How Rythm's Non-Custodial Architecture Works

A technical deep dive into how Rythm verifies payments without holding funds, storing proofs, or reading email content. Cashu ecash + Lightning.

When we say Rythm is non-custodial, we mean it structurally. Not as a marketing claim. As an architecture decision that’s enforced at every layer of the system.

Rythm never holds your funds. Never stores Cashu tokens. Never reads or retains email content. For the broader concept, see our guide to what economic email filtering is. This post explains how that works, technically, for people who care about the details.

The Problem We Needed to Solve

Rythm charges unknown senders a small cover charge to deliver their email. That means a payment has to happen. And where there’s a payment, there’s usually a custodian: someone holding the money between sender and recipient.

We didn’t want to be that custodian. Holding funds means money transmitter licensing, compliance burden, and trust requirements that don’t match what we’re building. We wanted the payment to prove intent without Rythm touching the money.

How It Works: Cashu Ecash

Rythm uses the Cashu protocol, ecash over the Lightning Network. Here’s the flow:

1. Sender pays the cover charge.

When an unknown sender’s email is held, they receive a notification with a payment option. They pay the cover charge through a standard Lightning invoice or by minting Cashu tokens.

2. Sender includes proof of payment.

The sender attaches a Cashu token to their follow-up message. This token is a cryptographic proof that payment was made. It’s a self-contained string of text that represents value.

3. Rythm verifies the token.

When the email arrives, Rythm scans for the Cashu token. This happens in-memory, in milliseconds. We check one thing: is this a valid, unspent token? That’s it.

4. Token is melted (redeemed) to the recipient’s wallet.

If the token is valid, Rythm immediately melts it, redeeming it via the Lightning Network to the recipient’s configured wallet (Strike, Cash App, Blink, or any LNURL endpoint). The funds go directly from the mint to the recipient. Rythm never holds the value.

5. Email content is discarded.

After checking for the token, all email content is immediately discarded from memory. Nothing is written to disk, database, or logs. The only record is the messageId, a reference to the email, not its content.

The entire transmission is peer-to-peer. Person A sends person B a string of text inside an email. That string carries value. It’s the digital equivalent of a dollar bill in an envelope — except it settles in seconds and works across the internet. This is what peer-to-peer ecash was designed for.

What “Non-Custodial” Means Technically

  • No token storage. Cashu tokens are referenced by messageId only. The token itself is never persisted. It’s verified and melted in a single operation.
  • No funds held. The Lightning payment settles from mint to recipient wallet. Rythm’s infrastructure is a pass-through. At no point does Rythm control or have access to the funds.
  • No email content stored. In-memory scan only. After verification, the content is gone. Not archived, not logged, not cached.

The Cashu Protocol

For those unfamiliar: Cashu is an ecash protocol built on top of the Lightning Network. It uses blinded signatures (David Chaum’s ecash scheme) for privacy.

Key properties relevant to Rythm:

  • Bearer instrument. A Cashu token is a string of text that represents value. Whoever holds the string holds the value. No account required.
  • Blinded signatures. The mint that issues the token cannot link it to the person who redeemed it. The sender’s payment and the recipient’s redemption are unlinkable.
  • Instant settlement. Token melt settles via Lightning in seconds.
  • Token versions. Rythm handles both V3 (cashuA prefix) and V4 (cashuB prefix) tokens via the @cashu/cashu-ts library.
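
A sketch of the scan-and-inspect step from the flow above, covering the cashuA/cashuB prefixes just listed. This is an added example, not Rythm's code and not the @cashu/cashu-ts API: the mint allowlist, the 21 sat price, the reason strings and the sample token are assumptions, and it decodes V3 by hand while leaving V4 (CBOR) to a library.

```javascript
// Added example. Mint URL, price and sample token are constructed placeholders.
const ALLOWED_MINTS = new Set(["https://mint.example"]); // hypothetical allowlist
const COVER_CHARGE_SATS = 21;                            // hypothetical price
const TOKEN_RE = /cashu[AB][A-Za-z0-9_=-]+/g;            // prefix + base64url body

// Return every Cashu-looking string in a message body.
function findTokens(body) {
  return body.match(TOKEN_RE) || [];
}

// Structural pre-check of one token. It does NOT prove the proofs are validly
// signed or unspent: only the issuing mint can answer that.
function inspectToken(token) {
  if (token.startsWith("cashuB")) {
    // V4 payloads are CBOR; leave decoding to a Cashu library.
    return { version: "V4", ok: false, reason: "needs-cbor-decoder" };
  }
  const fail = (reason) => ({ version: "V3", ok: false, reason });
  let entries, unit;
  try {
    const json = Buffer.from(token.slice(6), "base64url").toString("utf8");
    const parsed = JSON.parse(json);
    entries = parsed.token;
    unit = parsed.unit || "sat"; // unit is optional in V3; "sat" assumed here
  } catch {
    return fail("malformed");
  }
  if (!Array.isArray(entries) || entries.length !== 1 || !entries[0]) {
    return fail("expected-one-mint");
  }
  const { mint, proofs } = entries[0];
  if (!ALLOWED_MINTS.has(mint)) return fail("untrusted-mint");
  if (unit !== "sat" || !Array.isArray(proofs)) return fail("malformed");
  let total = 0;
  for (const p of proofs) {
    if (!p || !Number.isSafeInteger(p.amount) || p.amount <= 0) return fail("bad-amount");
    total += p.amount;
  }
  if (total < COVER_CHARGE_SATS) return fail("underpaid");
  return { version: "V3", ok: true, mint, total };
}

// Build a constructed V3 token (dummy secrets and signatures) for testing.
function sampleV3(mint, amounts) {
  const proofs = amounts.map((amount, i) => (
    { id: "00ffee", amount, secret: "s" + i, C: "02" + "ab".repeat(32) }));
  const body = JSON.stringify({ token: [{ mint, proofs }], unit: "sat" });
  return "cashuA" + Buffer.from(body).toString("base64url");
}
```

A token that passes this check has only the right shape, mint and amount; a spent or forged token is caught only when the mint is asked.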

Why This Matters

Non-custodial architecture isn’t just a technical preference. It has practical consequences:

For the user: Your money never sits in someone else’s system. It settles to your wallet immediately. If Rythm shuts down tomorrow, you haven’t lost anything.

For Rythm: We don’t touch funds, so we don’t have the compliance burden of a money transmitter. We’re an email protection service that uses micropayments as a verification mechanism. For a more narrative walkthrough of this exact flow, see how it actually works under the hood.

For privacy: Blinded signatures mean the mint cannot link token issuance to redemption. At the protocol level, the sender’s payment and the recipient’s settlement are unlinkable.

Fail-Open Design

One more architectural note: Rythm uses fail-open design. If any part of the system has an issue (token verification fails, melt fails, Lambda times out), the email delivers normally. You never miss an email because of Rythm. We describe our privacy posture in more detail in “all muscle, no curiosity”.

This is a deliberate tradeoff. We’d rather let an unverified email through than risk holding someone’s mail. The bouncer steps aside when they can’t do their job.
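
The decision boundary this implies, as an added example that is not Rythm's code: `verifyAndMelt`, the result fields and the assumption that a completed check with no valid token leaves the message held are all hypothetical.

```javascript
// Added example. verifyAndMelt is a hypothetical async function supplied by the
// caller; it resolves true (token valid and melted) or false (no valid token).

// Reject with Error("timeout") if the promise has not settled within ms.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Decide what happens to one message. Only a completed check that found no
// valid payment keeps it held (assumption); every failure delivers it.
async function gate(messageId, verifyAndMelt, timeoutMs) {
  try {
    const paid = await withTimeout(
      Promise.resolve().then(() => verifyAndMelt(messageId)), timeoutMs);
    return paid
      ? { messageId, action: "deliver", verified: true, reason: "paid" }
      : { messageId, action: "hold", verified: false, reason: "no-valid-token" };
  } catch (err) {
    // Fail open: the record carries the messageId and failure class, no content.
    const timedOut = Boolean(err) && err.message === "timeout";
    return { messageId, action: "deliver", verified: false,
             reason: timedOut ? "timeout" : "verifier-error" };
  }
}
```

Keeping `verified` separate from `action` lets mail that was delivered unverified be counted apart from mail that was paid for.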

Open Questions

We’re not claiming the architecture is perfect. A few things we’re actively working on:

  • Multi-mint support for resilience (not dependent on a single Cashu mint)
  • Per-mint circuit breakers for fault isolation
  • Cover charge UX for non-technical senders

If you have questions about the architecture, we’re happy to discuss. We believe in building in public and showing our work.
