Definition
SIGHASH_ANYPREVOUT (APO), specified in BIP 118 and formerly known as SIGHASH_NOINPUT, is a proposed Taproot signature mode. A standard signature commits to the specific previous output (UTXO) being spent, binding it to one coin and one coin only. An ANYPREVOUT signature omits that commitment, so the same signature can later be rebound to any other output that shares the matching script. To be clear about status: APO is a proposed soft fork, not active on Bitcoin mainnet, though it has been deployed on test networks such as Signet so developers can experiment with the constructions it enables.
The plainest way to grasp what APO changes is to look closely at what an ordinary signature promises. Normally, signing an input is a promise about one exact coin: this signature authorizes spending this specific previous output and nothing else in existence. ANYPREVOUT deliberately loosens that promise to "any output that looks like this one," detaching the signature from any particular coin while still binding it to a script. That single, targeted relaxation is what makes clean off-chain protocols like eltoo possible in the first place, and it is also exactly why the proposal is handled with such care — a signature that can validly apply to more than one coin is powerful precisely because it can be pointed at coins its author never had in mind.
Two modes
BIP 118 defines two related sighash flags with different degrees of looseness. SIGHASH_ANYPREVOUT still commits to the spent output's script — its scriptPubKey and the tapleaf being used — so a signature binds to outputs using that script but not to any particular UTXO. SIGHASH_ANYPREVOUTANYSCRIPT is broader, committing to even less, which makes a signature reusable across a wider set of outputs. Both rely on the Schnorr signatures introduced by Taproot, which is why APO is framed as a Taproot-era proposal rather than something retrofittable onto older output types.
Primary use case: eltoo
APO's flagship motivation is eltoo, a simplified Lightning Network channel-update mechanism. In today's penalty-based channels, publishing an outdated state risks losing your entire channel balance as a punishment, which forces both parties to store every past state forever and watch the chain vigilantly. With rebindable signatures, each new channel state can simply spend any earlier state, so honest parties only ever need to publish the latest one — the punishment model disappears and is replaced by a cleaner "newest state wins" rule. That makes channels easier to reason about, cheaper to back up, and friendlier to watchtowers and to related off-chain designs.
Why rebindability is powerful and delicate
A signature that can attach to any matching output is a genuinely new kind of spending authority, and that power cuts both ways. It is exactly what eltoo needs, but it also means a carelessly constructed ANYPREVOUT signature could be replayed against an output its author never intended to authorize. This is why the flag is designed to be opt-in at the output level — coins must explicitly commit to accepting APO spends — and why wallet designers treat it with caution. The proposal has been scrutinized for interactions with fee-bumping, transaction pinning, and replay safety before any activation could be seriously considered.
Broader context and caveats
Beyond eltoo, APO can support statechains and certain covenant-like constructions, though generally less efficiently than opcodes purpose-built for those jobs. It is often grouped with the broader covenant discussion even though its core purpose is signature flexibility rather than restricting where coins can go, and it composes naturally with off-chain primitives such as point time-locked contracts. This entry describes an experimental proposal under active review, not a settled feature of Bitcoin — treat any implementation you encounter as research, and never sign an ANYPREVOUT signature over funds you are not prepared to see rebound elsewhere.
In Simple Terms
SIGHASH_ANYPREVOUT (APO), specified in BIP 118 and formerly known as SIGHASH_NOINPUT, is a proposed Taproot signature mode. A standard signature commits to the specific previous…
