What is a .onion link and how does it work?

.onion addresses are to the dark web what .com or .co.uk addresses are to the regular web: access points to websites — except they operate on a radically different logic. They are not registered with a registrar, do not depend on any public DNS, and are not accessible via an ordinary browser. This article explains in detail what a .onion link is, how it is generated, how onion routing provides anonymity, and how to verify the authenticity of an address before connecting.

⚫ We know why you are here. It's not this page. Tor access →

Anatomy of a .onion address

A v3 .onion address takes the form of 56 random characters followed by the .onion suffix. For example, the BBC's official address on Tor is bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh7745uqd.onion. These 56 characters are not arbitrary: they correspond to the base32 representation of a cryptographic public key. Specifically, this key is a 256-bit Ed25519 public key to which a checksum and a version number are appended. Once encoded, the result is exactly 56 characters — no more, no less.

This design has a fascinating consequence: the address itself is the public key. When you connect to a .onion address, your Tor Browser uses that key to cryptographically authenticate the remote server. No one can impersonate the legitimate server without possessing the corresponding private key, which remains on the origin server. This mathematical authentication makes traditional TLS certificates (like those issued by Let's Encrypt for .com sites) unnecessary, and explains why .onion services work without old-style HTTPS.

Why exactly 56 characters?

The length was not chosen for aesthetics: it follows directly from cryptographic constraints. An Ed25519 key is 32 bytes (256 bits). With the checksum and version, you reach 35 bytes. Encoded in base32 (one letter or digit per 5 bits), that gives exactly 56 characters. This length guarantees an astronomical address space: 2^256 possible addresses — a number with 78 decimal digits, far greater than the estimated number of atoms in the observable universe (around 10^80). Guessing an address at random would statistically take longer than the age of the universe.

Vanity addresses

Some organizations create addresses whose first characters form a readable word, like Facebook with facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion, which starts with "facebook." These addresses, called vanity addresses, are not "privileged" addresses: they are generated by computing billions of Ed25519 keys until one is found that produces the desired prefix. Six characters take a few hours on a modern GPU, eight characters take several days; beyond that it becomes industrially expensive. The tool mkp224o is the go-to generator for this operation. A readable prefix improves recognition but confers no additional security.

Onion routing explained

The name "Tor" is an acronym for The Onion Router. The "onion" refers to the layered encryption structure: your traffic is wrapped in several successive layers, each of which can only be decrypted by the corresponding relay on its path. This architecture is what provides the network's fundamental anonymity.

The three-relay circuit

When you send a request via Tor Browser, your traffic passes through a circuit of three consecutive relays, chosen from among the roughly 7,000 volunteer relays in the Tor network. The first is the entry node (guard node): it sees your real IP address (because it receives your direct connection) but does not know where your request is headed. The second is the middle node: it sees neither your IP nor the final destination — only the two relays it communicates with. The third is the exit node for clearnet requests: it establishes the final connection to the visited website and sees the destination, but does not know your IP.

Layered encryption

Before sending your request, Tor Browser encrypts it successively with the public keys of the three relays. The entry node decrypts the first layer, which reveals the middle node's address. The middle node decrypts the second layer, revealing the exit node's address. The exit node decrypts the third layer, revealing the final request it forwards to the destination. Each relay only sees what it needs; no relay has a complete view of the chain.

This architecture ensures that an observer cannot link your IP to your activity, unless they simultaneously control both the entry node and the exit node of your circuit — statistically unlikely for an isolated attacker, and requiring state-level resources to become feasible. Circuits are automatically renewed every ten minutes to further strengthen this protection.

How a hidden service works on the server side

For .onion services (also called hidden services or onion services), the architecture is even more elaborate. Not only are you anonymous as a client — the server hosting the site is anonymous too. No one, including you as a visitor, can know the real IP address of the .onion server.

Introduction Points

When a hidden service starts up, it selects several Tor relays to act as Introduction Points. These relays announce the existence of the service by publishing a list signed with the service's private key into the Tor network's Distributed Hash Table (DHT). Introduction Points never know the real IP of the server — they communicate with it only through a standard Tor circuit.

