Skip to main content

Release Notes

API​

Documentation Accuracy Overhaul (July 2026)​

Full reconciliation audit of the docs site against the shipped product, fixing pages that had drifted from the code.

  • Corrected the documented webhook, refund, and payment API contracts to match actual response shapes and endpoints
  • Removed endpoints and features that never shipped (including a phantom Exchange Rates API) and fixed plan-matrix contradictions
  • Removed internal runbook content and any tutorial patterns that put API keys in browser-side code
  • Backfilled these release notes β€” the API section had not been updated since March 2026

L402 Protocol Fixes (June 2026)​

  • Caveat intersection β€” repeated macaroon caveats now intersect (monotonic narrowing) instead of last-write-wins, closing a scope-widening hole
  • Proxy macaroon scoping β€” proxy macaroon verification is bound to the merchant and path it was issued for
  • Spec-compliant identifier encoding β€” the macaroon identifier is encoded as raw bytes per the L402 spec, improving interoperability with other L402 tooling

Security Hardening (May–June 2026)​

Fixes from the May 2026 security audit, plus CI scanning.

  • Per-IP auth-failure throttle β€” repeated failed authentication attempts from one IP return 429 with a Retry-After header (defaults: 20 failures per 60-second window); also covers the Hangfire dashboard
  • Constant-time comparisons on all secret checks (API keys, admin key, webhook signatures)
  • Public checkout status endpoints trimmed to return only { status } β€” enumeration-safe, no side effects
  • Antiforgery enforcement on dashboard login and magic-link forms
  • HSTS header (staged, config-driven rollout; June 2026)
  • CodeQL, Semgrep, and gitleaks security scanning added to CI

Native L402 Server SDKs (May 2026)​

Native mode launched: monetize your API on your own domain β€” traffic never flows through Lightning Enable. See the Native Integration guide.


Dashboard: Smart Setup & Test-It Panel (May 2026)​

  • Smart Setup β€” paste an OpenAPI spec URL and the dashboard auto-detects your endpoints to create an L402 proxy
  • Test-It panel β€” live 402 preview per endpoint, so you can see exactly what agents receive before going live
  • Merged Pricing tab and self-service Regenerate API key button on Settings

Merchant CORS Auto-Allowlist & Canonical Shopify Identity (May 2026)​

  • Merchant-origin CORS auto-allowlist β€” merchant storefront domains are allowed automatically via the MerchantOrigins table; no manual CORS configuration per merchant
  • Canonical Shopify shop identity β€” the *.myshopify.com handle and primary domain are read from Shopify's own shop.json (never derived heuristically) on OAuth install, credential save, and an explicit dashboard refresh button; admin backfill and scope-probe diagnostics heal legacy rows

Premium Guides & L402 Tool APIs (May 2026)​

  • Premium guide catalog expanded and repriced; guides are L402-protected content endpoints β€” pay per guide with any L402 client (first shipped March 2026)
  • Tier 1 L402 tool APIs added to the registry

Shopify: Draft-Order Tax & Required Buyer Location (April 2026)​

  • Tax via Shopify Draft Orders β€” checkout creates a temporary draft order to get Shopify-calculated tax, which is included in the Lightning invoice total (requires the write_draft_orders scope)
  • X-Buyer-Location header is now required at Shopify checkout ({country}-{state}-{zip}, the buyer's location); the stored default-location fallback was removed
  • 30-day free trial on Agentic Commerce plans (card required, no charge until the trial ends)

v1.3.0 β€” Public L402 Test Endpoint (March 2026)​

  • Public test endpoint β€” GET https://api.lightningenable.com/l402/test/ping returns a 402 with a 1-sat invoice, no API key or signup required
  • Pay the invoice, retry with Authorization: L402 <macaroon>:<preimage>, get a 200 β€” full L402 round-trip in two curl commands
  • Alby Hub officially verified as L402-compatible

Shopify L402 Integration (March 2026)​

AI agents can browse a Shopify catalog, pay via Lightning, and create real Shopify orders β€” L402 cryptographic proof is the payment verification, no webhook dependency.

