LND Macaroon Permissions — Which Macaroon to Use for Each Task
LND uses macaroons for authentication. Different macaroons grant different permissions. Here's a practical guide.
The 3 default macaroons
# Location: ~/.lnd/data/chain/bitcoin/mainnet/
ls -la ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon
# admin.macaroon    - Full access (read + write + send payments)
# invoice.macaroon  - Create and look up invoices only
# readonly.macaroon - Read-only: listchannels, getinfo, etc.

# Check what permissions a macaroon has
lncli printmacaroon --macaroon_file ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon
Bake a custom macaroon
# Create a macaroon that can only create invoices + read
lncli bakemacaroon --save_to=invoice_only.macaroon \
  invoices:write \
  invoices:read \
  info:read

# Create read-only macaroon for monitoring
lncli bakemacaroon --save_to=monitor.macaroon \
  info:read \
  offchain:read \
  onchain:read \
  peers:read

# Create macaroon limited to a specific IP (adds an ipaddr caveat)
lncli bakemacaroon --ip_address=192.168.1.50 \
  --save_to=restricted.macaroon \
  info:read offchain:read
Use macaroon in API calls
# Hex-encode the macaroon for the REST API (the Grpc-Metadata-macaroon header takes hex, not base64)
MACAROON=$(xxd -ps -u -c 1000 ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon)
curl -s --cacert ~/.lnd/tls.cert \
  -H "Grpc-Metadata-macaroon: $MACAROON" \
  https://localhost:8080/v1/getinfo | python3 -m json.tool
# Python gRPC example (the lightning_pb2 modules are generated from lnd's lightning.proto)
import codecs, os, grpc, lightning_pb2 as ln, lightning_pb2_grpc as lnrpc
os.environ['GRPC_SSL_CIPHER_SUITES'] = 'HIGH+ECDSA'  # lnd's TLS cert is ECDSA
lnd_dir = os.path.expanduser('~/.lnd')
with open(lnd_dir + '/data/chain/bitcoin/mainnet/admin.macaroon', 'rb') as f:
    macaroon = codecs.encode(f.read(), 'hex').decode()  # hex-encoded, same as the REST header
creds = grpc.ssl_channel_credentials(open(lnd_dir + '/tls.cert', 'rb').read())
stub = lnrpc.LightningStub(grpc.secure_channel('localhost:10009', creds))
metadata = [('macaroon', macaroon)]
response = stub.GetInfo(ln.GetInfoRequest(), metadata=metadata)
print(response)
Revoke a compromised macaroon
# Macaroons can't be individually revoked in LND (by design)
# To invalidate all macaroons, the root key has to change. Deleting only the
# *.macaroon files is not enough: lnd re-bakes them from the same root key kept
# in macaroons.db, so any copy of the old macaroons would still verify.
sudo systemctl stop lnd
rm ~/.lnd/data/chain/bitcoin/mainnet/*.macaroon
rm ~/.lnd/data/chain/bitcoin/mainnet/macaroons.db
sudo systemctl start lnd   # LND creates a fresh root key and fresh macaroons on unlock
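Why an IP-restricted macaroon cannot be "un-restricted" by whoever holds it, and why only a changed root key invalidates old macaroons, comes down to the HMAC chain macaroons are built on. The following is an added toy model of that chain, not lnd code: real lnd macaroons use the libmacaroons v2 binary format and put permissions in the identifier, and the root key (constructed here) lives in macaroons.db; the `ipaddr` caveat name and the identifier layout are assumptions for illustration.

```python
import hashlib
import hmac


def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, permissions: list) -> dict:
    """Mint a macaroon: the granted entity:action pairs live in the
    identifier and the signature is HMAC(root_key, identifier)."""
    identifier = " ".join(permissions).encode()
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier)}


def add_caveat(m: dict, caveat: str) -> dict:
    """Attenuate without the root key: new sig = HMAC(old_sig, caveat),
    so a holder can add restrictions but can never strip one."""
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "sig": _chain(m["sig"], caveat.encode())}


def _caveat_holds(caveat: str, ctx: dict) -> bool:
    # Only the ipaddr caveat (what --ip_address bakes) is modelled; unknown caveats fail closed.
    cond, _, arg = caveat.partition(" ")
    return cond == "ipaddr" and ctx.get("ip") == arg


def authorize(root_key: bytes, m: dict, op: str, ctx: dict) -> bool:
    """Server-side check: rebuild the chain from the root key, enforce every
    caveat, compare signatures, then confirm the identifier grants `op`."""
    sig = _chain(root_key, m["id"])
    for c in m["caveats"]:
        sig = _chain(sig, c.encode())
        if not _caveat_holds(c, ctx):
            return False
    if not hmac.compare_digest(sig, m["sig"]):
        return False
    return op in m["id"].decode().split()


if __name__ == "__main__":
    root = b"constructed-root-key"  # stands in for the key lnd keeps in macaroons.db
    monitor = mint(root, ["info:read", "offchain:read"])
    pinned = add_caveat(monitor, "ipaddr 192.168.1.50")
    print(authorize(root, pinned, "info:read", {"ip": "192.168.1.50"}))  # True
    print(authorize(root, pinned, "info:read", {"ip": "10.0.0.7"}))      # False
    print(authorize(b"rotated-root-key", monitor, "info:read", {}))      # False: old macaroon dies with the key
```

Stripping the caveat from `pinned` and presenting it with the chained signature also fails verification, which is the property that makes attenuation safe to hand out.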
Need macaroon or auth help? $9
I set up custom macaroons for RTL, ThunderHub, Ride The Lightning, and API integrations. USDT TRC-20.