Prism is a downstream fork of{' '} lightninglabs/aperture{' '} — the HTTP 402 paywall proxy that mints and verifies L402 tokens. Prism extends it for the Loka stack with an MPP session engine, a typed admin API, a CLI / dashboard / MCP surface, and rate limiting.
Drop it in front of any HTTP or gRPC service. Configure a service
definition, pick a price, point it at your loka-p2p-lnd node,
and every unauthenticated request gets 402 Payment Required
back with a Lightning invoice.
You have a choice. Both end at the same set of L402 protocols and the same merchant economics — they differ only in who runs the proxy.
Fill a short form, hand over an invoice-only macaroon from your own LND, get paywall-as-a-service. You never hand over funds — payments settle straight to your LND.
Run the binary yourself. Full control over policy, storage, and the admin surface. Operate your own DB, TLS, and uptime.
{`# prerequisites: Go 1.25+, a reachable loka-p2p-lnd, port 8081 open
make build # produces ./prism (proxy daemon) and ./prismcli (admin CLI)
make install # installs to $GOPATH/bin
make build-withdashboard # also embeds the Next.js dashboard
# launch
prism --configfile=/path/to/aperture.yaml
# or
prism # reads ~/.aperture/aperture.yaml`}
h2. On AWS NLB use
HTTP2Preferred or HTTP2Only — gRPC clients otherwise fail
with missing selected ALPN property.
Prism speaks three payment protocols. A single service can enable any combination.
| Protocol | Challenge header | Token reuse | Typical use |
|---|---|---|---|
| L402 | WWW-Authenticate: LSAT macaroon=…, invoice=… |
until caveat expires | one-time paid subscription (e.g. 1 year) |
| MPP charge | WWW-Authenticate: Payment id=…, intent=charge |
each charge = one payment | L402-equivalent, RFC-draft protocol |
| MPP session | WWW-Authenticate: Payment id=…, intent=session |
bearer balance across N calls | high-frequency agent traffic |
Same one-time-payment semantics as L402, expressed in the newer{' '} MPP draft protocol. The macaroon can be reused; each spend creates a fresh charge.
sessionidletimeout.
aperture.yamlCompare your config against the in-repo sample-conf.yaml — every option is documented inline.
{`authenticator:
network: "devnet"
lndhost: "localhost:10009"
tlspath: "/path/to/lnd/tls.cert"
macdir: "/path/to/lnd/data/chain/sui/devnet"
enablempp: true
enablesessions: true
services:
- name: "service1"
hostregexp: '^service1.com$'
address: "127.0.0.1:9998" # HTTP backend URL (not a wallet address)
protocol: http
price: 10000000 # in lnd base units
- name: "service2"
hostregexp: '^service2.com$'
address: "10.0.0.5:8443"
protocol: https
admin:
enabled: true
macaroonpath: "~/.aperture/admin.macaroon"`}
configfile, basedir, sqlite.dbfile,
admin.macaroonpath, authenticator.tlspath, and
authenticator.macdir all accept ~, $VAR,
absolute, and CWD-relative forms.
| Field | Type | Meaning |
|---|---|---|
authenticator.network | string | mainnet · testnet · devnet |
authenticator.lndhost | string | gRPC endpoint of the LND node Prism mints invoices through |
services[].name | string | logical service ID (used in admin API / accounting) |
services[].hostregexp | regex | matched against the request Host header |
services[].pathregexp | regex | optional path match for fine-grained routing |
services[].address | string | HTTP backend target — not a wallet address |
services[].protocol | enum | http / https / grpc |
services[].price | int | per-request price in LND base units |
services[].dynamicprice | object | optional gRPC pricer endpoint for runtime pricing |
services[].whitelistpaths | []regex | paths served without authentication |
services[].ratelimits | []rule | token-bucket rules — see Rate Limiting tab |
Single-file, zero-dependency. Good for dev + single-node deployments.
Production multi-node. Required if running multiple Prism replicas behind a load balancer.
Distributed KV. Does not support the admin transaction store — pick SQLite/Postgres for full features.
