The L402 Protocol

L402 is a standard to support the authentication and payment of services over the internet. Built with a focus on agentic commerce, optimized for machine-to-machine interaction. No accounts. No intermediaries.

The origin story

From a forgotten status code to the payment layer for machines.

1997
HTTP 402 defined
RFC 2068 reserves status code 402 "Payment Required" for future use. No digital cash system exists yet. The code sits unused for decades.
RFC 2068
2009
Bitcoin is born
The genesis block is mined. For the first time, a decentralized digital cash system exists natively on the internet. The prerequisite for HTTP 402 becomes real.
Genesis block
2018
Lightning Network launches
Lightning goes live on Bitcoin mainnet. Instant micropayments at scale become possible. The infrastructure for a native payment protocol finally exists.
Mainnet launch
2020
L402 specification published
Lightning Labs publishes the draft spec for L402 and releases Aperture, the first L402-aware reverse proxy. Goes straight to production powering Lightning Loop.
Aperture + Loop
2023
LangChain integration ships
Lightning Labs releases the LangChain integration, giving AI agents the ability to traverse paid APIs over Lightning for the first time. Programmatic clients become first-class L402 consumers.
AI + LangChain
2025
Production at scale
L402 runs in production across Lightning Loop, Pool, and Aperture. The formal protocol specification is published on GitHub. An ecosystem of L402-powered services begins to take shape.
Formal spec
2026
Agents transact autonomously
Lightning Labs launches lnget and Lightning Agent Tools — seven composable skills covering the full agent commerce stack. AI agents discover, pay for, and earn from services with real sats on mainnet.
lnget + Agent Tools
What's next
The Agentic Economy
Billions of autonomous agents discovering, consuming, and selling services over L402. No accounts. No API keys. No gatekeepers. Machine-readable credentials, instant settlement, stateless verification — a global economy where software pays software at the speed of light.
L402 native
Lightning HTTP 402 Protocol

L402

A standard for authentication and payment of API services over Lightning. Built for agentic commerce.
The protocol

One round-trip.

GET /api/v2/forecast → request
402 Payment Required ← response
WWW-Authenticate: L402
macaroon=AGIAJEem...k90Cg==
invoice=lnbc500n1p...qqqvjq
⚡ Lightning payment <1s
preimage=a]1234abcd...preimage
amount=50 sats
200 OK — Access granted ← response
Authorization: L402 macaroon:preimage
Verification: stateless ✓
Client sends a standard HTTP request to a protected resource. Server responds with 402 and a WWW-Authenticate header containing a macaroon and a Lightning invoice. Client pays the invoice over Lightning. Settlement in less than one second. The preimage is cryptographic proof of payment. Client re-sends the request with macaroon + preimage. Stateless API authentication — no database, no session, no intermediary. Just math.
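The client side of this round trip, as an added example that is not code from Lightning Labs: it parses the challenge, refuses to pay an invoice above a local cap, and builds the Authorization value. It assumes the challenge is written as `L402 macaroon="...", invoice="..."`; `pay` is a hypothetical wallet callback, and the amount is read only from the invoice prefix, where a real client would use its node's invoice decoder, which also checks the checksum and signature.

```python
import re

# millisatoshi per unit of the invoice amount, by multiplier (1 BTC = 10**11 msat)
_MSAT_PER_UNIT = {"": 10**11, "m": 10**8, "u": 10**5, "n": 100}

def parse_challenge(header):
    """Split 'L402 macaroon="...", invoice="..."' into its two parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme != "L402":
        raise ValueError("not an L402 challenge")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if not {"macaroon", "invoice"} <= fields.keys():
        raise ValueError("challenge must carry macaroon and invoice")
    return fields

def invoice_msat(invoice):
    """Amount from the human-readable part: lnbc500n -> 500 nano-BTC -> 50 sats."""
    hrp = invoice.lower().rpartition("1")[0]  # bech32: the last '1' ends the prefix
    m = re.fullmatch(r"ln[a-z]+(\d+)([munp]?)", hrp)
    if not m:
        raise ValueError("no amount in invoice; cannot enforce a cap")
    units, mult = int(m.group(1)), m.group(2)
    if mult == "p":  # pico-BTC is 0.1 msat, so the amount must be a multiple of 10
        if units % 10:
            raise ValueError("sub-millisatoshi amount")
        return units // 10
    return units * _MSAT_PER_UNIT[mult]

def authorize(challenge, max_msat, pay):
    """Pay only if the invoice is within the cap; return the Authorization value."""
    fields = parse_challenge(challenge)
    amount = invoice_msat(fields["invoice"])
    if amount > max_msat:  # checked before any payment is attempted
        raise PermissionError(f"invoice {amount} msat exceeds cap {max_msat} msat")
    preimage_hex = pay(fields["invoice"])  # hypothetical wallet callback
    if not re.fullmatch(r"[0-9a-f]{64}", preimage_hex):
        raise ValueError("preimage must be 32 bytes of lowercase hex")
    return f"L402 {fields['macaroon']}:{preimage_hex}"

# Constructed challenge: placeholder macaroon and invoice, not valid credentials.
SAMPLE = 'L402 macaroon="bWFjYXJvb24tcGxhY2Vob2xkZXI=", invoice="lnbc500n1pconstructedsample"'
```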
Default credential format

Not a cookie. A macaroon.

A cryptographic API key for distributed systems. Validated by the issuer without a central database. Permissions embedded. Holders can add their own restrictions.

L402 macaroon Lightning Loop — production
services lightning_loop:0
lightning_loop_capabilities loop_out,loop_in
loop_out_monthly_volume_sats 200000000
payment_hash 163102a9c88f...7bea
user_id fed74b3ef248...1013
HMAC(HMAC(secret, identifier), caveats...) → verify with root key only
Verify
Validated cryptographically by the issuer. No access to a central database required — only the root key.
Permissions
Macaroons can include their own permissions. The API endpoint reads them, verifies the signature, and executes accordingly.
Attenuate
Macaroons can be attenuated by the bearer with further restrictions. This allows delegating permissions safely.
Pay-to-complete
L402 macaroons include a third-party caveat — a Lightning invoice. The macaroon is only complete upon payment.
Read the macaroon spec →
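The HMAC chain and the four properties above (verify, permissions, attenuate, pay-to-complete), as an added example that is not Aperture's code: it follows the simplified formula shown on this page, so it is not wire-compatible with real macaroons. The `key=value` caveat encoding, the identifier layout (payment hash followed by user id) and the request dictionary are assumptions of the example.

```python
import hashlib, hmac, os

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key, identifier, caveats):
    """Issuer: sig = HMAC(...HMAC(HMAC(root_key, identifier), c1)..., cn)."""
    sig = _mac(root_key, identifier)
    for c in caveats:
        sig = _mac(sig, c.encode())
    return {"id": identifier, "caveats": list(caveats), "sig": sig}

def attenuate(mac, caveat):
    """Bearer: append a restriction using only the current signature, no root key."""
    return {"id": mac["id"], "caveats": mac["caveats"] + [caveat],
            "sig": _mac(mac["sig"], caveat.encode())}

def _caveat_ok(caveat, request):
    key, _, allowed = caveat.partition("=")
    # A caveat the request cannot answer fails closed.
    return key in request and request[key] in allowed.split(",")

def verify(root_key, mac, preimage, request):
    """Issuer: recompute the chain from the root key, check payment, check caveats."""
    expected = mint(root_key, mac["id"], mac["caveats"])["sig"]
    if not hmac.compare_digest(expected, mac["sig"]):
        return False  # a caveat was added, removed or edited without the chain
    # Assumed layout: the first 32 bytes of the identifier are the payment hash.
    if not hmac.compare_digest(hashlib.sha256(preimage).digest(), mac["id"][:32]):
        return False  # no proof that the invoice was paid
    return all(_caveat_ok(c, request) for c in mac["caveats"])

def demo():
    root_key = os.urandom(32)   # never leaves the issuer
    preimage = os.urandom(32)   # revealed to the payer when the invoice settles
    identifier = hashlib.sha256(preimage).digest() + os.urandom(32)
    base = mint(root_key, identifier, ["services=lightning_loop:0",
                                       "lightning_loop_capabilities=loop_out,loop_in"])
    narrow = attenuate(base, "lightning_loop_capabilities=loop_out")
    stripped = dict(narrow, caveats=narrow["caveats"][:-1])  # bearer drops the restriction
    req = {"services": "lightning_loop:0", "lightning_loop_capabilities": "loop_in"}
    return {"base_allows_loop_in": verify(root_key, base, preimage, req),
            "narrow_allows_loop_in": verify(root_key, narrow, preimage, req),
            "stripped_accepted": verify(root_key, stripped, preimage, req),
            "wrong_preimage_accepted": verify(root_key, base, os.urandom(32), req)}
```

Every caveat must hold, so an appended caveat can only narrow access, and removing one invalidates the signature.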
Agent-native

Built for machines.

Credentials Machine-readable bearer tokens. Structured HTTP headers, not browser cookies.
Discovery Hit a 402, get an invoice. Programmable payments — no docs to read, no keys to request.
Delegation Credential delegation via caveat attenuation. Pass scoped access between agents. No central authority.
Spending Cap costs per-request or per-agent. Bake spending limits into the credential itself. Payment without intermediary.
Security Remote signer isolates private keys. Censorship-resistant settlement. The agent never touches sensitive material.
No accounts. No OAuth. No human in the loop. The AI agent payments protocol — software paying for software, settled in under a second.
01 Request: Client calls endpoint
02 Challenge: 402 + macaroon + invoice
03 Pay: Lightning settles, preimage returned
04 Access: Stateless verification, resource served

Settlement: < 1s
Minimum payment: 1 sat (≈ $0.001 · payments at any scale)
Accounts required: 0
Verification: Stateless
The stack
Everything you need to deploy L402.
Aperture
L402 reverse proxy
A reverse proxy that acts as a decentralized API payment and authentication gateway. Implements both the L402 and MPP specifications. Handles gRPC over HTTP/2 and REST over HTTP/1. Verifies credentials and forwards valid requests, or issues macaroons with Lightning invoices. Supports dynamic pricing per request. Used in production by Lightning Loop and Pool.
git clone https://github.com/lightninglabs/aperture.git && make install
lnget
L402-aware HTTP client
A command-line HTTP client like wget or curl, designed for programmatic access to paid APIs. When it hits a 402 response, it automatically pays the Lightning invoice, caches the token, and retries with the proper Authorization header. Supports LND, LNC, and regtest backends.
lnget https://api.example.com/data
Lightning Agent Tools
AI agent toolkit
Seven composable skills for the full agent commerce stack: running a Lightning node, isolating keys with a remote signer, baking scoped macaroons, paying L402 APIs, hosting paid endpoints, and querying node state via MCP. Built for agents that transact autonomously.
Install Lightning Agent Tools and set up a Lightning node with remote signer
Client SDK

One protocol. Every language.

L402sdk is the client SDK for AI agent frameworks. Written in Rust, compiled to native and WASM. Drop it into your stack and start paying for APIs with Lightning.

Rust

# Add to Cargo.toml
[dependencies]
l402-core = "latest"

// Rust — pay for an L402-gated API
let client = L402Client::new(lnd_config);
let response = client.get("https://api.example.com/data").await?;

npm / WASM

# Install via npm
npm install @lightninglabs/l402

// JavaScript / TypeScript — WASM-powered
import { L402Client } from '@lightninglabs/l402';
const client = new L402Client(config);
const res = await client.get('https://api.example.com/data');

Go

# Install the Go binding
go get github.com/lightninglabs/L402sdk/bindings/l402-go

// Go — native binding via FFI
client := l402.NewClient(lndConfig)
resp, err := client.Get("https://api.example.com/data")

Python

# Install via pip
pip install l402

# Python — pay for APIs in 3 lines
from l402 import L402Client
client = L402Client(lnd_config)
response = client.get("https://api.example.com/data")

Core
Written in Rust. Single codebase compiled to native binary, WASM, and cross-language bindings via FFI. No runtime overhead.
Automatic
Detects 402 responses, pays Lightning invoices, caches credentials, retries. The L402 handshake is invisible to your application code.
Framework-ready
Drop into LangChain, CrewAI, OpenClaw, or any AI agent framework. Your agents pay for APIs without custom payment logic.
Agent-ready infrastructure

Ready for agents.

L402 gives autonomous software a native way to discover, pay for, and authenticate with any service. Private machine payments, settled in under a second. No accounts, no intermediaries, no human in the loop.

agent — lnget
# Agent discovers a paid API
$ lnget https://api.weather.com/v2/forecast
# Server returns 402 Payment Required
⚡ Invoice: 50 sats — paying automatically...
Payment settled in <1 second
L402 token cached for api.weather.com
# Subsequent requests reuse the token — no re-payment
$ lnget https://api.weather.com/v2/history
200 OK — authenticated via cached L402
01
Pay-per-request APIs
Turn any API into a metered, pay-per-call service with Aperture. Agents pay per request with Lightning micropayments — no subscription, no billing integration, no signup. Dynamic pricing based on query complexity. Decentralized API payments at scale.
02
Machine-to-machine commerce
One agent hosts a paid service, another consumes it. lnget on the client side, Aperture on the server side. Software paying for software — the full commerce loop runs without humans, without intermediaries, settled on Lightning.
03
Privacy-preserving credentials
Bake pay-only macaroons with spending limits. Delegate sub-credentials via caveat attenuation. Censorship-resistant settlement. Key isolation via remote signer. No identity required — private machine payments by default.

The agentic payments protocol. Works with OpenClaw, Claude Code, Codex, or any framework that can run a shell command.

Get the Agent Tools