
Environment Variables

This guide covers all environment variables and configuration settings for Lightning Enable.

Required Configuration

Database Encryption Key

DB_ENCRYPTION_KEY=your-base64-encoded-32-byte-key

Purpose: Encrypts sensitive fields (API keys, provider keys) at rest using AES-256-GCM.

Generate a secure key:

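# Linux/Mac
openssl rand -base64 32

# PowerShell (draws the 32 key bytes from the .NET cryptographic RNG)
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[Convert]::ToBase64String($bytes)

Critical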
  • BACKUP THIS KEY - If lost, all encrypted merchant data is permanently unrecoverable
  • NEVER CHANGE after deployment - existing encrypted data becomes unreadable

Admin API Key

ADMIN_API_KEY=your-secure-admin-key

Purpose: Authenticates admin API requests for:

  • /api/admin/* endpoints
  • /hangfire dashboard access

Recommended: Generate using the same method as DB_ENCRYPTION_KEY.

Database Connection

ConnectionStrings__DefaultConnection="Server=your-server;Database=LightningEnable;..."

Purpose: SQL Server connection string for the application database.

For Azure SQL with Entra ID authentication:

Server=your-server.database.windows.net;Database=LightningEnable;Authentication=Active Directory Managed Identity;

Stripe Configuration

All Stripe settings are required for subscription management.

Secret Key

Stripe__SecretKey=sk_live_xxxxxxxxxxxxx

Purpose: Server-side Stripe API authentication.

  • Production: Use sk_live_... keys
  • Development: Use sk_test_... keys

Publishable Key

Stripe__PublishableKey=pk_live_xxxxxxxxxxxxx

Purpose: Client-side Stripe Checkout initialization.

Webhook Secret

Stripe__WebhookSecret=whsec_xxxxxxxxxxxxx

Purpose: Verifies webhook signatures from Stripe.

Get this from: Stripe Dashboard → Webhooks → Select endpoint → Signing secret

Base URL

Stripe__BaseUrl=https://api.lightningenable.com

Purpose: Base URL for success/cancel redirect URLs after checkout.

Pricing Plans

{
  "Stripe": {
    "PricingPlans": {
      "standalone": "price_xxxxxxxxxxxxx",
      "kentico": "price_xxxxxxxxxxxxx",
      "l402": "price_xxxxxxxxxxxxx"
    }
  }
}

Purpose: Maps product tiers to Stripe Price IDs.

Payment Provider Configuration

Lightning Enable supports multiple payment providers. Configure your preferred provider below.

Default Provider

PaymentProvider__Default=Strike

Values: Strike (default) or OpenNode

This sets the default provider for merchants that don't have an explicit provider configured. Per-merchant provider selection is available via the merchant settings API.

Strike Configuration

PaymentProvider__Strike__BaseUrl=https://api.strike.me/v1

| Setting | Default | Description |
| --- | --- | --- |
| PaymentProvider:Strike:BaseUrl | https://api.strike.me/v1 | Strike API base URL. Use https://api.dev.strike.me/v1 for sandbox. |

Merchants configure their Strike API key via the merchant settings API. The key is encrypted at rest using AES-256-GCM.

Strike vs OpenNode

| Feature | Strike | OpenNode |
| --- | --- | --- |
| Invoice creation | 2-step (create + quote) | Single step |
| Preimage support | Direct from API | Parsed from BOLT11 |
| Native refunds | No (uses payment-quotes) | Yes |
| Webhook format | Thin (entityId only) | Full payload |
| Currencies | BTC, USD, EUR, GBP | BTC, USD |
| Best for | L402, general payments | Refund-heavy workflows |

OpenNode Configuration

Environment

OpenNode__Environment=production

Values:

Webhook URL (Optional)

PaymentProvider__WebhookUrl=https://api.lightningenable.com/api/webhooks/opennode

Purpose: Override auto-detected webhook URL. Used as the callback URL for all payment providers (OpenNode and Strike).

Auto-detection order:

  1. PaymentProvider:WebhookUrl from config (if set)
  2. WEBSITE_HOSTNAME environment variable (Azure App Service)
  3. APP_URL environment variable (custom deployment)
  4. localhost:5096 (local development fallback)

L402 Configuration

Root Key

L402_ROOT_KEY=your-secret-l402-root-key

Purpose: Secret key for macaroon signing. Required in production.

caution

In development, a default key is used. Always set this in production.

L402 Options (appsettings.json)

{
  "L402": {
    "Enabled": true,
    "ServiceName": "lightning-enable",
    "Location": "https://api.lightningenable.com",
    "DefaultPriceSats": 100,
    "InvoiceExpirySeconds": 600,
    "DefaultTokenValiditySeconds": 3600,
    "CacheVerifiedTokens": true,
    "TokenCacheSeconds": 300,
    "AllowLegacyLsatScheme": true,
    "MaxProxyRequestBodyBytes": 1048576,
    "MaxProxyResponseBodyBytes": 10485760,
    "ProtectedPaths": ["/api/l402/*"],
    "ExcludedPaths": ["/api/l402/pricing", "/api/l402/status"],
    "EndpointPricing": [
      {
        "PathPattern": "/api/l402/demo",
        "PriceSats": 1,
        "ServiceName": "demo",
        "TokenValiditySeconds": 3600
      }
    ]
  }
}

| Setting | Default | Description |
| --- | --- | --- |
| Enabled | true | Enable L402 authentication middleware |
| ServiceName | lightning-enable | Service identifier in macaroons |
| Location | - | Base URL for the service |
| DefaultPriceSats | 100 | Default price in satoshis for unpriced endpoints |
| InvoiceExpirySeconds | 600 | Lightning invoice expiry (10 min) |
| DefaultTokenValiditySeconds | 3600 | Token validity period (1 hour) |
| CacheVerifiedTokens | true | Cache verified tokens for performance |
| TokenCacheSeconds | 300 | Token cache duration (5 min) |
| AllowLegacyLsatScheme | true | Accept the legacy "LSAT" auth scheme in addition to "L402" |
| MaxProxyRequestBodyBytes | 1048576 | Max request body size through L402 proxy (1 MB). Set to 0 to disable |
| MaxProxyResponseBodyBytes | 10485760 | Max response body size through L402 proxy (10 MB). Set to 0 to disable |
| ProtectedPaths | [] | Glob patterns for protected endpoints |
| ExcludedPaths | [] | Glob patterns to exclude from L402 |
| EndpointPricing | [] | Per-endpoint pricing rules (array of PathPattern, PriceSats, ServiceName, TokenValiditySeconds) |

MCP Server Configuration

The MCP (Model Context Protocol) server enables AI agents to use Lightning Enable tools. These variables configure the standalone MCP server.

Wallet Configuration

All MCP tools are free — no API key or subscription required. Just configure a wallet below.

Choose one wallet provider (listed in default priority order):

LND (Best for L402):

LND_REST_HOST=https://your-lnd-node:8080
LND_MACAROON_HEX=your-admin-macaroon-hex

Nostr Wallet Connect (NWC):

NWC_CONNECTION_STRING=nostr+walletconnect://pubkey?relay=wss://relay.example.com&secret=xxx

Strike (Recommended for USD users):

STRIKE_API_KEY=your-strike-api-key

OpenNode:

OPENNODE_API_KEY=your-opennode-api-key
OPENNODE_ENVIRONMENT=production # or "dev" for testnet

Wallet Priority

If multiple wallet credentials are configured, they are used in this order:

  1. LND (if LND_REST_HOST and LND_MACAROON_HEX are set)
  2. NWC (if NWC_CONNECTION_STRING is set)
  3. Strike (if STRIKE_API_KEY is set)
  4. OpenNode (if OPENNODE_API_KEY is set)

This order prioritizes wallets that return a preimage, which is required for L402. OpenNode does not return preimages, so L402 will not work with it. You can override the priority with the WALLET_PRIORITY environment variable (values: lnd, nwc, strike, opennode).

Only the first configured wallet is used.
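
An added example (not the MCP server's code) that models the selection rule above so a configuration can be checked before the server starts. `select_wallet` and its warnings are hypothetical, and it assumes WALLET_PRIORITY names a single wallet that is tried first.

```python
# Default order from this page; only OpenNode is described as returning no preimage.
DEFAULT_ORDER = ["lnd", "nwc", "strike", "opennode"]
REQUIRED_VARS = {
    "lnd": ("LND_REST_HOST", "LND_MACAROON_HEX"),
    "nwc": ("NWC_CONNECTION_STRING",),
    "strike": ("STRIKE_API_KEY",),
    "opennode": ("OPENNODE_API_KEY",),
}
RETURNS_PREIMAGE = {"lnd": True, "nwc": True, "strike": True, "opennode": False}


def select_wallet(env):
    """Return (wallet, warnings) for an environment mapping; wallet is None if none is configured."""
    order = list(DEFAULT_ORDER)
    warnings = []
    preferred = env.get("WALLET_PRIORITY", "").strip().lower()
    if preferred in REQUIRED_VARS:
        # Assumption: the override moves one wallet to the front of the order.
        order.remove(preferred)
        order.insert(0, preferred)
    elif preferred:
        warnings.append(f"WALLET_PRIORITY={preferred!r} is not one of {DEFAULT_ORDER}")

    selected = None
    for name in order:
        present = [v for v in REQUIRED_VARS[name] if env.get(v)]
        if len(present) == len(REQUIRED_VARS[name]):
            if selected is None:
                selected = name
            else:
                # Credentials that are never used are still exposed to the process.
                warnings.append(f"{name} credentials are set but unused ({selected} wins)")
        elif present:
            # A half-configured wallet is skipped and a lower-priority one is chosen.
            warnings.append(f"{name} is partially configured: only {present[0]} is set")
    if selected and not RETURNS_PREIMAGE[selected]:
        warnings.append(f"{selected} returns no preimage, so L402 will not work")
    return selected, warnings
```

Calling `select_wallet(os.environ)` in a startup script surfaces the case where a missing LND_MACAROON_HEX silently drops the server to a lower-priority wallet.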

Spending Limits Configuration

Recommended: Use config file (AI-proof)

Budget limits are configured via ~/.lightning-enable/config.json:

{
  "currency": "USD",
  "tiers": {
    "autoApprove": 0.10,
    "logAndApprove": 1.00,
    "formConfirm": 10.00,
    "urlConfirm": 100.00
  },
  "limits": {
    "maxPerPayment": 500.00,
    "maxPerSession": 100.00
  }
}

This file is created automatically on first run. AI agents cannot modify this file.

Legacy: Environment variables

For backward compatibility, environment variables are also supported:

L402_MAX_SATS_PER_REQUEST=1000
L402_MAX_SATS_PER_SESSION=10000

Note: Config file settings take precedence over environment variables.

See AI Spending Security for detailed configuration.

MCP Configuration Summary

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| LND_REST_HOST | If using LND | - | LND REST API host |
| LND_MACAROON_HEX | If using LND | - | LND admin macaroon in hex |
| NWC_CONNECTION_STRING | If using NWC | - | Nostr Wallet Connect URI |
| STRIKE_API_KEY | If using Strike | - | Strike API key (preferred for USD) |
| OPENNODE_API_KEY | If using OpenNode | - | OpenNode API key with withdrawal permissions |
| OPENNODE_ENVIRONMENT | No | production | production or dev |
| WALLET_PRIORITY | No | - | Override default wallet priority (lnd, nwc, strike, or opennode) |
| L402_MAX_SATS_PER_REQUEST | No | 1000 | Legacy: Max sats per single payment |
| L402_MAX_SATS_PER_SESSION | No | 10000 | Legacy: Max sats per MCP session |

All Tools Free

All MCP tools are free — no license or subscription required. Just configure a wallet and go.

CORS Configuration

{
  "AllowedOrigins": [
    "https://yourapp.com",
    "https://admin.yourapp.com"
  ]
}

Purpose: Restrict browser-based API access to specific domains.

  • Production: List all legitimate client domains
  • Development: Automatically allows common localhost ports
  • Empty array: API not accessible from browsers

Logging Configuration

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Warning",
        "Microsoft.Hosting.Lifetime": "Information"
      }
    },
    "WriteTo": [
      { "Name": "Console" },
      {
        "Name": "File",
        "Args": {
          "path": "logs/lightning-enable-.txt",
          "rollingInterval": "Day"
        }
      }
    ]
  }
}

Development Configuration

For local development, use appsettings.Development.json:

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\MSSQLLocalDB;Database=LightningEnable;Trusted_Connection=True;"
  },
  "AdminApiKey": "DEV-ADMIN-KEY-FOR-LOCAL-TESTING",
  "OpenNode": {
    "Environment": "dev"
  },
  "Stripe": {
    "SecretKey": "sk_test_xxxxx",
    "PublishableKey": "pk_test_xxxxx",
    "WebhookSecret": "whsec_xxxxx",
    "BaseUrl": "http://localhost:5096"
  }
}

Default encryption key in development:

DEV-ENCRYPTION-KEY-DO-NOT-USE-IN-PRODUCTION-12345678

Production Checklist

Before deploying to production, ensure:

  • DB_ENCRYPTION_KEY is set and backed up securely
  • ADMIN_API_KEY is set to a secure value
  • ASPNETCORE_ENVIRONMENT=Production
  • Database connection string configured for production SQL Server
  • Payment provider configured (Strike API key or OpenNode key)
  • OpenNode:Environment=production for mainnet (if using OpenNode)
  • Stripe live keys configured (sk_live_..., pk_live_...)
  • Stripe webhook endpoint created in Stripe Dashboard
  • AllowedOrigins restricted to legitimate domains
  • L402_ROOT_KEY set (if using L402)
  • SSL/TLS certificate configured
  • Database migrations applied
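
The items in this checklist that can be verified mechanically can be enforced in a deployment pipeline. The following is an added example, not part of Lightning Enable: a hypothetical `preflight` function that checks an environment mapping against the values named on this page. It assumes L402 is in use and that all three Stripe values are supplied as environment variables.

```python
import base64
import binascii

# Development defaults quoted on this page; neither may reach production.
DEV_ENCRYPTION_KEY = "DEV-ENCRYPTION-KEY-DO-NOT-USE-IN-PRODUCTION-12345678"
DEV_ADMIN_KEY = "DEV-ADMIN-KEY-FOR-LOCAL-TESTING"


def preflight(env):
    """Return a list of findings for an environment mapping; empty means pass."""
    findings = []

    key = env.get("DB_ENCRYPTION_KEY", "")
    if not key:
        findings.append("DB_ENCRYPTION_KEY is not set")
    elif key == DEV_ENCRYPTION_KEY:
        findings.append("DB_ENCRYPTION_KEY is the development default")
    else:
        try:
            raw = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append("DB_ENCRYPTION_KEY is not valid base64")
        else:
            if len(raw) != 32:
                findings.append(f"DB_ENCRYPTION_KEY decodes to {len(raw)} bytes, AES-256 needs 32")

    admin = env.get("ADMIN_API_KEY", "")
    if not admin or admin == DEV_ADMIN_KEY:
        findings.append("ADMIN_API_KEY is unset or the development default")

    if env.get("ASPNETCORE_ENVIRONMENT") != "Production":
        findings.append("ASPNETCORE_ENVIRONMENT is not Production")

    # Prefixes as shown on this page for live keys and the webhook signing secret.
    for name, prefix in (("Stripe__SecretKey", "sk_live_"),
                         ("Stripe__PublishableKey", "pk_live_"),
                         ("Stripe__WebhookSecret", "whsec_")):
        if not env.get(name, "").startswith(prefix):
            findings.append(f"{name} does not start with {prefix}")

    if not env.get("L402_ROOT_KEY"):  # assumption: L402 is in use
        findings.append("L402_ROOT_KEY is not set")
    return findings


if __name__ == "__main__":
    import os
    for finding in preflight(os.environ):
        print("FAIL:", finding)
```

The function only reads values and reports finding text, so the secrets themselves never appear in pipeline logs.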

Azure App Service Configuration

When deploying to Azure App Service, set these application settings:

| Setting Name | Value |
| --- | --- |
| ASPNETCORE_ENVIRONMENT | Production |
| DB_ENCRYPTION_KEY | (from Key Vault) |
| ADMIN_API_KEY | (from Key Vault) |
| L402_ROOT_KEY | (from Key Vault) |
| ConnectionStrings__DefaultConnection | (Azure SQL connection) |
| Stripe__SecretKey | (from Key Vault) |
| Stripe__PublishableKey | pk_live_... |
| Stripe__WebhookSecret | (from Key Vault) |
| Stripe__BaseUrl | https://api.lightningenable.com |
| PaymentProvider__Default | Strike |
| OpenNode__Environment | production (if using OpenNode) |

Use Key Vault References

For sensitive values, use Azure Key Vault references:

@Microsoft.KeyVault(SecretUri=https://your-vault.vault.azure.net/secrets/DB-ENCRYPTION-KEY/)
