diff --git a/include/secp256k1_extrakeys.h b/include/secp256k1_extrakeys.h
index 0a37fb6b..4a3ca0b1 100644
--- a/include/secp256k1_extrakeys.h
+++ b/include/secp256k1_extrakeys.h
@@ -166,6 +166,20 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_
     const unsigned char *tweak32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
+/** Sorts xonly public keys according to secp256k1_xonly_pubkey_cmp
+ *
+ *  Returns: 0 if the arguments are invalid. 1 otherwise.
+ *
+ *  Args:     ctx: pointer to a context object
+ *  In:   pubkeys: array of pointers to pubkeys to sort
+ *      n_pubkeys: number of elements in the pubkeys array
+ */
+SECP256K1_API int secp256k1_xonly_sort(
+    const secp256k1_context* ctx,
+    const secp256k1_xonly_pubkey **pubkeys,
+    size_t n_pubkeys
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
 /** Compute the keypair for a secret key.
  *
  *  Returns: 1: secret was valid, keypair is ready to use
diff --git a/include/secp256k1_musig.h b/include/secp256k1_musig.h
index 46fe6c28..b86eeca9 100644
--- a/include/secp256k1_musig.h
+++ b/include/secp256k1_musig.h
@@ -137,8 +137,14 @@ typedef struct {
 } secp256k1_musig_partial_signature;
 
 /** Computes a combined public key and the hash of the given public keys.
+ *
  *  Different orders of `pubkeys` result in different `combined_pk`s.
  *
+ *  The pubkeys can be sorted before combining with `secp256k1_xonly_sort` which
+ *  ensures the same resulting `combined_pk` for the same multiset of pubkeys.
+ *  This is useful to do before pubkey_combine, such that the order of pubkeys
+ *  does not affect the combined public key.
+ *
  *  Returns: 1 if the public keys were successfully combined, 0 otherwise
  *  Args:        ctx: pointer to a context object initialized for verification
  *                    (cannot be NULL)
diff --git a/src/modules/extrakeys/main_impl.h b/src/modules/extrakeys/main_impl.h
index 8c7c819d..beefecfd 100644
--- a/src/modules/extrakeys/main_impl.h
+++ b/src/modules/extrakeys/main_impl.h
@@ -155,6 +155,28 @@ int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context* ctx, const u
             && secp256k1_fe_is_odd(&pk.y) == tweaked_pk_parity;
 }
 
+/* This struct wraps a const context pointer to satisfy the secp256k1_hsort api
+ * which expects a non-const cmp_data pointer. */
+typedef struct {
+    const secp256k1_context *ctx;
+} secp256k1_xonly_sort_cmp_data;
+
+static int secp256k1_xonly_sort_cmp(const void* pk1, const void* pk2, void *cmp_data) {
+    return secp256k1_xonly_pubkey_cmp(((secp256k1_xonly_sort_cmp_data*)cmp_data)->ctx,
+                                      *(secp256k1_xonly_pubkey **)pk1,
+                                      *(secp256k1_xonly_pubkey **)pk2);
+}
+
+int secp256k1_xonly_sort(const secp256k1_context* ctx, const secp256k1_xonly_pubkey **pubkeys, size_t n_pubkeys) {
+    secp256k1_xonly_sort_cmp_data cmp_data;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pubkeys != NULL);
+
+    cmp_data.ctx = ctx;
+    secp256k1_hsort(pubkeys, n_pubkeys, sizeof(*pubkeys), secp256k1_xonly_sort_cmp, &cmp_data);
+    return 1;
+}
+
 static void secp256k1_keypair_save(secp256k1_keypair *keypair, const secp256k1_scalar *sk, secp256k1_ge *pk) {
     secp256k1_scalar_get_b32(&keypair->data[0], sk);
     secp256k1_pubkey_save((secp256k1_pubkey *)&keypair->data[32], pk);
diff --git a/src/modules/extrakeys/tests_impl.h b/src/modules/extrakeys/tests_impl.h
index 07e4bbde..781e5f7f 100644
--- a/src/modules/extrakeys/tests_impl.h
+++ b/src/modules/extrakeys/tests_impl.h
@@ -611,6 +611,112 @@ void test_hsort(void) {
 }
 #undef NUM
 
