Skip to content

docs: token generalization and version field for L402 spec#21

Open
Roasbeef wants to merge 1 commit into
masterfrom
docs/blip-0026-spec-update
Open

docs: token generalization and version field for L402 spec#21
Roasbeef wants to merge 1 commit into
masterfrom
docs/blip-0026-spec-update

Conversation

@Roasbeef

Copy link
Copy Markdown
Member

In this PR, we generalize the L402 protocol from macaroon-specific to
token-format agnostic based on protocol feedback. The
WWW-Authenticate challenge header now uses token= instead of the
former macaroon=, and includes a new version="0" parameter to
enable future protocol evolution without breaking existing clients.

Any authentication token that can commit to a payment hash may now be
used as the credential format. Macaroons remain the RECOMMENDED default
due to their support for delegation, attenuation via caveats, and
stateless HMAC-chain verification.

The protocol spec gets several additions on top of the recent RFC-style
restructure:

  • Token Format (Section 5.3): Lays out the three requirements a
    token format must satisfy: commit to payment hash, stateless
    verification, and scope restriction.
  • Backwards Compatibility (Section 10): Explicit rules for
    accepting both L402/LSAT scheme names, token=/macaroon=
    parameter names, and missing version parameters from older clients.
  • Simplified gRPC flow: Uses standard trailing headers
    (Grpc-Message + Grpc-Status: 13) with the token sent as
    Custom-Metadata, replacing the old grpc-status-details-bin proto
    approach.

All supporting docs, diagrams, and the README are updated to match the
new header format.

In this commit, we generalize the L402 protocol from macaroon-specific
to token-format agnostic. The WWW-Authenticate challenge header now
uses token= instead of the former macaroon= and includes a new
version="0" parameter to enable future protocol evolution. Any
authentication token that can commit to a payment hash may now be used,
with macaroons remaining the RECOMMENDED format due to their support
for delegation, attenuation, and stateless verification.

We also add a new "Token Format" section (Section 5.3) to the protocol
spec laying out the three requirements a token format must satisfy, and
expand the backwards compatibility section with explicit rules for
accepting both L402/LSAT scheme names and token=/macaroon= parameter
names. The gRPC flow is simplified to use standard trailing headers
(Grpc-Message + Grpc-Status: 13) with the token sent as Custom-Metadata.

All supporting docs are updated to match: the auth-flow mermaid diagram
now shows the version="0" and token= header format, the introduction
adds a token-agnostic paragraph, and the macaroons chapter notes that
its conventions are RECOMMENDED but not mandatory. The README gets a
"What's New" section, a "Token Format" section, and Fewsats added to
the implementations list.

This aligns the spec with bLIP-0026.
@Roasbeef Roasbeef force-pushed the docs/blip-0026-spec-update branch from f48f7d1 to a7b2442 Compare March 20, 2026 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant