description |
---|
Lightning Service Authentication Tokens cleverly combine the capabilities of macaroons with those of a Lightning payment, making it easy to charge satoshis for API requests. |
In this document, we outline the design for a Lightning Service Authentication Token (LSAT) for future services created by Lightning Labs. This specification is open source, with contributions accepted at our LSAT specification repository. LSATs are a new standard protocol for authentication and paid APIs developed by Lightning Labs. An LSAT can serve both as an authentication mechanism and as a payment mechanism for paid APIs (one can view it as a ticket). To obtain a token, the user must pay us over Lightning, which yields a pre-image; that pre-image is itself a cryptographic component of the final LSAT.
Macaroons were chosen as the implementation of the authentication token, as they allow us to package attributes and capabilities along with the token. This system allows us to automate pricing on the fly and allows for a number of novel constructs such as automated tier upgrades. In another light, this can be viewed as a global HTTP 402 reverse proxy at the load balancing level for all our services.
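
The binding described above between the macaroon and the Lightning payment, as an added example (not Lightning Labs' code and not the LSAT wire format): a simplified HMAC-chained token whose identifier commits to the invoice's payment hash, so presenting the pre-image proves payment. The names `mint`, `attenuate` and `verify`, the identifier layout and the `key=value` caveat syntax are assumptions for illustration.

```python
import hashlib
import hmac
import os

ROOT_KEY = os.urandom(32)  # constructed server-side secret; never leaves the server


def _chain(key, msg):
    """One step of the macaroon-style HMAC chain."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(payment_hash, caveats):
    """Server: issue a token bound to the invoice's 32-byte payment hash."""
    identifier = payment_hash + os.urandom(32)  # assumed layout: hash + token ID
    sig = _chain(ROOT_KEY, identifier)
    for caveat in caveats:
        sig = _chain(sig, caveat.encode())
    return {"id": identifier, "caveats": list(caveats), "sig": sig}


def attenuate(token, caveat):
    """Holder: add a restriction without knowing ROOT_KEY."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat.encode())}


def verify(token, preimage, context):
    """Server: check integrity, proof of payment, then every caveat."""
    sig = _chain(ROOT_KEY, token["id"])
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # caveats or identifier were altered
    paid = hashlib.sha256(preimage).digest()
    if not hmac.compare_digest(paid, token["id"][:32]):
        return False  # pre-image does not match the committed payment hash
    for caveat in token["caveats"]:
        key, _, value = caveat.partition("=")
        if context.get(key) != value:
            return False  # request falls outside what the token allows
    return True


if __name__ == "__main__":
    preimage = os.urandom(32)  # constructed; in practice revealed when the invoice is paid
    token = mint(hashlib.sha256(preimage).digest(), ["service=api"])
    basic = attenuate(token, "tier=basic")
    print(verify(basic, preimage, {"service": "api", "tier": "basic"}))
    print(verify(basic, preimage, {"service": "api", "tier": "premium"}))
```

Because the signature is checked before the pre-image and caveats, a holder can only narrow a token, never strip a restriction, and an unpaid token is rejected even when its signature is valid.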
{% page-ref page="introduction.md" %}
{% page-ref page="authentication-flow.md" %}
{% page-ref page="protocol-specification.md" %}
{% page-ref page="macaroons.md" %}
- Aperture: A gRPC/HTTP authentication reverse proxy using LSATs
- lsat-js: A utility library for working with LSATs
- boltwall: Node.js middleware-based authentication using LSATs
- LSAT: Your Ticket Aboard the Internet's Money Rails: slides from Olaoluwa Osuntokun's (@roasbeef) presentation at The Lightning Conference 2019 in Berlin.
- Macaroons: Cookies with Contextual Caveats: the 2014 paper published on Google Scholar.
- Proposal for OAuth style delegated authentication using LSATs