Run L402 Anywhere: Hermes + NWC
Give an AI agent a tiny Lightning wallet and the Lightning Enable MCP server, and it can pay L402-protected APIs anywhere on the internet — no card, no account, no hosted infrastructure. With Hermes as the host, the same setup reaches you on your phone over Telegram, Signal, WhatsApp, and other chat apps.
Most "agent pays for things" demos have a deployment problem: the agent needs a wallet and a host before it can pay for anything. Hermes runs the MCP locally and bridges to your phone, so you get mobile agent payments without a hosted MCP to run or trust. Your wallet stays yours; Lightning Enable never holds funds.
The beginner stack
| Layer | Pick | Why |
|---|---|---|
| Agent host | Hermes | Local MCP client with Telegram/Signal/WhatsApp gateways — mobile access, no hosted layer. |
| Payment tools | Lightning Enable MCP | Gives the agent access_l402_resource, pay_l402_challenge, wallet + budget tools. |
| Wallet | CoinOS via NWC | Browser-based, beginner-friendly, and returns the Lightning preimage that L402 requires. |
| Budget | A small funded wallet | The wallet balance is the hard leash; software limits are defense-in-depth. |
L402 verification needs the payment preimage. NWC wallets (CoinOS, Alby Hub, CLINK), LND, and Strike return it. OpenNode does not and can't be used to pay L402 resources.
Prerequisites
- macOS, Linux, Windows, or WSL
- The .NET 9 runtime (for the .NET MCP tool) or Python 3.10+ (for the Python one)
- Hermes installed
- A CoinOS account with a small amount of sats (1,000–10,000 is plenty to start)
Step 1 — Install Hermes
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
Run the setup wizard (pick your model/provider), then confirm it's healthy:
hermes setup
hermes doctor
Step 2 — Install the Lightning Enable MCP
# .NET (recommended)
dotnet tool install -g LightningEnable.Mcp
# Or Python — for an NWC wallet, install the optional extra:
pip install "lightning-enable-mcp[nwc]"
Confirm the command is on your PATH:
command -v lightning-enable-mcp
pip install lightning-enable-mcp works on every platform, but NWC wallets need
the extra: pip install "lightning-enable-mcp[nwc]". The .NET tool needs no extra.
Step 3 — Create a CoinOS NWC connection
- Go to coinos.io and create or log in to an account.
- Fund it with a small amount (e.g. 1,000–10,000 sats).
- Open Nostr Wallet Connect (NWC) in settings and create a new connection for your agent.
- Grant the permissions an L402-paying agent needs:
pay_invoiceget_balance- (optional)
make_invoiceif the agent should also receive payments
- If CoinOS offers a per-connection spend limit, set one.
- Copy the
nostr+walletconnect://…connection string.
Anyone with the connection string can spend within its permissions and limits. Keep it out of chat, screenshots, and shared configs.
Step 4 — Configure the wallet + budget
Create ~/.lightning-enable/config.json:
{
"currency": "USD",
"tiers": {
"autoApprove": 0.10,
"logAndApprove": 1.00,
"formConfirm": 10.00
},
"limits": {
"maxPerPayment": 5.00,
"maxPerSession": 20.00
},
"wallets": {
"nwcConnectionString": "nostr+walletconnect://PASTE_YOUR_COINOS_STRING_HERE",
"priority": "nwc"
}
}
Lock the file down (NWC strings are sensitive):
chmod 600 ~/.lightning-enable/config.json
| Threshold | Behavior |
|---|---|
| Under $0.10 | Auto-pay silently |
| $0.10 – $1.00 | Pay and log |
| $1.00 – $5.00 | Confirmation required (server prints a code to its console for you) |
| Over $5/payment or $20/session | Denied |
NWC strings contain characters that are easy to break in shell profiles and GUI
launchers, so the config file is the reliable path. (If you prefer env vars, the
equivalents are NWC_CONNECTION_STRING and WALLET_PRIORITY=nwc.)
Step 5 — Add the MCP to Hermes
Because the wallet lives in the config file, adding the server is one line:
hermes mcp add lightning-enable --command lightning-enable-mcp
hermes mcp test lightning-enable
Expected:
✓ Connected
✓ Tools discovered: 15 (23 with a Lightning Enable API key)
Step 6 — Verify for 1 sat
This is the moment of truth — a real end-to-end L402 payment against the public 1-sat test endpoint. It proves your wallet, the preimage flow, and L402 all work, for one satoshi.
First, check the agent can see the wallet:
Check the Lightning Enable wallet balance.
Then pay the test endpoint:
Access this L402 resource: https://api.lightningenable.com/l402/test/ping
What happens under the hood:
- The agent requests the URL and gets
402 Payment Requiredwith a 1-sat Lightning invoice + macaroon. - The MCP pays the invoice through your CoinOS NWC wallet.
- CoinOS returns the preimage.
- The MCP retries with
Authorization: L402 <macaroon>:<preimage>. - The endpoint returns
200 OK.
If you get the 200, your whole stack works. (Prefer the command line? The same
endpoint responds to curl https://api.lightningenable.com/l402/test/ping with the
402 challenge so you can inspect the invoice before paying.)
Step 7 — Take it to your phone
Point Hermes' messaging gateway at Telegram (or Signal, WhatsApp, etc.) and talk to your agent from anywhere:
hermes gateway setup
hermes gateway run
Now you can message your agent "pay the 1-sat test endpoint" or "buy the premium forecast from this API" from your phone, and it pays over Lightning from the bounded wallet — no hosted MCP required.
What the agent can do next
Once it can pay L402, the same agent handles real tasks. Pair this setup with the open-source pay-l402-anywhere skill (it works in Hermes, Claude Code, and Cursor unmodified) — discover a paid API, check what you can afford, confirm, pay, and report the sats spent.
Key consumer tools the MCP exposes:
access_l402_resource— fetch a URL and auto-pay the L402 challengepay_l402_challenge— pay a challenge you already holddiscover_api— search the L402 registry or fetch an API's manifestcheck_wallet_balance/get_budget_status— know your funds and limitsconfirm_payment— approve an over-threshold payment with the console code
Security posture
The safe design isn't "trust the agent" — it's bound what it can spend:
- Use a dedicated small wallet for the agent.
- Fund only what it's allowed to spend — the balance is the real ceiling.
- Set a CoinOS per-connection limit if available.
- Keep the MCP budget caps as defense-in-depth.
- Keep
~/.lightning-enable/config.jsonat600. - Rotate the NWC connection if it leaks or you're done with it.
A 5,000-sat wallet cannot spend 50,000 sats, no matter what any prompt says.
Next steps
- Wallet Configuration — other NWC wallets (Alby Hub, CLINK) and LND
- AI Spending Security — how the budget tiers and confirmation gate work
- MCP Complete Guide — all 23 tools