L402 — Lightning HTTP 402 Protocol
L402 is the Bitcoin-native counterpart to x402: same HTTP 402 surface, but settled off-chain on Lightning instead of on-chain via stablecoins. Useful when you need true micropayments (sub-cent), instant finality without facilitators, and Bitcoin economics. Powers paid LLM access (e.g. Fewsats), paid storage gateways, and a small but real ecosystem of metered Lightning APIs.
What It Defines
Authentication and payment protocol that combines HTTP 402, macaroons (a bearer token format with attenuable caveats), and the Lightning Network. The server returns 402 with a `WWW-Authenticate: L402 macaroon="…", invoice="lnbc…"` header. The client pays the BOLT-11 Lightning invoice off-chain, obtains the payment preimage, and replays the request with `Authorization: L402 <macaroon>:<preimage>`. The server validates the macaroon's caveats and that the preimage matches the invoice's payment hash. Originally announced as LSAT (Lightning Service Authentication Token) in 2019 and renamed L402 in 2023. Lightning Labs ships Aperture as a reverse-proxy reference implementation.
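The preimage half of the exchange described above, as an added example (not code from Aperture or Lightning Labs). It assumes the macaroon travels as base64 text and the preimage as 64 hex characters, and it uses a hypothetical in-memory map from each issued macaroon to its invoice's payment hash; macaroon signature and caveat verification are left out.

```python
import hashlib
import hmac
import re

# Header shapes from the paragraph above. Treating the macaroon as base64 text
# and the preimage as 64 hex characters (32 bytes) is an assumption of this sketch.
_CHALLENGE = re.compile(r'^L402\s+macaroon="([^"]+)",\s*invoice="([^"]+)"$')
_AUTH = re.compile(r'^L402\s+([A-Za-z0-9+/_=-]+):([0-9a-fA-F]{64})$')


def parse_challenge(value):
    """Client side: split a WWW-Authenticate value into (macaroon, invoice)."""
    m = _CHALLENGE.match(value.strip())
    if m is None:
        raise ValueError("not an L402 challenge")
    return m.group(1), m.group(2)


def parse_authorization(value):
    """Server side: split an Authorization value into (macaroon, preimage bytes)."""
    m = _AUTH.match(value.strip())
    if m is None:
        raise ValueError("not an L402 credential")
    return m.group(1), bytes.fromhex(m.group(2))


def is_paid(auth_value, issued):
    """True only if the preimage hashes to the payment hash issued with this macaroon.

    `issued` maps macaroon -> payment hash (hypothetical in-memory store).
    Macaroon signature and caveat checks are out of scope here.
    """
    try:
        macaroon, preimage = parse_authorization(auth_value)
    except ValueError:
        return False
    payment_hash = issued.get(macaroon)
    if payment_hash is None:
        return False
    # A Lightning payment hash is SHA-256(preimage); compare in constant time.
    return hmac.compare_digest(hashlib.sha256(preimage).digest(), payment_hash)


# Constructed sample values, not a real macaroon, invoice or payment.
MACAROON = "Y29uc3RydWN0ZWQ="
PREIMAGE = bytes(range(32))
ISSUED = {MACAROON: hashlib.sha256(PREIMAGE).digest()}
```

Because the credential is a bearer token, anyone holding the macaroon and preimage pair can replay it, so a server still has to enforce the macaroon's caveats alongside this check.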
Related References
Lightning Labs: authors of the L402 (Lightning HTTP 402) protocol, formerly called LSAT (Lightning Service Authentication Token). L402 combines HTTP 402, macaroon-based authorization tokens, and Lightning Network invoices to gate API access behind off-chain Bitcoin micropayments. Lightning Labs also maintains the LND implementation and contributes to the BOLT specifications.
Related Specs
If you're returning 402 — or shopping for a way to monetize an API or MCP server — the spec hands you the code and nothing else. The meaning lives entirely in whatever protocol you layer above it: x402 (stablecoins, X-PAYMENT header), L402 (Lightning, WWW-Authenticate macaroon+invoice), or your own. Knowing that 402 itself is a blank canvas is the difference between shipping an interoperable agent-payable endpoint and a 402 response no client can negotiate against.
This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.
x402 is the leading candidate for the agent-economy payment rail: it lets an AI agent (or any HTTP client) pay for an API call inline, with no API key, no signup, and no human-in-the-loop. If you're building agentic apps, paid MCP servers, per-request data products, or anything where "charge for this request without a session" matters, x402 is the standard to know — supported by Coinbase, Cloudflare, Vercel AI Gateway, and a growing facilitator ecosystem.