lokapay is the Loka Payment CLI and Go SDK. It pays
L402-protected (HTTP 402) APIs over Lightning — settlement chain is
whatever your lnd backend speaks (today: BTC and SUI; EVM-class chains
on the roadmap), and the same one-liner CLI works against two custody
models.
lncli is vendored from upstream lnd. Mixing custodial REST commands
into cmd/commands/* makes every upstream merge harder.
lncli is a node-operator's gRPC tool. lokapay is an end-user / AI-agent
payments CLI with HTTP, L402, fiat-onramp, and managed-node lifecycle.
lokapay needs only net/http, urfave/cli,
and survey/v2. No lnd build tree, no SUI compiler.
{`pkg/sdk/ Go client SDK (import as github.com/loka-network/paycli/pkg/sdk)
cmd/lokapay/ CLI binary
docs/ CLI + SDK + onramp + integration-test playbooks
scripts/ install.sh + local integration-test runner
.goreleaser.yml release config — tag-driven multi-platform build`}
);
}
/* ---------- Install ----------- */
function PC_Install() {
return (
<>
{`# curl (recommended — macOS / Linux)
curl -fsSL https://github.com/loka-network/paycli/releases/latest/download/install.sh | sh
# Homebrew — coming soon
# brew install loka-network/tap/lokapay
# Go (installs from main; requires Go 1.25+)
go install github.com/loka-network/paycli/cmd/lokapay@latest`}
lokapay init
init is a fully interactive wizard. It detects existing
config, asks for custody mode (hosted or node),
and walks through the per-route setup.
{`lokapay init`}
It asks:
hosted or nodehttps://agents-pay.loka.cash), register vs log in, credentialsguided (lokapay downloads + runs lnd) or manual (point at an existing one), Sui chain, faucet, seed peersregister / login /
node start.
{`lokapay init # pick route=hosted
lokapay services # browse Prism catalog
lokapay fund --amount 5 --unit USD --via stripe --open # top up (operator-controlled)
lokapay request -i --debug https://service1.prism.loka.cash/data.json`}
init downloads + starts a local Sui-backed lnd, hits the
faucet on devnet/testnet, connects to Loka seed peers, and opens a
5 SUI outbound channel so routing works immediately.
{`lokapay init # pick route=node + guided
lokapay node status # confirm pubkey + channel is active
lokapay services
lokapay request -i --debug https://service1.prism.loka.cash/data.json
# need more SUI later (devnet/testnet only):
lokapay node faucet`}
);
}
/* ---------- Routes ----------- */
function PC_Routes() {
return (
<>
| Route | Wallet location | Funding | Best for |
|---|---|---|---|
| node | User's own machine | BOLT11 only (real on-chain SUI) | "Self-custody, programmatic agent-to-agent, real Lightning" |
| hosted | Loka custodial server agents-pay-service |
BOLT11 invoice (also fiat onramp via operator) | "Just pay APIs — don't make me run anything" |
{`lokapay route # prints the active route
lokapay route hosted # switch to custodial
lokapay route node # switch to self-custody
lokapay route toggle # flip`}
Switching does not wipe the other side's credentials — both
buckets (hosted.* and node.*) coexist in
config. Once init ran once per route, you can flip freely.
Every command dispatches through a Wallet interface in
pkg/sdk. Both backends — agents-pay-service REST and a
local lnd gRPC — satisfy that interface. The L402Doer takes
a Wallet and runs the same 402 → invoice → preimage replay
regardless of which is plugged in.
wallets · whoamiHosted route is multi-wallet (one per agent). Node route is single-wallet.
{`lokapay whoami # hosted: balance, wallet meta; node: pubkey, channels
# hosted only
lokapay wallets add # creates a sub-wallet
lokapay wallets list
lokapay wallets use # switch active
lokapay wallets show # print admin + invoice keys
lokapay wallets remove `}
fund · pay| User says | --unit | Notes |
|---|---|---|
| "100k sats" | sat (default) | Lightning native |
| "0.001 SUI" / "100000 mist" | mist | SUI base unit |
| "$5" / "5 USD" | USD (or EUR, …) | requires --via stripe | paypal (operator-controlled) |
{`# BOLT11 top-up (returns invoice to pay from another wallet)
lokapay fund --amount 100000 --memo "agent budget"
# Pay any BOLT11 invoice from the active route
lokapay pay `}
requestThe 402 dance — GET → 402 → pay → retry with LSAT header → 200 — is automatic.