  • Public store endpoints: catalog β†’ checkout (402 + Lightning invoice) β†’ claim with Authorization: L402 {macaroon}:{preimage} + shipping address
  • Shopify OAuth app install from the dashboard, with manual token entry preserved as an advanced fallback
  • Claim tokens allow a configurable window (default 30 days) to provide shipping details after payment; expired unclaimed orders are auto-purged
  • Active Shopify stores are auto-registered in the L402 API registry for agent discovery
  • See the Shopify Commerce docs

v1.2.0 β€” L402 Producer API (March 2026)​

Agents can now earn, not just spend. The L402 Producer API enables Agentic Commerce subscribers to create L402 payment challenges and verify payments β€” powering agent-to-agent commerce where AI agents autonomously buy and sell services.

New Features​

  • L402 Producer API β€” Two new endpoints (POST /api/l402/challenges, POST /api/l402/challenges/verify) let merchants programmatically create L402 payment challenges and verify L402 tokens
  • Challenge idempotency β€” Same resource + price from the same client within 60 seconds returns the same invoice, preventing duplicate charges on retries
  • Two new MCP tools β€” create_l402_challenge and verify_l402_payment bring producer capabilities directly to AI agents via MCP

Documentation​


Strike Payment Provider (February 2026)​

Multi-provider settlement abstraction: merchants choose Strike or OpenNode as their payment provider. Lightning Enable does not hold funds β€” the configured provider facilitates custody and settlement.

  • Strike is the default provider on the hosted service (PaymentProvider:Default); each merchant can override per-account
  • Strike returns the preimage on outgoing payments, which L402 requires β€” making it the recommended provider for L402 workloads
  • Strike webhooks supported (thin payloads β€” the API fetches full entity details after receipt)
  • Multi-currency support via Strike (USD, EUR, GBP, AUD, BTC, USDT)

v1.1.0 β€” Security Audit & Quality Hardening (February 2026)​

Comprehensive security audit and code quality pass across the entire API surface. Added 244 new tests, bringing total coverage from 407 to 651 tests.

Security Hardening (7 Critical + 13 High Priority)​

Critical fixes:

  • SSRF protection on webhook callback URLs and proxy target URLs β€” block internal/private network ranges
  • Webhook signature verification β€” constant-time HMAC comparison to prevent timing attacks
  • L402 amount binding β€” macaroon caveats now bind to the invoiced amount, preventing underpayment exploits
  • Subscription enforcement β€” active Stripe subscription required for all authenticated API operations
  • Error sanitization β€” internal exception details, stack traces, and infrastructure information no longer leak in API responses
  • API key hashing β€” merchant API keys stored as one-way hashes for improved credential security
  • Webhook replay protection β€” timestamp validation rejects stale webhook deliveries

High priority fixes:

  • Rate limiting on authentication, invoice creation, and webhook endpoints
  • Idempotency keys on all OpenNode charge creation calls to prevent duplicate invoices
  • Request size limits on all endpoints accepting request bodies
  • Input validation on all merchant-supplied URLs (scheme, length, format)
  • Correlation ID propagation via X-Correlation-Id header for end-to-end request tracing
  • Webhook delivery queue hardening with dead-letter handling and bounded retries
  • L402 macaroon expiry enforcement and nonce replay protection
  • Proxy target URL allowlist validation against merchant-registered domains
  • Merchant-scoped database query enforcement across all repository methods
  • Stripe webhook signature verification on all subscription lifecycle events
  • OpenNode API key validation on merchant registration
  • Secure cache headers on all API responses
  • Admin endpoint authentication audit and header validation

API Improvements (10 Medium Priority)​

  • OpenAPI annotations on all endpoints with response type documentation
  • Cancellation token propagation through all async controller actions and service methods
  • DTO validation attributes on all request models (required fields, range constraints, URL format)
  • Structured logging with Serilog semantic properties across all services
  • Consistent error response format using ProblemDetails (RFC 9457)
  • Health check endpoint expanded with dependency status (database, OpenNode, Stripe)
  • Webhook delivery status tracking with queryable history per merchant
  • Rate-limited (429) responses include a retryAfter hint (seconds) in the JSON error body
  • Request/response logging middleware with PII redaction
  • Graceful shutdown handling for in-flight webhook deliveries and background jobs

Code Quality (5 Low Priority)​

  • Dead code removal across controllers, services, and middleware
  • Consistent async/await patterns β€” eliminated fire-and-forget calls
  • Nullable reference type annotations on all public API surfaces
  • Standardized exception hierarchy with domain-specific exception types
  • Code style enforcement via .editorconfig and analyzer rules

Test Coverage​

  • 244 new tests added (407 to 651 total)
  • Security-focused tests: SSRF blocking, signature verification, replay protection, rate limiting
  • Integration tests for full webhook delivery pipeline
  • L402 protocol tests covering challenge, payment, and verification flows
  • Subscription enforcement tests across all plan tiers
  • Edge case coverage for concurrent requests, timeout handling, and malformed input

MCP Server​

v1.12.13 β€” Destination-Bound Confirmation Codes (June 2026)​

Security release β€” update both packages.

