---
name: "L402"
slug: l402
layer: integration
tool-type: protocol
maintainer: "Lightning Labs"
repo: https://github.com/lightninglabs/L402
docs: https://docs.lightning.engineering/the-lightning-network/l402
site: https://github.com/lightninglabs/aperture
x: "@lightning"
license: "MIT"
---

# L402

> The HTTP-native payment protocol — pay a Lightning invoice to unlock an API, with a reusable credential proving you paid.

## What it is

L402 (formerly LSAT) is an open protocol for paying for API access over plain HTTP, using the long-dormant `402 Payment Required` status code. The server answers a request for a paid resource with a **macaroon** (a bearer credential that carries its own embedded rules) and a **Lightning invoice**. The client pays the invoice; the payment preimage authenticates the macaroon; the client retries with an `Authorization: L402 <macaroon>:<preimage>` header and gets the resource. Because the macaroon's caveats can encode expiry, rate limits, and spend scope, an agent can pay once and reuse the credential across many calls.

It is the layer an autonomous agent touches first when it buys a service — no account, no card, no human pressing *approve*.

## When to use it

- Gating any HTTP or gRPC API behind pay-per-call or pay-per-session access.
- Letting agents purchase compute, data feeds, or inference without a pre-provisioned account.
- Metering access with scoped, expiring credentials rather than long-lived API keys.

## Quick start

L402 is a protocol, so you deploy an implementation. The reference proxy is **Aperture** (Lightning Labs) — it sits in front of any HTTP/gRPC service and handles the 402 challenge, invoice issuance, and verification, backed by a funded Lightning node. On the client side, `lnget` (part of [lightning-agent-tools](/tools/lightning-agent-tools)) is an L402-aware HTTP client that pays and retries automatically. The protocol spec lives in the L402 repo and is also being standardized as bLIP-0026.

## Gotchas

- It is a spec, not a product — you run an implementation (Aperture, or a third-party kit) and still need a funded Lightning node behind it to issue and settle invoices.
- The macaroon is a **bearer token**: anyone holding the macaroon + preimage can use the credential within its caveats. Scope it tightly and treat it as a secret.
- Caveats are only as good as the verifier that enforces them — the gating service is responsible for checking expiry, rate, and spend limits on every request.
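
The server-side check implied by the flow in "What it is" and by the last gotcha, as an added example (not Aperture's code or part of the L402 spec). It assumes a simplified HMAC-signed JSON token standing in for a real macaroon, and the caveat names `expires_at` and `services` are hypothetical.

```python
import base64, hashlib, hmac, json

ROOT_KEY = b"constructed-demo-root-key"  # constructed; never hard-code a real key

def mint(payment_hash_hex, caveats):
    """Stand-in credential: HMAC tag + JSON body. NOT the real macaroon encoding."""
    body = json.dumps({"payment_hash": payment_hash_hex, "caveats": caveats}).encode()
    tag = hmac.new(ROOT_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def verify(header, now, service):
    """Check one request's Authorization header value; returns (ok, reason)."""
    scheme, _, cred = header.partition(" ")
    token_b64, sep, preimage_hex = cred.partition(":")
    if scheme != "L402" or not sep:
        return False, "malformed header"
    try:
        raw = base64.urlsafe_b64decode(token_b64)
        preimage = bytes.fromhex(preimage_hex)
    except ValueError:
        return False, "malformed credential"
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(ROOT_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"  # reject before parsing the body
    token = json.loads(body)
    # Proof of payment: SHA-256(preimage) must equal the invoice's payment hash.
    paid = hashlib.sha256(preimage).hexdigest()
    if not hmac.compare_digest(paid, token["payment_hash"]):
        return False, "preimage mismatch"
    # Caveats are enforced here, on every request, not only at issuance.
    caveats = token["caveats"]
    if now >= caveats["expires_at"]:
        return False, "expired"
    if service not in caveats["services"]:
        return False, "out of scope"
    return True, "ok"

# Constructed sample values.
PREIMAGE = bytes(range(32))
PAYMENT_HASH = hashlib.sha256(PREIMAGE).hexdigest()
TOKEN = mint(PAYMENT_HASH, {"expires_at": 1_700_000_600, "services": ["weather"]})
HEADER = f"L402 {TOKEN}:{PREIMAGE.hex()}"

if __name__ == "__main__":
    print(verify(HEADER, 1_700_000_000, "weather"))
```
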