how kwill works
Everything that runs the platform — from the on-chain program that brokers your subscription, to the cryptography that gates paywalled posts, to the cron that pulls renewals.
profit from publishing without permission
KWILL is a publishing marketplace where readers pay creators in stablecoins (or any SPL token) and every subscription is a programmable token delegation on Solana. There is no platform tax, no custodial wallet, and no payment processor — subscribers authorise the publisher to pull funds directly from their wallet each billing period, and they can cancel at any time without asking anyone's permission.
This page explains how that works under the hood: the on-chain program that makes recurring payments possible, the encryption that enforces the paywall, and the off-chain pieces that make the whole thing feel like Substack instead of a hardware wallet.
the subscriptions delegation program
KWILL is built on top of the Solana Subscriptions Delegation Program (program id De1egAFMkMWZSN5rYXRj9CAdheBamobVNubTsi9avR44), audited by Cantina and maintained by the Solana Foundation.
The SPL Token program only lets one account approve one delegate at a time, which makes recurring payments hard — you can't subscribe to Netflix, Spotify, and your gym from the same wallet at the same time without revoking each authorisation in turn. The Subscriptions program solves this by introducing a per-wallet, per-mint Subscription Authority (SA) that holds the one delegation slot and brokers many specific spending authorisations on top of it.
three delegation models
- Fixed delegation — one-time approval up to a cap, with optional expiry. Useful for tipping or limited spending allowances.
- Recurring delegation — pull up to X tokens every N seconds. The cap resets each period.
- Subscription plan — a publisher publishes immutable billing terms, and subscribers accept those terms. The publisher (or a whitelisted “puller”) can collect on each billing period.
KWILL uses the third model: every tier you create is an on-chain Plan PDA. Every subscriber who joins your tier gets their own SubscriptionDelegation PDA that snapshots your tier's price + period at the moment they subscribed. You can never raise their price mid-subscription — if you change the tier, only new subscribers see the new terms.
how the pieces fit
The platform is four layers stacked on top of each other:
┌─────────────────────────────────────────────────────────┐
│ Browser │
│ ─ Next.js 16 React Server Components │
│ ─ Wallet Adapter (Phantom, Solflare) → @solana/kit │
│ ─ AES-256-GCM encryption before any post leaves the │
│ browser │
└─────────────────────────────────────────────────────────┘
│
▼ HTTPS
┌─────────────────────────────────────────────────────────┐
│ Vercel edge │
│ ─ Next.js Route Handlers (gated by SIWS sessions) │
│ ─ Vercel Blob (encrypted post bodies) │
│ ─ Neon Postgres (mirror of on-chain state, off-chain │
│ metadata, comments, email opt-ins) │
│ ─ Daily cron: indexer + billing │
└─────────────────────────────────────────────────────────┘
│
▼ Solana RPC (Helius)
┌─────────────────────────────────────────────────────────┐
│ Solana mainnet │
│ ─ Subscriptions Delegation Program │
│ Plan PDA ← per tier │
│ SubscriptionDelegation PDA ← per subscriber │
│ SubscriptionAuthority PDA ← per (wallet, mint) │
│ ─ Token-2022 + classic SPL Token (KWILL, USDC, …) │
└─────────────────────────────────────────────────────────┘
The chain is the source of truth for who is subscribed and what they owe. Postgres is a mirror that lets us render feeds and dashboards without round-tripping to RPC for every request. A cron worker reconciles the mirror against the chain every 24h and pulls due renewal payments.
a subscription, step by step
- Publisher creates a tier. They sign a create_plan instruction that mints a Plan PDA storing the price, billing period, payment mint, destination wallet, and the KWILL billing wallet as the authorised puller.
- Subscriber joins. If they don't yet have a Subscription Authority for the payment mint, one is created and given u64::MAX delegate approval over their token account. Then the subscribe instruction creates their SubscriptionDelegation PDA, snapshotting the tier's billing terms.
- Billing cron pulls renewals. Every day, our cron walks all subscriptions whose nextRenewalAt has arrived and signs transfer_subscription. The program verifies the puller is authorised, the period allowance hasn't been exceeded, and the plan terms still match the subscriber's snapshot — then transfers funds from the subscriber's ATA to the publisher's.
- Subscriber cancels. A signed cancel_subscription sets the end-of-current-period timestamp. They keep access until the end of the period they paid for. They can resume_subscription before then, or wait for it to expire and call revoke_delegation to close the on-chain account and reclaim the rent.
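The renewal checks from the steps above, modelled off-chain as an added example (not the Subscriptions program's code or KWILL's). The field names, wallet labels, mint placeholder, and the assumption that the first period starts at subscription time are all constructed for illustration.

```javascript
// Simplified off-chain model of the checks described above. Field names and
// the first-period timing are assumptions, not the program's account layout.
const DAY = 86_400;

function subscribe(plan, now) {
  // The delegation snapshots the tier's terms at the moment of subscribing.
  const { price, periodSecs, mint } = plan;
  return { terms: { price, periodSecs, mint }, periodStart: now, pulled: 0n, endsAt: null };
}

function periodStartAt(sub, now) {
  const n = Math.floor((now - sub.periodStart) / sub.terms.periodSecs);
  return sub.periodStart + n * sub.terms.periodSecs;
}

function cancel(sub, now) {
  // Cancellation only sets the end of the period that is already running.
  sub.endsAt = periodStartAt(sub, now) + sub.terms.periodSecs;
}

function transferSubscription(plan, sub, puller, amount, now) {
  const t = sub.terms;
  if (!plan.pullers.includes(puller)) return "unauthorised puller";
  if (plan.price !== t.price || plan.periodSecs !== t.periodSecs || plan.mint !== t.mint)
    return "terms mismatch";
  if (sub.endsAt !== null && now >= sub.endsAt) return "subscription ended";
  const start = periodStartAt(sub, now);
  if (start !== sub.periodStart) { sub.periodStart = start; sub.pulled = 0n; } // cap resets
  if (sub.pulled + amount > t.price) return "period allowance exceeded";
  sub.pulled += amount;
  return "ok";
}

function runScenario() {
  // Constructed sample: 5 tokens (6 decimals) every 30 days.
  const plan = { price: 5_000_000n, periodSecs: 30 * DAY, mint: "MINT_PLACEHOLDER", pullers: ["billing-wallet"] };
  const sub = subscribe(plan, 0);
  const pull = (who, amt, t, p = plan) => transferSubscription(p, sub, who, amt, t);
  const out = [
    pull("billing-wallet", 5_000_000n, 0),          // first period
    pull("billing-wallet", 1n, DAY),                // second pull in the same period
    pull("other-wallet", 5_000_000n, 30 * DAY),     // not the whitelisted puller
    pull("billing-wallet", 5_000_000n, 30 * DAY),   // new period, cap has reset
    pull("billing-wallet", 5_000_000n, 31 * DAY, { ...plan, price: 9_000_000n }), // terms differ from snapshot
  ];
  cancel(sub, 45 * DAY);                            // subscription now ends at day 60
  out.push(pull("billing-wallet", 5_000_000n, 60 * DAY));
  return out;
}
console.log(runScenario());
```
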
cryptographically enforced reading
Paid posts never touch our servers in plaintext.
- When a publisher hits publish, the editor generates a fresh 256-bit AES-GCM data encryption key (DEK) entirely in the browser.
- The post body is encrypted with that DEK and uploaded to Vercel Blob as opaque ciphertext.
- The DEK is sent to our API, where it's immediately wrapped with a master key and stored in Postgres. The plaintext DEK is never persisted.
- When a subscriber requests the post, the API checks the chain for an active SubscriptionDelegation against the post's minimum tier (or any higher tier). If granted, it unwraps the DEK and returns it.
- The subscriber's browser fetches the ciphertext from Vercel Blob, decrypts with the DEK, sanitises with DOMPurify, and renders the post.
If the chain says the subscription has lapsed, the API simply refuses to release the DEK — no platform-level enforcement, no DRM, just math.
what this changes
- No custody. We never hold subscriber funds. Every transfer is wallet → publisher, signed by the platform's puller wallet (which only has authority to pull amounts already agreed to on-chain).
- No silent price hikes. A tier's billing terms are immutable once published. If a publisher wants to raise prices, they create a new tier; existing subscribers keep their original terms forever.
- Cancel without asking. Cancellation is a wallet transaction the platform cannot block.
- Rent is yours. Subscribing creates a small on-chain account (~0.002 SOL of rent). When you revoke, that rent is refunded to your wallet — not the platform's.
- Cross-platform portability. Your subscription is an on-chain account. Any other UI that knows the Subscriptions program can read your subscriptions, cancel them for you, or build alternative reader experiences.
the platform token
KWILL is the default settlement token for the platform. It's a Token-2022 SPL token with a fixed supply of 1B and 6 decimals, launched on pump.fun. Publishers can also denominate tiers in USDC or any other SPL/T22 mint — the program supports both classic SPL Token and Token-2022 mints, including Token-2022 with transfer hooks.
CA · 7Sk7AcCS6gLo9xVMi5zSSTqdjtaRGehHHbpFuxNtpump
what runs the platform
- Frontend — Next.js 16 with React Server Components, Cache Components, and Partial Prerendering. Tailwind CSS 4. Instrument Serif for display type.
- Wallet — @solana/wallet-adapter for connecting (Phantom, Solflare), bridged into @solana/kit TransactionPartialSigner for instruction building.
- On-chain SDK — @solana/subscriptions (Codama-generated). All transactions are built with the SDK's overlay helpers, which handle PDA derivation and array padding automatically.
- RPC — Helius mainnet.
- Storage — Vercel Blob for encrypted post bodies, Neon Postgres for off-chain mirror (publications, tiers, posts metadata, subscriptions cache, comments).
- Auth — Sign-In With Solana (SIWS) challenge + signed message, JWT in httpOnly cookie. Same SIWS-gated session unlocks paywall reads, comments, and settings.
- Cron — Vercel Scheduled Functions, daily. One reconciles the mirror against the chain; the other pulls due renewals.
read deeper
- Subscriptions Delegation Program docs
- solana-foundation/subscriptions on GitHub (source code, audit reports, ADRs)
- Architecture Decision Records covering the SA design, plan-based subscriptions, and the versioning / migration system
- Solana Payments overview
- @solana/kit docs