A blind, end-to-end-encrypted marketplace for AI inference. Run on your hardware. Settled in sats.
The dead paid Charon an obol to ferry them across the Styx. He didn’t ask where they were going or why. He took the coin and he rowed.
That’s the whole design.
The problem
You have a GPU and an Ollama install. Someone three timezones away needs the model you’re running and would happily pay for it. Today there’s no clean way to connect you — not without an account on someone’s platform, a cut to a SaaS middleman who reads every prompt, and a data path that runs your traffic through a company that logs it.
The cloud filled this gap by becoming the gap. Every “marketplace” is a watcher in the middle.
Charon removes the watcher without removing the market.
What it is
Charon is two binaries and a relay:
- A provider client runs next to Ollama. You pick which models to sell and what they cost. It dials out — no open ports, no public IP — and waits.
- A consumer client runs an OpenAI-compatible endpoint on your machine. Point any agent at it. It finds a provider, pays, and streams the answer back.
- The gateway sits between them, introduces them, relays the traffic, and takes its coin.
The catch — the good catch — is that the gateway is blind. The prompt and the reply are encrypted end-to-end between the two clients. Charon ferries sealed cargo. It can prove it got paid. It can prove nothing else.
your agent Charon someone's Ollama
┌────────────┐ localhost ┌──────────────────┐ relay ┌──────────────────┐
│ Claude │──────────────►│ consumer client │◄══════════►│ provider client │
│ Code / any │ plain │ pay · encrypt │ GATEWAY │ decrypt · serve │
│ OpenAI app │ └──────────────────┘ (blind) └────────┬─────────┘
└────────────┘ │
── prompt + reply: end-to-end encrypted ── ┌─────▼─────┐
── gateway sees a coin, not the cargo ── │ Ollama │
└───────────┘Identity is a NUTS token
Both clients authenticate to the gateway with a NUTS ahp_ token from auth.nuts.services. One identity, every service in the fleet — the same token that already gates Grub and Shivvr gates your ferry crossing. The gateway checks the token, matches a rider to a boat, and steps aside.
That identity does triple duty: it gates the connection, it anchors the encryption key, and it carries your reputation. One key, three jobs.
The provider: pick what you ferry
You run Ollama. You write a few lines of config — which models, what price per million tokens — and start the client:
name = "qwen2.5-coder:32b"
price_msat_per_mtok_in = 200000 # 200 sat / 1M in
price_msat_per_mtok_out = 600000 # 600 sat / 1M out[[models]] in the provider configThat’s the whole “join the market” step. The client registers your models, publishes a signed encryption key bound to your identity, and waits for sealed work. It decrypts a job only after the payment for it has cleared, checks the request matches what was paid for, runs it on your box, and seals the answer on the way out. Your machine never opens a port. The gateway never sees a byte of it.
The consumer: bring any agent
The consumer client speaks plain OpenAI. Anything that speaks OpenAI speaks to it — and that includes Nemesis8, our sealed-container agent orchestrator. Fire up Claude Code, OpenClaw, Cline, Aider, whatever, inside a Nemesis8 session, and point its provider at the local Charon endpoint:
type = "openai"
base_url = "http://host.docker.internal:8088/v1"
models = ["qwen2.5-coder:32b"][providers.charon] in the agent's provider configThe agent thinks it’s talking to OpenAI. Behind that endpoint, Charon resolves the model to a provider you trust, pays the invoice, runs the encrypted handshake, and streams the reply into your terminal. Because Nemesis8 scopes network access per session, you can grant the agent the right to reach exactly one model and nothing else on the internet. A coding agent on a leash, paid by the token, reading nobody’s prompts.
The coin
You pay per request, in bitcoin. Cashu ecash is the native rail: the consumer hands over a token, the gateway swaps it at the mint, keeps its cut, and forwards the rest to the provider — change returned if you overpaid. L402 over Lightning and prepaid balances work too.
Pair Cashu with the end-to-end encryption and the ferryman goes doubly blind: ecash hides who paid, encryption hides what was asked. Charon can prove it was paid and prove nothing about who crossed or where they were going. That is the obol on the tongue — a coin with no name attached.
Pricing is on the cap you set, not the tokens you happen to use, so you know the fare before you board. And because Charon can’t read your prompt, it can’t route it — which means you pick the model, not a classifier in the cloud. That’s a feature. The fastest way to a five-cent answer is a server deciding your one-line question deserves a frontier reasoning model. Charon never makes that call. You send the small question to the small model, because you’re holding the wheel.
What we gave up, honestly
End-to-end means the gateway can’t read your traffic. It does not mean the provider can’t — they decrypt to run the model. If your threat model includes the box doing inference, you want confidential compute, the same TEE path our hosted mint already walks. And a blind relay still sees the shape of traffic — how big the chunks are, when they arrive. We think that’s an acceptable leak for what you get. If you disagree: the code is yours. Fork the gateway, run your own, ferry your own dead. Reputation travels with your identity, not with our server, so leaving costs you nothing.
That’s the posture. Charon is a ferryman, not a bank, not a watcher, not a landlord. It connects two strangers who’d never have found each other, carries what they trade without looking inside, and takes a coin for the crossing.
Source: github.com/DeepBlueDynamics/charon.
Charon is in active development. Code at github.com/DeepBlueDynamics/charon — provider and consumer clients ship as single binaries and Docker images; the gateway is self-hostable. Identity runs on auth.nuts.services. — DeepBlue Dynamics
// transmission ends