Onion Service (.onion)

An onion service (historically a "hidden service") is a server — a website, a Bitcoin node, an SSH endpoint — that is reachable only from within the Tor network, through a special address ending in .onion. Unlike browsing the ordinary web over Tor, traffic to an onion service never passes through an exit relay; both the client and the server stay inside the network end to end, hiding the server's IP address and physical location.

Self-authenticating addresses

A modern v3 onion address is 56 characters long because it is an Ed25519 public key, not merely a hash of one. The service signs a descriptor with the matching private key, and the client verifies that signature using the key encoded in the address itself. This means the address authenticates the server cryptographically — there is no certificate authority to trust and no possibility of connecting to an impostor as long as you have the correct .onion string. Connections are also encrypted end to end by construction.

Why operators use them

For sovereign infrastructure, onion services solve a real problem: exposing a home-hosted service without opening a port, renting a static IP, or revealing where you live. A Bitcoin or Lightning node, a personal Nostr relay, or a private file server can run behind an onion address and remain reachable from anywhere, while NAT and dynamic IPs become irrelevant because the Tor network handles rendezvous. The cost is added latency and a dependence on Tor being reachable.

Onion services are built on the same machinery described under Tor (The Onion Router), and they are a common companion to running infrastructure described in our broader Threat Model guidance.