The Rendezvous Point

When you connect to a .onion service, your Tor Browser retrieves the list of Introduction Points from the DHT, contacts one of them, and proposes a Rendezvous Point — another randomly chosen relay. The Introduction Point relays this proposal to the hidden service, which builds a circuit to the Rendezvous Point. You and the service "meet" there: your respective circuits connect, and communication can begin. Each has traveled half the path without revealing their IP.

This three-step architecture (publication, introduction, rendezvous) is the heart of Tor's genius. It allows an anonymous server to offer a service to anonymous clients, with no mutual revelation. Only the service's public key (the .onion address) is shared. That is why .onion services can operate behind a NAT, without a fixed public IP address, and can resist many forms of censorship.

The difference between .onion v2 and v3

Older Tor users will remember 16-character .onion addresses, such as the old Facebook address facebookcorewwwi.onion. Those were v2 addresses, in service from 2004 to 2021. They were definitively replaced by 56-character v3 addresses starting with Tor version 0.4.6, released in October 2021.

Why the change?

Several reasons justified the upgrade. v2 addresses relied on RSA-1024, an algorithm considered insufficiently secure against modern threats, including the eventual emergence of quantum computers. Their short length (80-bit identifier) also made them vulnerable to certain cryptographic collision attacks. Researchers had demonstrated the feasibility of generating v2 addresses that "look like" a known address for phishing attacks. v3, with its 256-bit Ed25519 keys, makes such attacks practically impossible and offers better quantum resistance.

Consequences for users

If you come across a 16-character .onion address in an old article, an archive, or an old forum, it will no longer work: the v2 protocol has been entirely disabled. Major services (Facebook, BBC, ProPublica, DuckDuckGo, etc.) have all migrated to v3 and published their new addresses through their official clearnet sites. To verify them, always cross-reference the address through multiple trusted sources, such as our OnionDir directory, official service announcements, or their verified social media accounts.

How to verify that a .onion address is authentic

The length of v3 .onion addresses is a cryptographic protection, but it also introduces a practical problem: no one memorizes 56 random characters. This difficulty is exploited by scammers who create .onion addresses visually similar to legitimate ones (for example, by modifying a few characters in the middle) to trick users and capture their information. It is therefore essential to verify the authenticity of an address before any sensitive connection.

Verification methods

Official clearnet source. Most major services publish their .onion address on their official clearnet site. For Facebook, that is facebook.com; for the BBC, bbc.com; for ProtonMail, proton.me. If the .onion address does not appear on the authentic clearnet site, it is probably not legitimate.

Verified directories. Directories like OnionDir manually verify every listed address. Cross-referencing an address through several independent directories (OnionDir, The Hidden Wiki, Ahmia) provides reasonable confidence.

PGP signatures. Some services, particularly privacy tools (Tor Project, Whonix, Tails), publish their .onion address signed with their official PGP key. Verifying the signature confirms the address has not been substituted.

Official communications. Verified social accounts of services (Twitter/X, Mastodon) regularly publish their .onion addresses. AFP, BBC, and other serious media outlets include them in their reporting.

Warning signs

Be especially wary of addresses shared only by an unknown user on a forum, addresses that look "a little too much" like a known service (.onion phishing plays on subtle character differences in the middle), and any service that immediately demands credentials or payment without a verifiable history. When in doubt, abstain: fraudulent imitations have cost users millions.

Legitimate uses of .onion

Contrary to the dominant media image, .onion is massively used for perfectly legitimate reasons. Major international media outlets — BBC, New York Times, ProPublica, Deutsche Welle, Radio Free Europe — maintain .onion versions to let their readers circumvent state censorship in authoritarian countries. Encrypted email services like ProtonMail and Riseup offer .onion access to strengthen the privacy of their users' connections.

