LND Macaroon Guide — Create, Bake, and Secure Access Tokens
Macaroons are LND's access tokens: bearer credentials that carry a list of permissions (entity:action pairs) and optional caveats such as an expiry or an IP lock. Understanding them helps you set up secure remote access, third-party tools, and restricted permissions.
Find your macaroons
# Default location
ls ~/.lnd/data/chain/bitcoin/mainnet/
# admin.macaroon         - full access (controls funds; treat like a private key)
# invoice.macaroon       - create/check invoices only
# readonly.macaroon      - read-only access
# chainnotifier.macaroon - ChainNotifier sub-server (chain event notifications)
# router.macaroon        - Router sub-server (payments and routing)
# signer.macaroon        - Signer sub-server (signing operations)
# walletkit.macaroon     - WalletKit sub-server (wallet key management)
Use a macaroon with lncli
# Default (uses admin.macaroon)
lncli getinfo
# Use a specific macaroon
lncli --macaroonpath=~/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon getinfo
# Export macaroon as hex (for REST API; -c 1000 keeps the hex on one line so it can go in a header)
xxd -p -c 1000 ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
# Export as base64 (for some tools)
base64 -w0 ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
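The hex export above is what the REST API wants in its Grpc-Metadata-macaroon header, and the usual mistakes are a wrapped or newline-terminated hex string. The script below is an added example, not code from the original page or from LND: it converts a macaroon file to one-line hex (falling back to od where xxd is missing) and builds the header value. The function names and the use of $1 as the macaroon path are this example's own choices.

```shell
# Added example: macaroon file -> one-line hex -> REST auth header.
# Assumes $1 is a macaroon path and that xxd or od is installed.

# Print the macaroon as lowercase hex on a single line, with no trailing newline.
macaroon_to_hex() {
  file="$1"
  if [ ! -r "$file" ]; then
    echo "macaroon_to_hex: cannot read $file" >&2
    return 1
  fi
  if command -v xxd >/dev/null 2>&1; then
    # xxd -p wraps at 60 hex characters per line; strip the newlines
    xxd -p "$file" | tr -d '\n'
  else
    # Portable fallback: od prints one byte per column, strip all whitespace
    od -An -v -tx1 "$file" | tr -d ' \n'
  fi
}

# Build the header value LND's REST endpoints authenticate with.
macaroon_header() {
  hex=$(macaroon_to_hex "$1") || return 1
  echo "Grpc-Metadata-macaroon: $hex"
}

# Stand-alone use: sh macaroon_hex.sh ~/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon
if [ -n "${1:-}" ]; then
  macaroon_header "$1"
fi
```

With a read-only macaroon the call looks like `curl --cacert ~/.lnd/tls.cert -H "$(macaroon_header ~/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon)" https://localhost:8080/v1/getinfo` (8080 is LND's default REST port). Prefer the least-privileged macaroon that covers the endpoint you are calling; the header travels with every request, so anything that logs headers sees the token.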
Bake a custom restricted macaroon
# Create a macaroon that can only read and create invoices
lncli bakemacaroon invoices:read invoices:write
# Create a macaroon limited to reading node info
lncli bakemacaroon info:read
# Create macaroon valid for 24 hours only (timeout is in seconds)
lncli bakemacaroon --timeout 86400 info:read invoices:read
# Create macaroon locked to a specific client IP
lncli bakemacaroon --ip_address 1.2.3.4 info:read
# List all macaroon permissions (entity:action names valid for your LND version)
lncli listpermissions
Revoke all macaroons (security reset)
# Rotating the macaroon root key invalidates ALL existing macaroons!
# The root key lives in macaroons.db, so deleting only the .macaroon files
# is not enough: copies already handed out would still verify.
sudo systemctl stop lnd
rm ~/.lnd/data/chain/bitcoin/mainnet/macaroons.db
rm ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon
sudo systemctl start lnd
# LND creates a fresh root key and new default macaroons once the wallet is unlocked
lncli unlock
# Every tool that held an old macaroon (RTL, ThunderHub, scripts) must be given a new one
Connect RTL or ThunderHub securely
# For RTL — needs admin or a specific macaroon
# In RTL config (RTL-Config.json):
#   "macaroonPath": "/home/ubuntu/.lnd/data/chain/bitcoin/mainnet"
# For ThunderHub — same approach
# Never share admin.macaroon over unencrypted connections
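Putting the baking section and the RTL/ThunderHub section together: a dashboard rarely needs admin.macaroon, and handing it one means the dashboard can move funds. The script below is an added example, not code from the original page, from LND, or from either project. It maps a small set of roles (the roles and their permission sets are this example's assumptions; the entity:action names are LND's, and `lncli listpermissions` shows which exist in your version) to a `bakemacaroon` command with optional expiry and IP lock, saves the result with `--save_to`, restricts the file to the owner, and audits a macaroon directory for files readable by other users. With DRY_RUN=1 it only prints the command, so you can check it before running it on the node.

```shell
# Added example: least-privilege macaroons for third-party tools, plus a file-mode audit.
# MACAROON_DIR and the role map are assumptions; adjust them to your setup.
MACAROON_DIR="${MACAROON_DIR:-$HOME/.lnd/data/chain/bitcoin/mainnet}"
DRY_RUN="${DRY_RUN:-0}"

# Smallest permission set that covers each role (assumed roles, not LND-defined).
# "admin" is deliberately not a role: full access should never be baked by this path.
role_permissions() {
  case "$1" in
    monitor)  echo "info:read invoices:read offchain:read onchain:read" ;;
    invoicer) echo "info:read invoices:read invoices:write" ;;
    *)        echo "role_permissions: unknown role '$1'" >&2; return 1 ;;
  esac
}

# Build the bakemacaroon command: role, output path, optional timeout (seconds), optional IP.
bake_cmd() {
  role="$1"; out="$2"; timeout="${3:-}"; ip="${4:-}"
  perms=$(role_permissions "$role") || return 1
  cmd="lncli bakemacaroon --save_to $out"
  [ -n "$timeout" ] && cmd="$cmd --timeout $timeout"
  [ -n "$ip" ] && cmd="$cmd --ip_address $ip"
  echo "$cmd $perms"
}

# Bake into MACAROON_DIR/<role>.macaroon and lock the file down to the owner.
bake_for_tool() {
  role="$1"; timeout="${2:-}"; ip="${3:-}"
  out="$MACAROON_DIR/$role.macaroon"
  cmd=$(bake_cmd "$role" "$out" "$timeout" "$ip") || return 1
  if [ "$DRY_RUN" = "1" ]; then
    echo "$cmd"
    return 0
  fi
  # $cmd is intentionally unquoted so the shell splits it into arguments
  $cmd && chmod 600 "$out"
}

# Flag macaroon files readable by anyone other than the owner. Returns 1 if any are found.
audit_macaroon_perms() {
  dir="$1"; bad=0
  for f in "$dir"/*.macaroon; do
    [ -e "$f" ] || continue
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
      600|400) ;;
      *) echo "WARN: $f has mode $mode (expected 600)"; bad=1 ;;
    esac
  done
  return $bad
}
```

Typical use on the node: `DRY_RUN=1 bake_for_tool monitor 86400 10.0.0.5` to inspect the command, then the same call without DRY_RUN, and `audit_macaroon_perms "$MACAROON_DIR"` after any copy or backup step. If a tool will only work with admin.macaroon, treat that tool as holding full control of the node's funds and protect its host accordingly.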
Need macaroon/auth help? $9
I set up secure macaroon-based access for remote tools, bake restricted tokens, and fix auth issues. USDT TRC-20.