  • Confirmation codes are now bound to the payment destination, in addition to the amount and tool: the BOLT11 invoice (pay_invoice, pay_l402_challenge), the resource URL (access_l402_resource), the on-chain address (send_onchain), and the settlement endpoint (settle_agent_service, Python).
  • Closes an anti-redirect hole: previously a prompt-injected agent could obtain a code for a benign payment, then re-call the same tool at the same amount with a different destination. Destination mismatch now rejects without consuming the code, so the legitimate retry still works.
  • Applies to both the .NET and Python packages.

v1.12.12 β€” Python Funds-Safety Parity (June 2026)​

Brings the Python package in line with the .NET out-of-band confirmation that shipped in v1.12.10.

  • Out-of-band confirmation now in Python too. Above-threshold payments (pay_invoice, access_l402_resource, pay_l402_challenge) print the confirmation code to the server console/stderr only β€” never in a tool result β€” so a prompt-injected agent can't read its own code and self-approve. Before this release the Python package still accepted an agent-supplied confirmation flag.
  • send_onchain always confirms and fails closed in Python (parity with .NET): no budget service, or any budget-check error, refuses the send.
  • Confirmation parameter unified across both packages β€” .NET uses confirmationNonce, Python uses confirmation_nonce (same concept, each language's casing).
  • The legacy in-process budget manager now fails closed above the auto-approve floor instead of allowing a self-confirm.

v1.12.11 β€” Python Packaging Fix (June 2026)​

  • secp256k1 is now an optional dependency. pip install lightning-enable-mcp works on every platform, including Windows, with no build toolchain.
  • Nostr Wallet Connect (NWC) wallets need the optional extra: pip install lightning-enable-mcp[nwc]. Using an NWC wallet without it raises a clear error telling you to install it. Other wallet types (LND, Strike, OpenNode) don't need the extra.
  • The .NET package is unaffected β€” it uses managed crypto.

v1.12.10 β€” Funds-Safety Hardening (June 2026)​

Hardens the agent payment path so a prompt-injected agent can't approve its own large payments.

  • Out-of-band confirmation (.NET in this release; Python parity in v1.12.12). When a payment exceeds the auto-approve threshold, the server prints a confirmation code to its console / stderr β€” visible to the human operator and never returned in a tool result. The agent must ask the human for the code, then re-call the original payment tool with its confirmation-nonce parameter (confirmationNonce in .NET, confirmation_nonce in Python) to proceed. (The separate confirm_payment tool only verifies a code β€” it does not execute the payment.) Applies to pay_invoice, access_l402_resource, and pay_l402_challenge. This assumes the AI runtime can't read the server's stderr/logs; for agents that share a shell/host with the server, run it where the agent can't read its stderr.
  • send_onchain always requires confirmation (on-chain payments are irreversible), even for small amounts, and fails closed if the budget service is unavailable.
  • Confirmation codes are bound to the exact amount AND tool they approved β€” no cross-tool or cross-amount reuse.
  • configure_budget added to the .NET server (previously Python-only) and is tighten-only in both packages: an agent can lower its per-request / per-session caps at runtime but can never raise them above the operator's ~/.lightning-enable/config.json limits.
  • Budget checks fail closed if the BTC price feed is unavailable (3 price sources, no stale fallback).
  • The NWC response preimage is no longer logged.

v1.12.2 β€” Critical: Payment Confirmation Fix (April 2026)​

Severity: Critical β€” affects all .NET MCP clients since v1.6.0

Problem: When a client reports MCP elicitation capability (as Claude Code does) but elicitation doesn't actually work, the payment confirmation flow returned "Payment cancelled by user" with no nonce and no recovery path. Any payment above the auto-approve threshold was permanently blocked.

