diff --git a/Caddyfile b/Caddyfile index cfc5a4d..5686d52 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,10 +1,8 @@ -{$DOMAIN:localhost} { +(common) { root * /srv encode gzip - # Security headers header { - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" X-Content-Type-Options "nosniff" X-Frame-Options "DENY" Referrer-Policy "no-referrer" @@ -12,13 +10,20 @@ Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'" } - # Short URL rewrite: /s/CODE -> s.php?c=CODE @shorturl path_regexp short ^/s/([a-zA-Z0-9]+)$ rewrite @shorturl /s.php?c={re.short.1} - # PHP via FPM php_fastcgi 127.0.0.1:9000 - - # Static files file_server } + +# Clearnet (auto-HTTPS) +{$DOMAIN:localhost} { + import common + header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +} + +# Tor hidden service (HTTP only, no TLS needed) +:8080 { + import common +} diff --git a/Dockerfile b/Dockerfile index 60d571c..e433b9f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,7 @@ COPY Caddyfile /etc/caddy/Caddyfile COPY docker-entrypoint.sh /usr/local/bin/ RUN chmod +x /usr/local/bin/docker-entrypoint.sh -EXPOSE 80 443 +EXPOSE 80 443 8080 VOLUME ["/srv/data", "/data/caddy"] diff --git a/README.md b/README.md index 27c5b50..1173f46 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ You need a VPS with a domain pointing to it. Then: curl -sL https://xmrpay.link/install.sh | sh -s your-domain.com ``` -Done. HTTPS is automatic (via Caddy + Let's Encrypt). +Done. HTTPS is automatic (via Caddy + Let's Encrypt). A **Tor hidden service** (.onion) is included — the installer shows your onion address after setup. ### Requirements 
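Review bot: Nothing in the new `(common)` snippet records why `Strict-Transport-Security` was taken out of its `header` block, so the split between shared headers and TLS-only headers is easy to undo by accident. A one-line comment above the snippet would keep the intent visible, e.g. `# Shared by the HTTPS site and the plain-HTTP onion listener: TLS-only headers (HSTS) belong in the site block, not here`. The hunk also deletes the existing section comments (`# Security headers`, and in the next hunk the short-URL and PHP notes), which cost nothing to keep. The `header {` block opened here closes in the following hunk.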
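Review bot: The new `:8080` site block has no host matcher and no `bind`, so it answers every request that reaches that port on any interface of the container and serves the whole app, including the `/s.php` rewrite and `php_fastcgi`, in cleartext. With `EXPOSE 80 443 8080` in the Dockerfile hunk, a `docker run -P` or a later `ports:` entry would publish that listener on the host's public address and bypass TLS. Assuming the tor service reaches it over the compose network (the torrc is cut off in this view), EXPOSE is not needed for that, so I would keep the line as `EXPOSE 80 443`. A comment on the site block would also help, e.g. `# Internal only: reached by the tor container over the compose network; never publish 8080 on the host`.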
@@ -66,6 +66,9 @@ XMRPAY_IMAGE=schmidt1024/xmrpay:latest EOF docker compose pull && docker compose up -d + +# Show your onion address +docker exec xmrpay-tor cat /var/lib/tor/hidden_service/hostname ``` ### Uninstall diff --git a/docker-compose.yml b/docker-compose.yml index 7030887..f36d54f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,6 +12,29 @@ services: - xmrpay-data:/srv/data - caddy-data:/data/caddy + tor: + image: alpine:latest + container_name: xmrpay-tor + restart: unless-stopped + depends_on: + - xmrpay + entrypoint: /bin/sh + command: + - -c + - | + apk add --no-cache tor > /dev/null 2>&1 + mkdir -p /var/lib/tor/hidden_service + chmod 700 /var/lib/tor/hidden_service + cat > /etc/tor/torrc <