Enable in config with admin.enabled: true. On first start
Prism generates a 32-byte root key and a macaroon at
admin.macaroonpath — all endpoints except GetHealth require it,
hex-encoded in the Grpc-Metadata-Macaroon header.
| RPC | REST | Description |
|---|---|---|
GetHealth | GET /api/admin/health | Health check (no auth) |
GetInfo | GET /api/admin/info | Server info · network · TLS · MPP config |
ListServices | GET /api/admin/services | List proxied services |
CreateService | POST /api/admin/services | Register a new service (live) |
UpdateService | PUT /api/admin/services/{`{name}`} | Partial update |
DeleteService | DELETE /api/admin/services/{`{name}`} | Remove |
ListTransactions | GET /api/admin/transactions | Query L402 transactions |
ListTokens | GET /api/admin/tokens | List issued tokens |
RevokeToken | DELETE /api/admin/tokens/{`{id}`} | Revoke |
GetStats | GET /api/admin/stats | Revenue + per-service breakdown |
Services created through the admin API are persisted and survive restarts. Routing-table updates take effect immediately — pricing changes or backend swaps require no downtime.
prismcliDesigned to be ergonomic for humans (tables when stdout is a TTY) and AI agents (JSON when piped, semantic exit codes).
{`prismcli --insecure health
prismcli --insecure services list
prismcli --insecure services create --name myapi --address 127.0.0.1:8080 --price 100
prismcli --insecure services update --name myapi --price 500
prismcli --insecure stats
prismcli schema --all # dump full command tree as JSON
prismcli --dry-run services delete --name myapi`}
prismcli embeds an MCP (Model Context Protocol) server that exposes every admin
RPC as a typed tool over stdio JSON-RPC. Drop it into Claude Code, Cursor, or any
agent framework:
{`{
"mcpServers": {
"prism": {
"command": "prismcli",
"args": ["--insecure", "mcp", "serve"]
}
}
}`}
Built with make build-withdashboard, Prism embeds a Next.js dashboard
served at /: service management, transaction history with filtering /
pagination, revenue charts, and token administration. The dashboard talks to the
admin API through a server-side proxy that injects the macaroon — loopback only.
Per-endpoint token-bucket rate limiting, keyed on L402 token ID (or IP for unauthenticated requests). Multiple rules layer — a request is rejected if any matching rule denies it.
{`services:
- name: "myservice"
hostregexp: "api.example.com"
address: "127.0.0.1:8080"
protocol: https
ratelimits:
- requests: 100 # 100/s per client, global
per: 1s
burst: 100
- pathregexp: '^/api/v1/expensive.*$'
requests: 5
per: 1m
burst: 5`}
| Option | Required | Meaning |
|---|---|---|
pathregexp | no | Regex on path. Matches all paths if omitted. |
requests | yes | Requests per window |
per | yes | Time window: 1s · 1m · 1h · … |
burst | no | Burst capacity; defaults to requests |
Protocol-aware:
429 Too Many Requests with a Retry-After headerResourceExhaustedprism.loka.cash. Register your API,
hand over an invoice-only macaroon from your own
LND node, and Loka's gateway will paywall, meter, and route paying
traffic to your backend — settlement goes straight to your wallet,
Loka never holds your funds.
| Register on hosted gateway | Self-host Prism | |
|---|---|---|
| Time-to-revenue | Minutes after the form approves | Hours to days (build · deploy · TLS · ops) |
| What you operate | Just your existing backend + your own LND | + a Prism instance + a database + uptime |
| Who holds your funds | You — Loka never sees them (invoices settle straight to your LND) | You |
| Macaroon scope you hand over | invoices:write + invoices:read only |
n/a |
| Routing graph access | Loka's existing peering / liquidity | You build channels & manage liquidity yourself |
| Best for | API merchants, indie devs, fast iteration | Privacy-critical / regulated, large fleets, advanced policy |
The application form mirrors the per-service config block from
Prism's sample-conf.yaml — same field names, so once
you've filled it in, you've effectively authored the YAML that
Loka will load on your behalf.