Fix: Always fall back to nonce-based confirmation when elicitation fails, regardless of reported client capabilities. Affected tools: pay_invoice, access_l402_resource, pay_l402_challenge.

Update immediately:

# .NET global tool
dotnet tool update -g LightningEnable.Mcp

Affected versions: v1.6.0 through v1.12.1 (all deprecated on NuGet). Python package was never affected.


v1.11.2 β€” Version Bump (March 2026)​

  • Version bump for CI pipeline alignment; no functional changes

v1.11.1 β€” L402 HTTP Client Fix (March 2026)​

  • Fixed gzip decompression issue in the L402 HTTP client by sending Accept-Encoding: identity, preventing decompression errors on some servers

v1.11.0 β€” NIP-44 v2 Outgoing Encryption (March 2026)​

  • NWC outgoing requests now encrypted with NIP-44 v2 (Alby Hub compatibility)
  • NIP-47 encryption tag support for improved NWC interoperability

v1.10.1 β€” Docker Image Update (March 2026)​

  • Updated Docker base image; no functional changes

v1.10.0 β€” NIP-44 v2 Incoming Decryption (March 2026)​

  • Auto-detects NIP-04 vs NIP-44 v2 encryption on incoming NWC responses
  • No configuration required β€” works transparently with all supported NWC wallets

v1.9.0 β€” Producer Tools (March 2026)​

  • create_l402_challenge β€” AI agents can now sell services: create a Lightning invoice + macaroon to present to other agents or users as a 402 challenge
  • verify_l402_payment β€” Verify an L402 token (macaroon + preimage) to confirm payment before granting access
  • Both tools require an Agentic Commerce subscription (from $99/mo)

v1.8.0 β€” LND Wallet Support (February 2026)​

  • Added LND REST API wallet backend for self-hosted nodes
  • Configure with LND_REST_HOST and LND_MACAROON_HEX env vars
  • Full L402 preimage support via LND

v1.7.0 β€” discover_api Tool (February 2026)​

  • discover_api β€” Search the L402 API registry by keyword/category, or fetch a specific API's manifest from a URL
  • Budget-aware annotations show how many calls you can afford at the current BTC price

v1.6.0 β€” License Removed, All Consumer Tools Free (February 2026)​

  • License requirement removed β€” all 15 consumer tools are now free, no Lightning payment or subscription required
  • Added confirm_payment tool for explicit payment confirmation before execution
  • The 6,000-sat license purchase from v1.5.0 is no longer needed; existing licenses are ignored

v1.5.2 β€” Version Display Fix (February 2026)​

  • Assembly version now matches package version for accurate startup display
  • Includes all v1.5.1 fixes below

v1.5.1 β€” Critical Bug Fix (February 2026)​

Severity: Critical β€” affects all payment confirmations

Problem: The confirm_payment tool was consuming the payment nonce before pay_invoice could use it. This caused every confirmed payment to fail with:

Invalid, expired, or already-used confirmation nonce

Root Cause: Both confirm_payment and pay_invoice called ValidateAndConsumeConfirmation(), which removes the nonce from memory. Since confirm_payment runs first (to get user approval), it consumed the nonce, leaving nothing for pay_invoice to validate against.

Fix: confirm_payment now uses a read-only ValidateConfirmation() method that checks the nonce without consuming it. Only pay_invoice consumes the nonce.

Update immediately:

# .NET global tool
dotnet tool update -g LightningEnable.Mcp

Affected versions: v1.5.0


v1.5.0 β€” Multi-Wallet Support​

  • Added Strike wallet backend with preimage support
  • Added LND REST wallet backend
  • Added Nostr Wallet Connect (NWC) wallet backend
  • Configurable wallet priority via WALLET_PRIORITY env var or config file
  • Config file support at ~/.lightning-enable/config.json
  • L402 license purchase via Lightning payment (6,000 sats, valid forever)
  • Budget controls with dual USD/sats limits

v1.4.0 β€” L402 Auto-Pay​

  • access_l402_resource tool for automatic L402 payment
  • pay_l402_challenge tool for manual L402 payment
  • Budget enforcement with per-request and per-session limits
  • Payment history tracking

v1.3.0 β€” Initial Release​

  • pay_invoice β€” Pay any Lightning invoice
  • check_wallet_balance β€” Check wallet balance
  • get_payment_history β€” View payment history
  • get_budget_status β€” View budget limits
  • OpenNode wallet backend