AWS Web3 Blog

Processing digital asset payments on AWS

Digital asset payments enable fast and cost-effective peer-to-peer transactions. Blockchain-based payment systems address key challenges businesses face with traditional payment methods, including high processing fees, settlement delays that impact cash flow, and complex cross-border transactions that affect their operations.

In this post, we explain how blockchain-based digital asset payment systems can reduce costs and delays. We demonstrate how to build a serverless payment system on AWS, using stablecoins such as USDC, PYUSD, or USDG as an example. This solution creates a low-cost, scalable, and decentralized alternative to legacy payment methods. The implementation is available in our GitHub repository.

This post presents a technical overview of a digital assets payment solution and does not constitute legal advice or regulatory guidance. Legal compliance, validation, and verification requirements may vary by jurisdiction and are the sole responsibility of the reader. Please conduct your own due diligence before implementing or using any payment solution described in this post.

Benefits of blockchain-based payments

Digital asset payments offer compelling benefits to businesses that incorporate them:

Cost Management

  • Reduced payment processing overhead

Settlement Efficiency

  • Access funds after blockchain confirmation, with exact timing varying by network (from seconds to minutes)

Global Reach

  • Execute cross-border transactions without multiple intermediaries and eliminate currency conversion fees

Transaction Visibility

  • Complete transaction transparency with on-chain verification for streamlined auditing

Different stakeholders can benefit from digital asset payments:

  • Merchants – Streamline e-commerce with fast, low-fee settlements.
  • Financial institutions – Facilitate cross-border payments and treasury management with reduced settlement times.
  • Shared advantages – Minimize currency conversion and payment processing fees.

Ultimately, digital asset payments help merchants and financial institutions innovate, minimize costs, and unlock new opportunities.

Solution overview

This solution enables businesses to accept payments from consumers in digital assets across Ethereum Virtual Machine (EVM) compatible networks, including Ethereum, with full automation and secure fund handling. It’s compatible with testnet and mainnet environments. In the repository, we walk through the steps to deploy and use the digital assets payment solution.

The following depicts the primary features of the solution:

Let’s explore the three core components of our digital asset payment solution in more detail.

Invoice generator

This component allows you to generate invoices and accept payments directly from customers.

The invoice generator offers the following features:

  • Deterministic invoice generation – The invoice generator facilitates one-to-one mapping between invoices and blockchain addresses. This ensures each payment is correctly matched to a corresponding invoice. The system uses an atomic counter stored in Amazon DynamoDB to maintain wallet indexes, maintaining thread-safe address generation even under high concurrency scenarios.
  • Efficient key management – BIP32/BIP44 hierarchical deterministic key derivation generates any number of key paths from a single primary seed stored in AWS Secrets Manager, enabling structured management of multiple accounts and addresses.
  • UI-ready output – The invoice generator returns both the invoice’s deposit address and a Base64-encoded QR code in Data URL format, which can be directly embedded in an HTML <img> tag.
  • Enhanced security and privacy – Each customer receives a unique, single-use payment address, which helps prevent address reuse and helps preserve user privacy on the public blockchain.
  • Simplified accounting – Streamlined tracking facilitates accounting and auditing.
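As an added example (not code from the repository) of the first two bullets, the function below derives the per-invoice private key from the seed and the DynamoDB counter value with BIP32 child derivation on the BIP44 Ethereum path m/44'/60'/0'/0/index. The seed bytes are the BIP32 test-vector seed constructed inline in place of the Secrets Manager value, the path and function names are assumptions, and the pure-Python curve arithmetic is for illustration only.

```python
import hmac
# secp256k1 domain parameters (the curve used by Ethereum and BIP32)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32 hardened-index offset (the ' in 44'/60'/0')
DEMO_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP32 test-vector-1 seed, constructed here; the solution loads its seed from Secrets Manager

def ec_add(p1, p2):  # affine point addition on secp256k1; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):  # double-and-add; not constant-time, demo only
    result = None
    while k:
        if k & 1: result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def compressed_pubkey(k):  # 33-byte SEC1 encoding used for BIP32 normal (non-hardened) steps
    x, y = ec_mul(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def master_key(seed):  # BIP32 master private key and chain code from the seed bytes
    digest = hmac.new(b"Bitcoin seed", seed, "sha512").digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def ckd_priv(k, chain, index):
    """One BIP32 child step: hardened mixes in the private key, normal the public key."""
    if index >= HARDENED: data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else: data = compressed_pubkey(k) + index.to_bytes(4, "big")
    digest = hmac.new(chain, data, "sha512").digest()
    left = int.from_bytes(digest[:32], "big")
    if left >= N or (left + k) % N == 0:  # BIP32 says such an index must be skipped
        raise ValueError("invalid child key for this index; use the next counter value")
    return (left + k) % N, digest[32:]

def derive_invoice_key(seed, invoice_index):
    """Private key for invoice `invoice_index` at the BIP44 path m/44'/60'/0'/0/index."""
    k, chain = master_key(seed)
    for level in (44 | HARDENED, 60 | HARDENED, HARDENED, 0, invoice_index):
        k, chain = ckd_priv(k, chain, level)
    return k
```

The deposit address is keccak256 of the uncompressed public key, which needs a Keccak implementation the standard library lacks, so the example stops at the private key; the same counter value always yields the same key, which is what makes each invoice recoverable from the seed alone.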

For recurring payment scenarios, the solution can be extended to derive payment addresses from stable customer identifiers. This creates consistent wallet addresses for each customer, streamlining recurring payments and simplifying customer allowlisting processes.

Automated payment detection

“The Watcher” enables payment monitoring with automated updates and event-driven notifications.

The automated payment detection component offers the following features:

  • Optimized database queries – Uses a DynamoDB global secondary index (status-index) to query only pending invoices. This maintains query performance regardless of total invoice volume growth, and significantly reduces DynamoDB read consumption.
  • Real-time balance verification – Verifies ETH and ERC-20 token balances against invoice amounts.
  • Automatic status updates – Automatically marks invoices as paid upon sufficient payment detection. (By default, the solution does not factor in finality or re-orgs. A finalized block tag can be passed to eth_getBalance in the Watcher if stronger guarantees are needed.)
  • Instant notifications – Triggers merchant notifications through Amazon SNS upon payment confirmation.
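As an added example (not the repository's code) for the balance-verification and status-update bullets, the following builds the JSON-RPC requests the Watcher would send for ETH and ERC-20 invoices with the finalized block tag, and compares a returned balance with the invoiced amount. The addresses are constructed, the balanceOf selector is hard-coded, and the 6-decimal USDC precision and function names are assumptions rather than values taken from the post.

```python
# Constructed example values; the real Watcher reads these from the invoice record.
USDC_DECIMALS = 6                      # USDC is a 6-decimal ERC-20 token
BALANCE_OF_SELECTOR = "70a08231"       # first 4 bytes of keccak256("balanceOf(address)")

def _abi_encode_address(addr):
    """ABI-encode a static address argument: hex, left-padded to 32 bytes."""
    hex_part = addr[2:] if addr.startswith("0x") else addr
    if len(hex_part) != 40:
        raise ValueError("address must be 20 bytes")
    return hex_part.lower().rjust(64, "0")

def balance_request(invoice_addr, token_addr=None, block="finalized", rpc_id=1):
    """JSON-RPC request body the Watcher would POST to the RPC endpoint.
    token_addr=None queries native ETH with eth_getBalance; otherwise the
    ERC-20 balance via eth_call to balanceOf(invoice_addr). Using the
    'finalized' tag (instead of 'latest') ignores funds a re-org could undo."""
    if token_addr is None:
        return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_getBalance",
                "params": [invoice_addr, block]}
    data = "0x" + BALANCE_OF_SELECTOR + _abi_encode_address(invoice_addr)
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": token_addr, "data": data}, block]}

def parse_balance(response):
    """Decode the hex quantity in a JSON-RPC response into base units (wei or token units)."""
    if "error" in response:
        raise RuntimeError(f"RPC error: {response['error']}")
    result = response.get("result")
    if not result or result == "0x":   # eth_call against a non-contract returns empty data
        return 0
    return int(result, 16)

def to_base_units(amount, decimals):
    """Convert a decimal string such as '12.50' to integer base units without floats."""
    whole, _, frac = amount.partition(".")
    frac = (frac + "0" * decimals)[:decimals]   # pad or truncate to the token's precision
    return int(whole or "0") * 10**decimals + int(frac or "0")

def is_paid(balance_base_units, invoice_amount, decimals):
    """The Watcher's rule: mark paid once the address holds at least the invoiced amount."""
    return balance_base_units >= to_base_units(invoice_amount, decimals)
```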

Fund reconciliation

After payment for an invoice has been received, funds are automatically swept into a designated treasury wallet (preferably a highly secure, cold wallet) for secure management.

This makes sure payments are secured offline within minutes, supporting an auditable mechanism for fund consolidation into a wallet of the merchant’s choosing.

The fund reconciliation process offers the following features:

  • Triggered by DynamoDB Streams – It detects confirmed payments through filtered stream triggers (status is paid). Built-in mechanisms handle network congestion and temporary blockchain issues.
  • Gas optimization – It dynamically calculates network gas prices for cost-effective transactions.
  • Gas top-up mechanism – A dedicated hot wallet “gas tank” keeps a reserve of the network’s native token (for example, ETH). It is used solely to top up ERC-20 invoices so they can be swept into the cold storage treasury while incurring a minimal gas fee.
  • Secure transfers – Private keys are derived deterministically in-memory and not stored. They are used to execute transfers from individual invoices. This is done within Lambda, where AWS holds no operator access.
  • Status updates – It updates invoice status to swept upon successful completion.
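The filtered stream trigger in the first bullet can be written as a Lambda event-source-mapping filter pattern; the following added example (not the repository's configuration) shows a pattern that fires only on the transition into paid, with a small matcher run over constructed DynamoDB Streams records, so that a later edit to an already-paid invoice does not start a second sweep. The status attribute name comes from the post; the invoiceId key and the function names are assumptions.

```python
# Lambda event-source-mapping filter pattern for the Sweeper trigger (constructed here,
# not the repository's configuration). Firing only when status *becomes* "paid" avoids a
# second sweep when an already-paid invoice is later modified for any other reason.
SWEEPER_FILTER = {
    "eventName": ["MODIFY"],
    "dynamodb": {
        "OldImage": {"status": {"S": [{"anything-but": ["paid"]}]}},
        "NewImage": {"status": {"S": ["paid"]}},
    },
}

def _value_matches(rules, value):
    """A leaf rule list matches if any literal equals the value or any
    {'anything-but': [...]} rule excludes it (the two forms used above)."""
    for rule in rules:
        if isinstance(rule, dict):
            if value not in rule.get("anything-but", []):
                return True
        elif rule == value:
            return True
    return False

def pattern_matches(pattern, record):
    """Recursive subset of the Lambda filter semantics: every key in the pattern
    must exist in the record and match; extra record fields are ignored."""
    for key, rule in pattern.items():
        if key not in record:
            return False
        if isinstance(rule, dict):
            if not isinstance(record[key], dict) or not pattern_matches(rule, record[key]):
                return False
        elif not _value_matches(rule, record[key]):
            return False
    return True

def sweeper_should_run(stream_record):
    return pattern_matches(SWEEPER_FILTER, stream_record)

def make_record(event_name, old_status, new_status, invoice_id="inv-0001"):
    """Constructed DynamoDB Streams record with just the fields the filter reads;
    INSERT events carry no OldImage, matching the real stream shape."""
    image = lambda status: {"invoiceId": {"S": invoice_id}, "status": {"S": status}}
    record = {"eventName": event_name, "dynamodb": {"NewImage": image(new_status)}}
    if old_status is not None:
        record["dynamodb"]["OldImage"] = image(old_status)
    return record
```

The OldImage rule only works when the table stream is configured with the NEW_AND_OLD_IMAGES view type; with NEW_IMAGE alone the Sweeper would never be invoked.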

The following diagram illustrates the solution architecture. This architecture is intended as a proof of concept for serverless digital asset payment processing and is not considered production ready. Additional enhancements are required to meet production standards for security, reliability, compliance, and auditability.

The system consists of three main components: invoice generation (steps 1–5, blue arrows), payment tracking (steps 6–7, green arrows), and automated fund sweeping (steps 8–10, orange arrows). Step 11 (black arrow) represents invoice management.

The step numbers in the following flow, which depicts a stablecoin payment on the Ethereum network, correspond to the numbers in the architecture diagram above:

  1. The merchant creates a stablecoin invoice through a request to the /create-invoice REST API provided by Amazon API Gateway. This is secured using an API key.
  2. The Invoice Generator, an AWS Lambda function, gets triggered and fetches a mnemonic seed phrase from AWS Secrets Manager. The seed phrase is required to create (and recover) an invoice’s corresponding key pair.
  3. The Invoice Generator increments an atomic counter in Amazon DynamoDB. The value of the atomic counter represents an index. This is used with the seed phrase to deterministically derive a hierarchical deterministic (HD) wallet address for the specific payment.
  4. The Invoice Generator Lambda function creates a new invoice and stores it with status: pending in DynamoDB, where data is automatically encrypted at rest using AWS Key Management Service (AWS KMS).
  5. The QR code generated in the previous step, which has the target deposit address, currency, and amount encoded, is returned to the merchant. The merchant shares the QR code with their customer. The customer makes the stablecoin payment by sending the appropriate amount of funds to the deposit address.
  6. A Lambda function, the Watcher, is triggered every minute through an Amazon EventBridge schedule. The Watcher fetches pending invoices from DynamoDB and checks for payments made through the provided RPC endpoint. It updates an invoice to paid if payment has arrived.
  7. The Watcher Lambda function shares a payment confirmation with the merchant using Amazon Simple Notification Service (Amazon SNS).
  8. When a payment is detected (when the status transitions to paid) in the CryptoInvoices database, an event is emitted using Amazon DynamoDB Streams. This triggers the Lambda Sweeper function.
  9. The Sweeper function calculates the gas required for the sweeping transaction and, because this is an ERC-20 invoice, requests ETH from the gas tank to cover it.
  10. Once sufficient ETH is available, the Sweeper function sends the tokens associated with the invoice to the offline treasury wallet. It does this by requesting the seed phrase for the HD wallet and deriving the private key to sign the transaction. The invoice is then marked as swept in the CryptoInvoices database. If an error occurs during the sweeping process, the failure is logged and up to three more retry attempts are made.
  11. The merchant can manage invoices through the REST endpoint exposed using API Gateway (to view an invoice’s current status or cancel a pending invoice).

Refer to the GitHub repository for a detailed visualization of the payment, payment monitoring, and sweeping flow.

Conclusion

This serverless solution provides a secure, efficient, and cost-effective system for processing digital asset payments on AWS. By using AWS services and blockchain technology, organizations can reduce payment processing costs, gain faster access to funds, increase their cash flow, and operate in a global landscape.

Check out the complete implementation on GitHub and start building your own secure, serverless digital asset payment solution on AWS.


About the authors

Simon Goldberg

Simon is a Blockchain/Web3 Specialist Solutions Architect at AWS. Outside of work, he enjoys music production, reading, climbing, tennis, hiking, attending concerts, and researching Web3 technologies.

David Dornseifer

David is a Blockchain and Confidential Compute Architect at AWS. He focuses on helping customers design, develop and scale end-to-end blockchain and confidential compute solutions. His primary focus is on digital asset custody and key management solutions.