# GOXMR

Category: tools · Monero-Native Identity
Grade: B
KYC: anonymous_signup
Highlights: NO-KYC, XMR, TOR, OSS
Features: non_custodial, open_source, self_hosted, tor_mirror, xmr_native
Fees: 0% platform fees · donation-funded · MIT-licensed (repo TBD)
Web: https://goxmr.click
Tor: http://5vtyieb7przizt7rhl4ydeglinrjn5g2srx45i4dcbwve3pojcfmjzid.onion/
Contact: X: https://x.com/SlowBearDigger
Last verified: 2026-06-03
Operating since: 2025-12-22 (1y)

> Privacy-first link-in-bio for the Monero ecosystem — OpenAlias + NIP-05 + WebFinger + PGP under one handle.

## Review

Privacy-first link-in-bio for the Monero ecosystem — claim a handle at `goxmr.click/yourname`, drop in social links and a Monero wallet, share one URL. Four federated identity surfaces under one handle: **OpenAlias** (Monero-native), **NIP-05** (Nostr), **WebFinger**, **PGP**.

Privacy-first Linktree alternative with a built-in Monero store — claim a handle at `goxmr.click/yourname`, drop in social links and an XMR wallet, and share one URL. Listed at **Grade B** because the homepage publishes strong privacy claims (non-custodial, PGP encryption, MIT-licensed, 0% fees/tracking) and a Tor mirror is advertised, but zero peer-directory matches and the SPA rendered identical shell content on every hash route — the actual privacy policy, terms, and AML page text is unread by this probe.

**What it is.** Monero-native link-in-bio tool with an integrated store. Listed at **Grade B** — the homepage copy is unusually direct about the privacy model ('Payments go directly to your Monero wallet. We never touch funds.') but the site is a single-page app whose hash-route legal pages rendered identically to the shell, leaving the actual policy text opaque to automated review.

**What you trust.** Non-custodial payments: Operator-published: 'Payments go directly to your Monero wallet. We never touch funds.' (brief.spa.homepage_text). This is the strongest single trust claim on the page — custody risk is structurally eliminated rather than volunteered away. PGP encryption: Operator-published: 'Buyer info, emails, orders — encrypted client-side with your key.' (brief.spa.homepage_text). End-to-end encrypted order data means the operator cannot read buyer communications even if they wanted to. Open source: Operator-published: 'MIT-LICENSED — Audit the code, run your own instance, fork it. Zero lock-in.' (brief.spa.homepage_text). An MIT license is the most permissive open-source license. The homepage does not link to the repository — curator should verify the code is published at a discoverable GitHub/GitLab URL before the review goes live. Zero fees, zero tracking: Operator-published: '0% fees, 0% tracking.' (brief.spa.homepage_text). No platform commission, no analytics — the service operates as a free public utility if the claim holds. Privacy policy: Route exists at `#/privacy` (brief.spa.rendered./privacy) but the rendered snippet is identical to the homepage shell — cloak-browser could not extract unique policy text from the SPA hash route. The policy page is confirmed to exist but its content is unread. Terms of service: Route exists at `#/terms` and `#/tos` (brief.spa.rendered — both render the same shell). Same limitation: content unread. Curator must manually navigate the SPA and quote the operator's own terms verbatim. AML page: Route exists at `#/legal/aml` (brief.spa.rendered but content unread). The existence of an AML route on a privacy-first link-in-bio tool is itself notable — most services in this category don't publish one.