{`# production: real domain, real TLS
lokapay request -i https://api.some-merchant.com/v1/data
# with body
lokapay request -X POST -d '{"k":"v"}' \\
-H "Content-Type: application/json" \\
-i https://api.some-merchant.com/v1/echo
# local dev: faked Host header + self-signed cert
lokapay request -H "Host: service1.com" --insecure-target -i --debug \\
https://127.0.0.1:8080/data.json`}
| Flag | Purpose |
|---|---|
-i | also print response status + headers |
--debug | render the L402 exchange as a sequence diagram on stderr |
-H "Host: X" | override Host (local dev with no DNS) |
--insecure-target | skip TLS verify — only for 127.0.0.1 / self-signed |
--max-retries N | retry the whole 402 cycle on transient failures (default 1) |
services · history · events{`lokapay services # full Prism catalog (host_regexp, price, etc.)
lokapay services -s research # filter by substring
lokapay history --limit 20 # wallet-backend ledger (lnbits or lnd)
lokapay events -n 20 # local L402 settlement log (~/.lokapay/events.jsonl)
lokapay events -t L402_PAID --json
lokapay payment-status
lokapay rate # spot rate (default USD)
lokapay rate EUR`}
node — self-custody lnd lifecycleOnly meaningful when route=node. Wraps the bundled loka-lnd binary so users never see raw lncli.
| Intent | Command |
|---|---|
| Install lnd binary | lokapay node install |
| Start lnd | lokapay node start [--network …] |
| Stop lnd | lokapay node stop |
| Restart | lokapay node restart |
| Health check | lokapay node status |
| Tail logs | lokapay node logs -f |
| Top up dev wallet | lokapay node faucet (devnet/testnet only) |
| Connect Loka seeds | lokapay node start --connect-seeds |
config{`lokapay config show # full config, secrets masked
lokapay config show --reveal # include secrets
lokapay config keys # list every editable key
lokapay config get prism_url
lokapay config set prism_url https://prism.example.com`}
Common keys: route, prism_url, insecure_tls, hosted.base_url, hosted.active_wallet, node.endpoint, node.macaroon_path.
skill/SKILL.md in the repo — every line maps a
natural-language user intent to the exact lokapay command(s). This page is the
human view of that mapping.
Every command dispatches through one of two routes, chosen during
lokapay init and stored as route: hosted | node in
~/.lokapay/config.json. An agent must know which route is active
before running any command — many behave differently.
| User says | Command |
|---|---|
| "who am I?" / "what account?" | lokapay whoami |
| "what's my balance?" | hosted: whoami · node: node status |
| "add a new agent wallet" | lokapay wallets add <alias> (hosted only) |
| "top up my wallet" | lokapay fund --amount … |
| "pay this invoice" | lokapay pay <bolt11> |
| "buy something on a paid API" | lokapay request URL |
| "show me what I've spent" | lokapay history / events |
| "show me the FX rate" | lokapay rate [CCY] |
| "switch routes" | lokapay route hosted | node | toggle |
| Symptom (error substring) | Meaning · next step |
|---|---|
payment failed: insufficient_balance | Hosted: wallet too low. Node: no channels or no outbound capacity. |
FAILURE_REASON_INCORRECT_PAYMENT_DETAILS | Invoice expired in transit. Retry once with --max-retries 2. |
FAILURE_REASON_NO_ROUTE | No path through the LN graph. Topology issue — not client-side. |
x509: certificate is valid for X, not Y | TLS hostname mismatch. Add --insecure-target for local dev. |
apikey is invalid / 401 | Stale or wrong admin key. Re-run lokapay login or init. |
lnd RPC didn't come up within 60s | lnd boot stuck. Check lokapay node logs. |
self-payments not allowed | Operator needs --allow-circular-route, or test against a different service. |
502 Bad Gateway after step 3 | LSAT auth OK — Prism's upstream backend is down. Operator problem. |
status pending for a long time | Force re-query with lokapay payment-status <hash>. |
lokapay <cmd> --help. If intent is ambiguous, ask — don't guess.init on a working setup. Mostly idempotent now, but it prompts many times.--debug, errors, and progress notices go to stderr; response bodies go to stdout.lokapay pay".lokapay returns 0 on success, 1 on any error with a stderr message. Show the message — don't paraphrase.lokapay mcp and an MCP-aware AI client (Claude Desktop,
Cursor, Continue, …) can drive lokapay through structured JSON tool
calls instead of shell-execing the CLI. Shipped in
cmd/lokapay/cmd_mcp.go.
