signature verifier (`webhooks.constructEvent`).

## Trust

- 100% non-custodial — Toreador's backend never holds private keys, never receives funds.
- Open architecture — payments use standard URI schemes (BIP21, EIP-681, Solana Pay).
- No third-party data brokers in the payment flow.

## Optional

- [Legal](https://toreador.io/legal)
- [Privacy](https://toreador.io/privacy)
- [Sitemap](https://toreador.io/sitemap.xml)