+void test_xonly_sort_helper(secp256k1_xonly_pubkey *pk, size_t *pk_order, size_t n_pk) {
+    size_t i;
+    const secp256k1_xonly_pubkey *pk_test[5];
+
+    for (i = 0; i < n_pk; i++) {
+        pk_test[i] = &pk[pk_order[i]];
+    }
+    secp256k1_xonly_sort(ctx, pk_test, n_pk);
+    for (i = 0; i < n_pk; i++) {
+        CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
+    }
+}
+
+void permute(size_t *arr, size_t n) {
+    size_t i;
+    for (i = n - 1; i >= 1; i--) {
+        size_t tmp, j;
+        j = secp256k1_testrand_int(i + 1);
+        tmp = arr[i];
+        arr[i] = arr[j];
+        arr[j] = tmp;
+    }
+}
+
+void rand_xonly_pk(secp256k1_xonly_pubkey *pk) {
+    unsigned char seckey[32];
+    secp256k1_keypair keypair;
+    secp256k1_testrand256(seckey);
+    CHECK(secp256k1_keypair_create(ctx, &keypair, seckey) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(ctx, pk, NULL, &keypair) == 1);
+}
+
+void test_xonly_sort_api(void) {
+    int ecount = 0;
+    secp256k1_xonly_pubkey pks[2];
+    const secp256k1_xonly_pubkey *pks_ptr[2];
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+
+    pks_ptr[0] = &pks[0];
+    pks_ptr[1] = &pks[1];
+
+    rand_xonly_pk(&pks[0]);
+    rand_xonly_pk(&pks[1]);
+
+    CHECK(secp256k1_xonly_sort(none, pks_ptr, 2) == 1);
+    CHECK(secp256k1_xonly_sort(none, NULL, 2) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_sort(none, pks_ptr, 0) == 1);
+    /* Test illegal public keys */
+    memset(&pks[0], 0, sizeof(pks[0]));
+    CHECK(secp256k1_xonly_sort(none, pks_ptr, 2) == 1);
+    CHECK(ecount == 2);
+    memset(&pks[1], 0, sizeof(pks[1]));
+    CHECK(secp256k1_xonly_sort(none, pks_ptr, 2) == 1);
+    CHECK(ecount > 2);
+
+    secp256k1_context_destroy(none);
+}
+
+void test_xonly_sort(void) {
+    secp256k1_xonly_pubkey pk[5];
+    unsigned char pk_ser[5][32];
+    int i;
+    size_t pk_order[5] = { 0, 1, 2, 3, 4 };
+
+    for (i = 0; i < 5; i++) {
+        memset(pk_ser[i], 0, sizeof(pk_ser[i]));
+    }
+    pk_ser[0][0] = 5;
+    pk_ser[1][0] = 8;
+    pk_ser[2][0] = 0x0a;
+    pk_ser[3][0] = 0x0b;
+    pk_ser[4][0] = 0x0c;
+    for (i = 0; i < 5; i++) {
+        CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk[i], pk_ser[i]));
+    }
+
+    permute(pk_order, 1);
+    test_xonly_sort_helper(pk, pk_order, 1);
+    permute(pk_order, 2);
+    test_xonly_sort_helper(pk, pk_order, 2);
+    permute(pk_order, 3);
+    test_xonly_sort_helper(pk, pk_order, 3);
+    for (i = 0; i < count; i++) {
+        permute(pk_order, 4);
+        test_xonly_sort_helper(pk, pk_order, 4);
+    }
+    for (i = 0; i < count; i++) {
+        permute(pk_order, 5);
+        test_xonly_sort_helper(pk, pk_order, 5);
+    }
+    /* Check that sorting also works for random pubkeys */
+    for (i = 0; i < count; i++) {
+        int j;
+        const secp256k1_xonly_pubkey *pk_ptr[5];
+        for (j = 0; j < 5; j++) {
+            rand_xonly_pk(&pk[j]);
+            pk_ptr[j] = &pk[j];
+        }
+        secp256k1_xonly_sort(ctx, pk_ptr, 5);
+        for (j = 1; j < 5; j++) {
+            CHECK(secp256k1_xonly_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], ctx) <= 0);
+        }
+    }
+}
+
 void run_extrakeys_tests(void) {
     /* xonly key test cases */
     test_xonly_pubkey();
@@ -624,6 +730,8 @@ void run_extrakeys_tests(void) {
     test_keypair_add();
 
     test_hsort();
+    test_xonly_sort_api();
+    test_xonly_sort();
 }
 
 #endif