**Operational specs.** Pricing: Operator-published: '0% fees' (brief.spa.homepage_text). The service appears to be free for both profile creators and buyers — revenue model is either donation-funded (per the 'SUPPORT_THE_MISSION 45% SLOWB' progress bar) or not yet implemented. Payment surface: Monero-only. The homepage references only Monero ('built-in Monero store', 'GET XMR', 'your Monero wallet'). No Bitcoin, Lightning, or fiat references in the rendered shell. Coin coverage: Monero-native — this is not a multi-coin tool with Monero bolted on. The entire product is XMR-first. Tor mirror: Advertised at `http://5vtyieb7przizt7rhl4ydeglinrjn5g2srx45i4dcbwve3pojcfmjzid.onion/` (brief.onion). The auto-seed caveat notes that the onion does not appear in the clearnet `Onion-Location` header (brief.technical.advertised_onion: null) — this is a listing drift caveat, not a fatal gap, but curators should verify the onion resolves. Domain: `goxmr.click` — the `.click` TLD is a budget gTLD. Not inherently suspicious but it's an unusual choice for a privacy tool. No history of `.click` domains being seized en masse, but the TLD registry is less established than `.org` or `.com`. SPA architecture: 39/39 paths return the same 3042-byte shell page (brief.sweep_summary: 39 found, all 200). All content lives behind hash routes. This is neutral for functionality but hostile to automated audit — the probe cannot independently verify claims made in pages it cannot navigate. API surface: A hash route `#/api` exists (brief.spa.rendered) but rendered no unique content. The homepage does not describe an API. Possible it's an internal route or a stub.

**Operator philosophy.** The homepage copy is unusually direct about the trust model — no marketing polish, just structural claims: non-custodial, PGP-encrypted, MIT-licensed, 0% fees, 0% tracking (operator-published, brief.spa.homepage_text). The positioning as 'Sovereign Privacy-First Link-in-Bio' (brief.sweep./.title) plus the Monero-only payment surface suggests a project built by and for the XMR community rather than a commercial play seeking broad adoption. The MIT license and 'run your own instance, fork it' language signal a project that expects to be self-hosted by users in the long term.

**Grade rationale.** Listed at **Grade B** because the homepage publishes a coherent and unusually direct privacy model — non-custodial payments, PGP encryption, MIT license, zero fees, zero tracking, and a Tor mirror — all from a single 3KB page. That is a stronger trust-signal surface than most Linktree alternatives. Grade A is withheld because: (1) zero peer-directory matches (brief.peer_matches._any_count: 0) — the service appears to have no external trust footprint; (2) the SPA rendered identical shell content on all hash routes, meaning the privacy policy, terms, AML page, and FAQ exist as routes but their actual policy text is unread by the probe; (3) the `.click` TLD and single-source trust signal place this firmly in experimental-tool territory. Among link-in-bio services in this directory, a published code repository (not just the MIT license claim) and unique hash-route policy pages would raise this to Grade A.

**Caveats.** The SPA rendered identical 3042-byte shell content on all 39 probed paths and all hash routes — cloak-browser successfully loaded the SPA (the shell text is rich and captures homepage copy) but could not execute the hash-route navigation to extract unique per-page content. This means the privacy policy, terms, AML page, FAQ, and API page are confirmed to exist as routes but their text is unread by this review. Every operator claim in the editorial is sourced from the homepage shell; curator must navigate the SPA manually to verify the policy pages. The `.click` TLD is a budget gTLD operated by Uniregistry. It has no history of mass seizures but it's an unusual choice for a privacy tool — most privacy-centric projects use `.org`, `.com`, `.net`, or a self-hosted domain. The onion mirror partially mitigates this concern for Tor users but clearnet visitors are exposed to a less-established TLD registry. The operator-published 'MIT-LICENSED' claim is not independently verified — no repository URL appears in the homepage shell text. The 'audit the code, run your own instance, fork it' language strongly implies a public repo exists, but curators should locate and link it before the review goes live. An MIT license claim without a discoverable repo is an unverifiable trust signal. The 'SUPPORT_THE_MISSION 45%' progress bar in the shell text suggests the project is in an active funding phase. This is not a red flag (many good tools start this way) but it means the service's sustainability model is unproven — curators should track whether the progress bar advances or stalls over subsequent re-checks.

Source: https://xmr.club/tools/goxmr