LND Macaroon Permissions — Custom Access for RTL, ThunderHub, Apps
Macaroons are LND's bearer authentication tokens: whoever holds the file can call every RPC the macaroon's permissions allow. Handing admin.macaroon to every app is therefore a security risk, because a compromised dashboard or payment page becomes a compromised node. Here's how to bake macaroons scoped to what each app actually needs, and what revoking one really involves.
Understand macaroon types
```bash
# Default macaroons live next to the chain data
ls -la ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon

# admin.macaroon — every permission (never share it or paste it into an app config)
# invoice.macaroon — create/look up invoices and generate receive addresses, nothing else
# readonly.macaroon — the read action on every entity, no write access at all
# chainnotifier.macaroon — chain notification events only
```

LND also generates router.macaroon, signer.macaroon and walletkit.macaroon for the corresponding sub-servers. The file names are fixed; what matters is the entity:action list inside each, which `lncli printmacaroon --macaroon_file <file>` shows.
Create a read-only macaroon
```bash
# Flags first, then the entity:action list. Note the entity is "onchain":
# "chain" is not an LND permission entity and lncli will reject it.
lncli bakemacaroon \
  --save_to ~/readonly_custom.macaroon \
  info:read \
  onchain:read \
  invoices:read \
  peers:read

# Verify exactly which permissions it carries before handing it out
lncli printmacaroon --macaroon_file ~/readonly_custom.macaroon
```
Create invoice-only macaroon (for payment pages)
```bash
lncli bakemacaroon \
  --save_to ~/invoice_only.macaroon \
  invoices:write \
  invoices:read

# The holder can create, look up, settle and cancel invoices but cannot pay,
# open channels, move funds on-chain or bake further macaroons.
# invoices:read still exposes every invoice, preimages included, so keep the
# file server-side in a web app rather than shipping it to the browser.
```

If the merchant also needs fresh on-chain receive addresses, compare with the permissions in the stock invoice.macaroon, which adds address:read and address:write.
Create macaroon for RTL / ThunderHub
```bash
# RTL and ThunderHub need to manage channels and pay, but they do not need to
# bake macaroons, stop the node or send on-chain (no macaroon:*, no onchain:write)
lncli bakemacaroon \
  --save_to ~/rtl_custom.macaroon \
  info:read \
  invoices:read \
  invoices:write \
  peers:read \
  peers:write \
  onchain:read \
  offchain:read \
  offchain:write

# offchain:write on its own lets the holder open/close channels and send
# payments, so protect this file like a hot-wallet key.

# ThunderHub accepts the macaroon as a hex string; convert it for config files
xxd -p ~/rtl_custom.macaroon | tr -d '\n'
```

RTL's `macaroonPath` setting names a directory, and RTL loads `admin.macaroon` from it, so put the custom file in a separate directory under that name instead of pointing RTL at the directory holding your real admin.macaroon (check the config reference for your RTL version).
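The three bake steps above are the same procedure with different permission lists, and the one real pitfall is a mistyped entity that lncli only reports at bake time. The helper below, an added example that is not part of lnd or this page, validates an entity:action list against the vocabulary lncli bakemacaroon accepts (the ENTITIES/ACTIONS sets are an assumption to confirm against `lncli bakemacaroon --help` for your version), emits the full command with flags placed before the positional permissions, and does the hex conversion ThunderHub-style configs want.

```python
"""Build and sanity-check `lncli bakemacaroon` invocations.

Added helper, not lnd's own code. ENTITIES and ACTIONS mirror the permission
vocabulary lnd accepts for bakemacaroon (assumption: verify against
`lncli bakemacaroon --help` on your node).
"""
import shlex
from typing import Dict, Iterable, List, Optional

ENTITIES = {"onchain", "offchain", "address", "message", "peers", "info",
            "invoices", "signer", "macaroon", "uri"}
ACTIONS = {"read", "write", "generate"}
# Common mistakes and what was probably meant (the page's own "chain:read" is one)
ENTITY_HINTS = {"chain": "onchain", "invoice": "invoices", "peer": "peers"}


def check_permissions(perms: Iterable[str]) -> Optional[str]:
    """Return None if every entry is a valid entity:action pair, else an error message."""
    seen = False
    for p in perms:
        seen = True
        if p.count(":") != 1:
            return f"{p!r}: expected the form entity:action"
        entity, action = p.split(":")
        if entity not in ENTITIES:
            hint = ENTITY_HINTS.get(entity)
            suffix = f" (did you mean {hint!r}?)" if hint else ""
            return f"{p!r}: unknown entity {entity!r}{suffix}"
        if action not in ACTIONS:
            return f"{p!r}: unknown action {action!r}"
    return None if seen else "no permissions given"


def validate_permissions(perms: Iterable[str]) -> List[str]:
    """Raise ValueError on a bad entry; otherwise return the list with duplicates removed."""
    perms = list(perms)
    err = check_permissions(perms)
    if err:
        raise ValueError(err)
    return list(dict.fromkeys(perms))  # order-preserving de-duplication


def bake_command(perms: Iterable[str], save_to: Optional[str] = None,
                 root_key_id: Optional[int] = None, timeout: Optional[int] = None,
                 ip_address: Optional[str] = None) -> List[str]:
    """argv for lncli: all flags precede the positional entity:action arguments."""
    argv = ["lncli", "bakemacaroon"]
    if save_to:
        argv.append(f"--save_to={save_to}")
    if root_key_id is not None:       # lets the macaroon be revoked later by ID
        argv.append(f"--root_key_id={root_key_id}")
    if timeout is not None:           # seconds until the macaroon expires
        argv.append(f"--timeout={timeout}")
    if ip_address:                    # only accepted from this client IP
        argv.append(f"--ip_address={ip_address}")
    argv.extend(validate_permissions(perms))
    return argv


def bytes_to_hex(data: bytes) -> str:
    """Same result as `xxd -p file | tr -d '\\n'`."""
    return data.hex()


def macaroon_to_hex(path: str) -> str:
    with open(path, "rb") as f:
        return bytes_to_hex(f.read())


# The three profiles from this page, as bake_command inputs
PROFILES: Dict[str, List[str]] = {
    "readonly_custom": ["info:read", "onchain:read", "invoices:read", "peers:read"],
    "invoice_only": ["invoices:write", "invoices:read"],
    "rtl_custom": ["info:read", "invoices:read", "invoices:write", "peers:read",
                   "peers:write", "onchain:read", "offchain:read", "offchain:write"],
}

if __name__ == "__main__":
    for name, perms in PROFILES.items():
        argv = bake_command(perms, save_to=f"~/{name}.macaroon", root_key_id=2)
        print(shlex.join(argv))
    print(check_permissions(["chain:read"]))  # the typo this page originally carried
```

Run it to print the three commands; feed any permission list you are about to bake through `check_permissions` first, and pass a `root_key_id` so the result can be revoked without touching the default macaroons.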
Revoke a compromised macaroon
```bash
# LND revokes macaroons by root key ID, not one file at a time. Bake anything you
# hand to an app under its own root key ID (the default macaroons use ID 0):
lncli bakemacaroon \
  --root_key_id 2 \
  --save_to ~/rtl_custom.macaroon \
  info:read invoices:read invoices:write peers:read peers:write \
  onchain:read offchain:read offchain:write

# If that file leaks, delete its root key: every macaroon baked from ID 2 stops
# verifying immediately, and the default macaroons are untouched
lncli listmacaroonids
lncli deletemacaroonid 2

# Deleting only the *.macaroon files is NOT a revocation. LND regenerates them on
# the next unlock from the same root key stored in macaroons.db, so a stolen copy
# of admin.macaroon keeps working. To invalidate the defaults too, rotate the
# root key: remove the files AND the database, then restart and unlock.
sudo systemctl stop lnd
rm ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon \
   ~/.lnd/data/chain/bitcoin/mainnet/macaroons.db
sudo systemctl start lnd
lncli unlock
# Alternatively, `lncli unlock --new_mac_root_key` rotates the root key without
# deleting the database. Either way, re-bake your custom macaroons afterwards and
# update every app that held one.
```
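To see why deleting macaroon files does nothing while deleting a root key revokes a whole group, it helps to run the mechanism itself. The model below is an added example, not lnd's code or its wire format: a macaroon is an identifier plus an HMAC chain started from a root key, each caveat extends the chain, and the server recomputes the chain from the root key it still holds. LND keeps permissions in the identifier and checks first-party caveats; the model uses a readable identifier string, epoch seconds for `time-before` (LND's real caveat uses an RFC3339 timestamp) and an in-memory store standing in for macaroons.db. It covers the scoping rules from the sections above and the revocation behaviour of this one.

```python
"""Toy macaroon mint/attenuate/verify/revoke model (added example, not lnd's code).

Identifier layout, caveat syntax and the in-memory RootKeyStore are constructed
for illustration; the HMAC-chain construction is the standard macaroon design.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

Macaroon = Dict[str, object]


def _chain(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class RootKeyStore:
    """Stands in for macaroons.db: root keys addressed by numeric ID (0 = default)."""

    def __init__(self) -> None:
        self.keys: Dict[int, bytes] = {0: secrets.token_bytes(32)}

    def add(self, key_id: int) -> None:          # first bake with --root_key_id N
        self.keys[key_id] = secrets.token_bytes(32)

    def delete(self, key_id: int) -> None:       # lncli deletemacaroonid N
        del self.keys[key_id]

    def rotate_all(self) -> None:                # delete macaroons.db / --new_mac_root_key
        for key_id in list(self.keys):
            self.keys[key_id] = secrets.token_bytes(32)


def bake(store: RootKeyStore, key_id: int, perms: List[str]) -> Macaroon:
    """Needs the root key; this is what lncli bakemacaroon asks the node to do."""
    identifier = f"rk={key_id};perms={','.join(sorted(perms))}".encode()
    return {"id": identifier, "caveats": [], "sig": _chain(store.keys[key_id], identifier)}


def attenuate(mac: Macaroon, caveat: str) -> Macaroon:
    """Anyone holding a macaroon can add a restriction; no root key required."""
    return {"id": mac["id"], "caveats": list(mac["caveats"]) + [caveat],
            "sig": _chain(mac["sig"], caveat.encode())}


def _caveat_holds(caveat: str, now: int, client_ip: str) -> bool:
    kind, _, arg = caveat.partition(" ")
    if kind == "time-before":
        return now < int(arg)
    if kind == "ipaddr":
        return client_ip == arg
    return False  # unknown caveat: fail closed


def authorize(store: RootKeyStore, mac: Macaroon, needed: str, now: int, client_ip: str) -> bool:
    """Server side of every RPC: recompute the chain, check caveats, check permission."""
    fields = dict(f.split("=", 1) for f in mac["id"].decode().split(";"))
    key = store.keys.get(int(fields["rk"]))
    if key is None:
        return False  # root key gone: every macaroon minted from it is dead
    sig = _chain(key, mac["id"])
    for caveat in mac["caveats"]:
        if not _caveat_holds(caveat, now, client_ip):
            return False
        sig = _chain(sig, caveat.encode())
    if not hmac.compare_digest(sig, mac["sig"]):
        return False
    return needed in fields["perms"].split(",")


def scenario() -> Dict[str, bool]:
    """Each entry is True when the model behaves as the text claims."""
    store = RootKeyStore()
    store.add(2)
    admin = bake(store, 0, ["info:read", "offchain:write", "macaroon:write"])
    rtl = bake(store, 2, ["info:read", "offchain:write"])
    now = 1_700_000_000
    locked = attenuate(attenuate(rtl, f"time-before {now + 3600}"), "ipaddr 10.0.0.5")
    forged = {"id": locked["id"], "caveats": locked["caveats"][:1], "sig": locked["sig"]}
    r = {
        "admin_can_bake": authorize(store, admin, "macaroon:write", now, "10.0.0.5"),
        "rtl_cannot_bake": not authorize(store, rtl, "macaroon:write", now, "10.0.0.5"),
        "locked_ok_from_allowed_ip": authorize(store, locked, "offchain:write", now, "10.0.0.5"),
        "locked_rejected_elsewhere": not authorize(store, locked, "offchain:write", now, "10.0.0.9"),
        "locked_rejected_after_expiry": not authorize(store, locked, "offchain:write", now + 7200, "10.0.0.5"),
        "stripped_caveat_rejected": not authorize(store, forged, "offchain:write", now, "10.0.0.9"),
    }
    stolen_admin = dict(admin)  # the attacker's copy; deleting our .macaroon file changes nothing
    r["stolen_admin_still_valid"] = authorize(store, stolen_admin, "offchain:write", now, "1.2.3.4")
    store.delete(2)             # lncli deletemacaroonid 2
    r["rtl_revoked_by_id"] = not authorize(store, locked, "offchain:write", now, "10.0.0.5")
    r["admin_unaffected_by_id_delete"] = authorize(store, stolen_admin, "offchain:write", now, "1.2.3.4")
    store.rotate_all()          # only a root key rotation kills the stolen admin macaroon
    r["admin_dead_after_rotation"] = not authorize(store, stolen_admin, "offchain:write", now, "1.2.3.4")
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{'ok ' if ok else 'FAIL'} {name}")
```

Two things to take from the run: attenuation (the `--timeout` and `--ip_address` caveats) can be added by anyone holding the token but never removed, because stripping a caveat breaks the chain; and only the server's root key decides validity, which is why `deletemacaroonid` works per group and why file deletion without a root key rotation leaves a stolen admin.macaroon fully functional.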
Need security/macaroon help? $9
I set up proper macaroon permissions for RTL, ThunderHub, and custom apps. USDT TRC-20.