Environment Variables

This guide covers all environment variables and configuration settings for Lightning Enable.

Required Configuration

Database Encryption Key

DB_ENCRYPTION_KEY=your-base64-encoded-32-byte-key

Purpose: Encrypts sensitive fields (API keys, OpenNode keys) at rest using AES-256-GCM.

Generate a secure key:

# Linux/Mac
openssl rand -base64 32

# PowerShell (fills the 32 bytes from the OS cryptographic RNG)
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[Convert]::ToBase64String($bytes)

Critical
  • BACKUP THIS KEY - If lost, all encrypted merchant data is permanently unrecoverable
  • NEVER CHANGE after deployment - existing encrypted data becomes unreadable

Admin API Key

ADMIN_API_KEY=your-secure-admin-key

Purpose: Authenticates admin API requests for:

  • /api/admin/* endpoints
  • /hangfire dashboard access

Recommended: Generate using the same method as DB_ENCRYPTION_KEY.

Database Connection

ConnectionStrings__DefaultConnection="Server=your-server;Database=LightningEnable;..."

Purpose: SQL Server connection string for the application database.

For Azure SQL with Entra ID authentication:

Server=your-server.database.windows.net;Database=LightningEnable;Authentication=Active Directory Managed Identity;

Stripe Configuration

All Stripe settings are required for subscription management.

Secret Key

Stripe__SecretKey=sk_live_xxxxxxxxxxxxx

Purpose: Server-side Stripe API authentication.

  • Production: Use sk_live_... keys
  • Development: Use sk_test_... keys

Publishable Key

Stripe__PublishableKey=pk_live_xxxxxxxxxxxxx

Purpose: Client-side Stripe Checkout initialization.

Webhook Secret

Stripe__WebhookSecret=whsec_xxxxxxxxxxxxx

Purpose: Verifies webhook signatures from Stripe.

Get this from: Stripe Dashboard → Webhooks → Select endpoint → Signing secret

Base URL

Stripe__BaseUrl=https://api.lightningenable.com

Purpose: Base URL for success/cancel redirect URLs after checkout.

Pricing Plans

{
  "Stripe": {
    "PricingPlans": {
      "standalone": "price_xxxxxxxxxxxxx",
      "kentico": "price_xxxxxxxxxxxxx",
      "l402": "price_xxxxxxxxxxxxx"
    }
  }
}

Purpose: Maps product tiers to Stripe Price IDs.

OpenNode Configuration

Environment

OpenNode__Environment=production

Values:

Webhook URL (Optional)

OpenNode__WebhookUrl=https://api.lightningenable.com/api/webhooks/opennode

Purpose: Override auto-detected webhook URL.

Auto-detection order:

  1. OpenNode:WebhookUrl from config (if set)
  2. WEBSITE_HOSTNAME environment variable (Azure App Service)
  3. APP_URL environment variable (custom deployment)
  4. localhost:5096 (local development fallback)

L402 Configuration

Root Key

L402_ROOT_KEY=your-secret-l402-root-key

Purpose: Secret key for macaroon signing. Required in production.

Caution

In development, a default key is used. Always set this in production.

L402 Options (appsettings.json)

{
  "L402": {
    "Enabled": true,
    "ServiceName": "lightning-enable",
    "Location": "https://api.lightningenable.com",
    "DefaultPriceSats": 10,
    "InvoiceExpirySeconds": 600,
    "DefaultTokenValiditySeconds": 3600,
    "CacheVerifiedTokens": true,
    "TokenCacheSeconds": 3600,
    "ProtectedPaths": ["/api/l402/*"],
    "ExcludedPaths": ["/api/l402/pricing", "/api/l402/status"]
  }
}

| Setting | Default | Description |
|---|---|---|
| Enabled | true | Enable L402 authentication middleware |
| ServiceName | lightning-enable | Service identifier in macaroons |
| Location | - | Base URL for the service |
| DefaultPriceSats | 10 | Default price for unpriced endpoints |
| InvoiceExpirySeconds | 600 | Lightning invoice expiry (10 min) |
| DefaultTokenValiditySeconds | 3600 | Token validity period (1 hour) |
| CacheVerifiedTokens | true | Cache verified tokens for performance |
| TokenCacheSeconds | 3600 | Token cache duration |
| ProtectedPaths | [] | Glob patterns for protected endpoints |
| ExcludedPaths | [] | Glob patterns to exclude from L402 |

MCP Server Configuration

The MCP (Model Context Protocol) server enables AI agents to use Lightning Enable tools. These variables configure the standalone MCP server.

License Validation

LIGHTNING_ENABLE_API_KEY=le_merchant_xxxxxxxxxxxxx

Purpose: Your merchant API key for validating L402 license status.

Required for: access_l402_resource and pay_l402_challenge tools (PAID tier).

How to get: Your API key is provided when you subscribe at https://lightningenable.com

LIGHTNING_ENABLE_API_URL=https://api.lightningenable.com

Purpose: Base URL for the Lightning Enable API (optional, defaults to production).

Wallet Configuration

Choose one wallet provider (in priority order):

Strike (Recommended for USD users):

STRIKE_API_KEY=your-strike-api-key

OpenNode:

OPENNODE_API_KEY=your-opennode-api-key
OPENNODE_ENVIRONMENT=production # or "dev" for testnet

Nostr Wallet Connect (NWC):

NWC_CONNECTION_STRING=nostr+walletconnect://pubkey?relay=wss://relay.example.com&secret=xxx

Wallet Priority

If multiple wallet credentials are configured, they are used in this order:

  1. Strike (if STRIKE_API_KEY is set)
  2. OpenNode (if OPENNODE_API_KEY is set)
  3. NWC (if NWC_CONNECTION_STRING is set)

Only the first configured wallet is used.

Spending Limits Configuration

Recommended: Use config file (AI-proof)

Budget limits are configured via ~/.lightning-enable/config.json:

{
  "currency": "USD",
  "tiers": {
    "autoApprove": 0.10,
    "logAndApprove": 1.00,
    "formConfirm": 10.00,
    "urlConfirm": 100.00
  },
  "limits": {
    "maxPerPayment": 500.00,
    "maxPerSession": 100.00
  }
}

This file is created automatically on first run. AI agents cannot modify this file.

Legacy: Environment variables

For backward compatibility, environment variables are also supported:

L402_MAX_SATS_PER_REQUEST=1000
L402_MAX_SATS_PER_SESSION=10000

Note: Config file settings take precedence over environment variables.

See AI Spending Security for detailed configuration.

MCP Configuration Summary

| Variable | Required | Default | Description |
|---|---|---|---|
| LIGHTNING_ENABLE_API_KEY | For PAID tools | - | Merchant API key for license validation |
| LIGHTNING_ENABLE_API_URL | No | https://api.lightningenable.com | API base URL |
| STRIKE_API_KEY | If using Strike | - | Strike API key (preferred for USD) |
| OPENNODE_API_KEY | If using OpenNode | - | OpenNode API key with withdrawal permissions |
| OPENNODE_ENVIRONMENT | No | production | production or dev |
| NWC_CONNECTION_STRING | If using NWC | - | Nostr Wallet Connect URI |
| L402_MAX_SATS_PER_REQUEST | No | 1000 | Legacy: Max sats per single payment |
| L402_MAX_SATS_PER_SESSION | No | 10000 | Legacy: Max sats per MCP session |

Feature Tiers
  • FREE tools (no license needed): pay_invoice, check_wallet_balance, get_payment_history, get_budget_status
  • PAID tools (requires L402 subscription): access_l402_resource, pay_l402_challenge

CORS Configuration

{
  "AllowedOrigins": [
    "https://yourapp.com",
    "https://admin.yourapp.com"
  ]
}

Purpose: Restrict browser-based API access to specific domains.

  • Production: List all legitimate client domains
  • Development: Automatically allows common localhost ports
  • Empty array: API not accessible from browsers

Logging Configuration

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Warning",
        "Microsoft.Hosting.Lifetime": "Information"
      }
    },
    "WriteTo": [
      { "Name": "Console" },
      {
        "Name": "File",
        "Args": {
          "path": "logs/lightning-enable-.txt",
          "rollingInterval": "Day"
        }
      }
    ]
  }
}

Development Configuration

For local development, use appsettings.Development.json:

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\MSSQLLocalDB;Database=LightningEnable;Trusted_Connection=True;"
  },
  "AdminApiKey": "DEV-ADMIN-KEY-FOR-LOCAL-TESTING",
  "OpenNode": {
    "Environment": "dev"
  },
  "Stripe": {
    "SecretKey": "sk_test_xxxxx",
    "PublishableKey": "pk_test_xxxxx",
    "WebhookSecret": "whsec_xxxxx",
    "BaseUrl": "http://localhost:5096"
  }
}

Default encryption key in development:

DEV-ENCRYPTION-KEY-DO-NOT-USE-IN-PRODUCTION-12345678

Production Checklist

Before deploying to production, ensure:

  • DB_ENCRYPTION_KEY is set and backed up securely
  • ADMIN_API_KEY is set to a secure value
  • ASPNETCORE_ENVIRONMENT=Production
  • Database connection string configured for production SQL Server
  • OpenNode:Environment=production for mainnet
  • Stripe live keys configured (sk_live_..., pk_live_...)
  • Stripe webhook endpoint created in Stripe Dashboard
  • AllowedOrigins restricted to legitimate domains
  • L402_ROOT_KEY set (if using L402)
  • SSL/TLS certificate configured
  • Database migrations applied
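
A preflight check for the environment-variable items in the checklist above, as an added example that is not part of Lightning Enable. The names `preflight` and `check_aes256_key` are hypothetical; the sketch assumes L402 is in use and that the two environment names can be compared case-insensitively.

```python
import base64
import binascii
import os

# Development defaults published on this page; they must never reach production.
DEV_DEFAULTS = {
    "DEV-ENCRYPTION-KEY-DO-NOT-USE-IN-PRODUCTION-12345678",
    "DEV-ADMIN-KEY-FOR-LOCAL-TESTING",
}
# Variable -> prefix a live value must carry ("" = any non-empty value).
PREFIXES = {
    "DB_ENCRYPTION_KEY": "", "ADMIN_API_KEY": "", "L402_ROOT_KEY": "",
    "ConnectionStrings__DefaultConnection": "",
    "Stripe__SecretKey": "sk_live_",
    "Stripe__PublishableKey": "pk_live_", "Stripe__WebhookSecret": "whsec_",
}
# Variable -> value the checklist asks for (assumption: case-insensitive match).
EXACT = {"ASPNETCORE_ENVIRONMENT": "Production", "OpenNode__Environment": "production"}


def preflight(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, prefix in PREFIXES.items():
        value = env.get(name, "")
        if not value:
            findings.append(f"{name}: not set")
        elif value in DEV_DEFAULTS:
            findings.append(f"{name}: development default in use")
        elif not value.startswith(prefix):
            findings.append(f"{name}: expected prefix {prefix}")
        elif name == "DB_ENCRYPTION_KEY":
            findings.extend(check_aes256_key(value))
    for name, want in EXACT.items():
        if env.get(name, "").casefold() != want.casefold():
            findings.append(f"{name}: expected {want}")
    return findings


def check_aes256_key(value):
    """AES-256-GCM needs exactly 32 key bytes after base64 decoding."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["DB_ENCRYPTION_KEY: not valid base64"]
    return [] if len(raw) == 32 else [f"DB_ENCRYPTION_KEY: {len(raw)} bytes, need 32"]


if __name__ == "__main__":
    print("\n".join(preflight(os.environ)) or "preflight passed")
```

Run it in the deployment pipeline with the production settings loaded; it reports variable names and reasons only, never the secret values.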

Azure App Service Configuration

When deploying to Azure App Service, set these application settings:

| Setting Name | Value |
|---|---|
| ASPNETCORE_ENVIRONMENT | Production |
| DB_ENCRYPTION_KEY | (from Key Vault) |
| ADMIN_API_KEY | (from Key Vault) |
| L402_ROOT_KEY | (from Key Vault) |
| ConnectionStrings__DefaultConnection | (Azure SQL connection) |
| Stripe__SecretKey | (from Key Vault) |
| Stripe__PublishableKey | pk_live_... |
| Stripe__WebhookSecret | (from Key Vault) |
| Stripe__BaseUrl | https://api.lightningenable.com |
| OpenNode__Environment | production |

Use Key Vault References

For sensitive values, use Azure Key Vault references:

@Microsoft.KeyVault(SecretUri=https://your-vault.vault.azure.net/secrets/DB-ENCRYPTION-KEY/)