Most agent integrations end up parsing CLI stdout — brittle, can't
distinguish a real error from a transient log, breaks when flags
evolve. The Model Context Protocol gives the same operations a
typed RPC surface: schemas are auto-derived from Go struct tags,
errors come back as IsError on the tool result, and the
client never has to reach for grep.
Two paths now coexist:
Claude Code, cursor-cli, anything that can
run lokapay …. Use the SKILL document for intent → command
mapping.
Claude Desktop, Cursor, Continue, Zed, etc. Use the MCP server — they can't shell-exec, but they can call typed tools.
Before first use, run lokapay init once in a terminal —
the MCP server reuses the same ~/.lokapay/config.json. The
wizard is TTY-interactive so it can't be run from inside an MCP session.
Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{`{
"mcpServers": {
"lokapay": {
"command": "lokapay",
"args": ["mcp"]
}
}
}`}
Cursor — same shape in ~/.cursor/mcp.json.
Continue — same shape in ~/.continue/mcp.json.
Restart the client; the lokapay tools appear in the tool picker.
Input schemas auto-derived from Go struct tags; descriptions surface the side-effect class directly to the LLM.
| Tool | Side effect | Args | Notes |
|---|---|---|---|
whoami |
read-only | — | route + identity + balance. Secrets stripped — no admin_key / bearer / invoice_key. |
services |
read-only | search? |
Lists Prism's L402 service catalog. Optional case-insensitive substring filter. |
pay |
⚠️ spends real funds | bolt11 |
Returns payment_hash + preimage + amount + status. |
request |
⚠️ may spend real funds | url, method?, headers?, host?, body?, insecure_target?, max_retries? |
HTTP with auto-L402 handling. Body truncated to 64 KiB. |
history |
read-only | limit? (default 10, max 100), offset? |
Recent payments on active wallet. Hosted + node both supported. |
Intentionally not exposed (TTY-interactive or operator-only):{' '}
init, node start/stop/restart/install/faucet,{' '}
topup, admin-set, auth-login,{' '}
register, login, route.
lokapay mcp only speaks MCP over stdio. There is no
listening socket, no SSE endpoint, no HTTP transport. SSE / HTTP
modes will not be added without first solving the
remote-auth + remote-asset-control threat model from first
principles. This is a wallet — exposing it on the network means
anyone who reaches the port can pay invoices.
lokapay mcp can talk to it (stdin/stdout). No remote attack vector.~/.lokapay/config.json. The server reads them to call Lightning APIs but strips them from every tool response.stderr — writing anything else to stdout would corrupt the transport.
Every tool invocation appends one-line JSON to ~/.lokapay/mcp-audit.log
{' '}(mode 0600) so you can see exactly what the agent did:
{`{"ts":"2026-05-20T10:24:18Z","tool":"whoami","args":null}
{"ts":"2026-05-20T10:24:19Z","tool":"services","args":{"search":"research"}}
{"ts":"2026-05-20T10:24:32Z","tool":"pay","args":{"bolt11":"lnbcrt1m1p4q…"}}
{"ts":"2026-05-20T10:25:05Z","tool":"request","args":{"url":"https://service1.prism.loka.cash/data.json","method":"","host":""}}`}
Secret-bearing args (full bolt11) are truncated; the audit row
records intent + outcome, not the recoverable payment data.