Privacy tools such as SecureDrop, OnionShare, and Ricochet Refresh are fundamentally built on the .onion architecture to offer anonymous communications between sources and journalists, ephemeral file sharing, and serverless messaging. Specialized search engines like Ahmia and Torch index the .onion ecosystem to make it navigable. And community forums like Dread provide anonymous discussion spaces on technical, political, or cultural topics.

For a structured exploration of the legitimate ecosystem, see our top 30 unusual and legitimate .onion sites, which covers around thirty services in detail — from public institutions (CIA, Tor Project) to cultural curiosities (radio stations, chess, libraries).

Creating your own .onion service

One of Tor's most original features is that it lets anyone create their own .onion service, without registering with a registrar, without buying a domain name, and without obtaining an SSL certificate. The basic procedure takes less than ten minutes and works on any server or even a personal computer.

The process involves installing Tor, running a local web server (nginx, Apache, Caddy, or even Python's built-in HTTP server for a quick test), then adding two lines to the torrc configuration file to declare a hidden service pointing to that local server. After restarting Tor, the software automatically generates an Ed25519 key pair: the private key is stored locally (never shared), and the public key becomes your .onion address.

For occasional or ephemeral use, the OnionShare tool automates the entire process: a single click turns your computer into a temporary .onion server for sharing a file or a static site. For a permanent service, a VPS from a privacy-respecting host such as Njalla or Ablative Hosting offers better reliability than a personal computer. Hosting a legitimate .onion site is perfectly legal, just like running a clearnet site.

Going further

You now have an in-depth understanding of what a .onion link is and how the ecosystem works. To continue your exploration, several complementary resources are available. Our complete guide to accessing the dark web safely covers the step-by-step installation of Tor Browser and essential security rules. Our selection of the best legitimate .onion sites offers a guided tour of the ecosystem.

Our technical glossary defines every specialized term (Ed25519, Hidden Service, Rendezvous Point, Directory Authority, etc.) with both short and in-depth definitions. To debunk the misconceptions circulating about .onion, see our 50 fact-checked dark web myths. And for more surprising questions about how the dark web works, our unusual FAQ answers fifty common questions.

FAQ on .onion links

Why are .onion addresses so long?
Because they directly encode a 256-bit Ed25519 cryptographic public key, converted to base32. The 56 characters are not arbitrary: they correspond exactly to the representation of that key. This length makes brute-force practically impossible (the address space is 2^256, larger than the number of atoms in the observable universe).
Can I choose a .onion address that starts with a word?
Yes, this is called a 'vanity' address. It is generated by computing billions of Ed25519 keys until one is found whose first characters match the desired word. Six characters take a few hours on a good GPU, eight characters take several days; beyond that it becomes industrially expensive. Tools like mkp224o make this generation easier.
Do .onion v2 addresses still work?
No, v2 addresses (16 characters) were definitively deprecated in October 2021 with version 0.4.6 of Tor. They are no longer accessible. All usable .onion addresses today are v3 (56 characters). If you come across an old v2 address in an archive or an old article, it will no longer work.
How do I verify that a .onion address is authentic?
Cross-reference the address through several independent sources: the service's official clearnet site, trusted directories like OnionDir, and official communications from the service on social media. Be wary of addresses found only on forums or shared by unknown parties. Fraudulent imitations (phishing .onion) are common and visual differences are easy to hide among 56 characters.
Can a .onion address be seized by the police?
Not the address itself, which is a cryptographic key. But a hidden service can be seized if authorities identify and locate the server hosting it — either through opsec mistakes by the administrator or through sophisticated de-anonymization attacks. Operations Onymous (2014), Bayonet (2017), and others have demonstrated that hidden services are not invulnerable to targeted investigations.
Can I easily create my own .onion service?
Yes, and that is one of Tor's remarkable features. A few lines of configuration in the torrc file are enough to turn a local web server into a hidden service. Tor automatically generates the Ed25519 key pair and your .onion address. For occasional or ephemeral use, OnionShare even lets you publish a file or a site without any technical configuration.