In this document, we outline the design for a Lightning Service Authentication Token (LSAT) for future services created by Lightning Labs. This specification is open source, with contributions accepted at our LSAT specification repository. LSATs are a new standard protocol for authentication and paid APIs developed by Lightning Labs. LSATs can serve both as authentication, as well as a payment mechanism (one can view it as a ticket) for paid APIs. In order to obtain a token, we require the user to pay us over Lightning in order to obtain a pre-image, which itself is a cryptographic component of the final LSAT token.

The implementation of the authentication token is chosen to be macaroons, as they allow us to package attributes and capabilities along with the token. This system allows us to automate pricing on the fly and allows for a number of novel constructs such as automated tier upgrades. In another light, this can be viewed as a global HTTP 402 reverse proxy at the load balancing level for all our services.

• ​Introduction​

• ​Authentication flow​

• ​Protocol Specification​

• ​Macaroon Minting & Verification​

Implementations

• ​Aperture: A gRPC/HTTP authentication reverse proxy using LSATs​

• ​lsat-js: A utility library for working with LSATs​

• ​boltwall: Nodejs middleware-based authentication using LSATs​

External links / References

• ​LSAT: Your Ticket Aboard the Internet's Money Rails​

  slides to Olaoluwa Osuntokun's (@roasbeef) presentation at The Lightning Conference 2019 in Berlin.

• ​LSAT Playground​

• ​Macaroons: Cookies with Contextual Caveats​

  the 2014 paper published on Google Scholar.

• ​HTTP/1.1 RFC, Section 6.5.2: 402 Payment Required​

• ​Proposal for OAuth style delegated authentication using LSATs​