| Project name | Display name (alphanumeric + dashes) |
| Contact email | For approval + outage notices |
| Service identifier | Unique slug, e.g. my-summariser. Becomes services[].name |
hostregexp | e.g. ^api.example.com$. Matched against the request Host header |
| Backend address | The HTTP/gRPC origin Prism forwards to (must be reachable from prism.loka.cash) |
| Protocol | http · https · grpc |
| Price per request | e.g. 10000000 MIST = 0.01 SUI; or a dynamic pricer endpoint |
| Network | mainnet · testnet · devnet |
| LND gRPC endpoint | host:port, must be reachable from the gateway (public IP or VPN) |
| LND TLS certificate | Paste the PEM contents |
| Invoice-only macaroon | Hex-encoded. See below for how to bake one |
pathregexp | Path-level routing match (default .*) |
| Whitelist paths | Paths served without authentication (health checks, docs) |
| Rate limits | Token-bucket rules per path (see Rate Limiting) |
| MPP session | Enable prepaid-session billing on top of L402 |
| Dynamic pricer | gRPC endpoint Prism queries on every challenge for runtime pricing |
| Macaroon root-key ID | So you can revoke later with lncli deletemacaroonids |
Do not hand over admin.macaroon. Prism
only ever needs to create invoices and watch for
settlement — two permissions. Bake a fresh macaroon scoped to
exactly that, with your own root-key ID so you can revoke it later
without touching anything else.
{`# 1. Bake a fresh invoice-only macaroon
lncli bakemacaroon \\
--save_to ~/loka-prism.macaroon \\
--root_key_id 42 \\
invoices:write invoices:read
# 2. Hex-encode for the form (or copy the file)
xxd -ps -u -c 1000 ~/loka-prism.macaroon
# → 0201036c6e6402...
# 3. Sanity-check the scope
lncli printmacaroon --macaroon_file ~/loka-prism.macaroon`}
invoices:write alone cannot send a single sat. It can
only call AddInvoice (mint a receipt). invoices:read
lets Prism poll SubscribeInvoices to learn when each
is paid. No onchain:*, no offchain:write
(sending) — Prism literally cannot drain your wallet with this token.
{`# Revocation later — instantly invalidates everything signed by root key 42
lncli deletemacaroonids 42`}
One number, applied to every request. Default for most APIs.
Submit it as an integer in MIST (or sat / msat
depending on network).
For tiered or per-token billing, host a small gRPC pricer service that Prism calls on each challenge. Form asks for the endpoint URL and TLS cert. See Configuration → dynamicprice.
Modelled on Solana Pay's merchant intake.
The form lives at {APPLY_URL} — same fields as in
the previous section, plus signature on the Terms.
Macaroons are encrypted with a per-service key and stored in
Prism's aperturedb. Revoke at any time by sending
lncli deletemacaroonids <root_key_id> from your LND;
Prism will see the next AddInvoice fail and disable the
service on the spot.
Once activated, you get an admin token scoped to your service. Use it with the standard{' '} Prism admin API to update pricing, swap backend addresses, or change rate limits — no form re-submission needed:
{`# rotate the price
curl -X PUT https://prism.loka.cash/api/admin/services/my-summariser \\
-H "Grpc-Metadata-Macaroon: $LOKA_MERCHANT_TOKEN" \\
-d '{"price": 5000000}'
# pause the service (e.g. during a backend rollout)
curl -X PUT https://prism.loka.cash/api/admin/services/my-summariser \\
-H "Grpc-Metadata-Macaroon: $LOKA_MERCHANT_TOKEN" \\
-d '{"enabled": false}'
# query revenue
curl https://prism.loka.cash/api/admin/stats?service=my-summariser \\
-H "Grpc-Metadata-Macaroon: $LOKA_MERCHANT_TOKEN"`}
POST /api/admin/services on Prism, so plug whatever
form tool's webhook into a small worker that calls the admin API
and you're done. Reference setup that Loka uses: Typeform → Vercel
function → Prism admin API. The function also bakes a per-merchant
admin token and emails it back to the applicant.