# Macaroons
## Understanding macaroons

Macaroons are flexible, decentralized authorization credentials used for fine-grained access control. Unlike traditional tokens, macaroons include embedded caveats that specify the conditions under which they are valid. This allows for:

- **Detailed permissions:** Macaroons can define precise access rights, such as time limits or specific resource access.
- **Delegation and attenuation:** They support creating new macaroons with restricted permissions from an existing one, ideal for safely delegating access.
- **Cryptographic security:** Macaroons are signed and cryptographically secure, ensuring they can't be tampered with.

In LND (Lightning Network Daemon), macaroons manage permissions for accessing node services, providing secure and granular control over actions like creating invoices and making payments.

Learn more about macaroons in LND: https://docs.lightning.engineering/lightning-network-tools/lnd/macaroons

## Your Voltage node macaroons

You can find your pregenerated macaroons in your Voltage dashboard on the 'Macaroon Bakery' page.

## Generating and revoking macaroons with lncli

Voltage surfaces macaroons via your node's dashboard, but if you want more fine-grained control you can access your node's full RPC interface through https://docs.voltage.cloud/lncli-self-host and generate or revoke macaroons.

### Generate a new macaroon

To generate a new macaroon, use the `lncli bakemacaroon` command. You can specify the permissions (read, write, etc.) that you want the macaroon to have.

```bash
# Permissions are passed as positional arguments after the command.
lncli --rpcserver=yournodename.m.voltageapp.io --tlscertpath="" \
  --macaroonpath=/pathtothe/admin.macaroon bakemacaroon \
  invoices:read \
  invoices:write
```

This command creates a new macaroon with the specified permissions. The permissions should be in the format `service:method`. For example, to create a macaroon that can read invoices and write invoices, you would use `invoices:read` and `invoices:write`.

Here is an example of generating an administrative-level macaroon:

```bash
lncli --rpcserver=yournodename.m.voltageapp.io:10009 --tlscertpath="" \
  --macaroonpath=/path/to/admin.macaroon bakemacaroon \
  --save_to=anynameyouwant.macaroon --root_key_id <enter a number> \
  --allow_external_permissions \
  onchain:read onchain:write offchain:read offchain:write \
  address:read address:write message:read message:write \
  peers:read peers:write info:read invoices:read invoices:write \
  signer:read signer:write macaroon:read macaroon:write
```

You can also add the `--timeout <seconds>` flag to add automatic expiration to any macaroon you generate.

Learn more about macaroon permissions: https://docs.lightning.engineering/lightning-network-tools/lnd/macaroons

### Revoke an existing macaroon

To revoke an existing macaroon, you need the macaroon's ID. You can find the list of active macaroons and their IDs using the `listmacaroonids` command.

1. List all active macaroons to find the ID of the macaroon you want to revoke:

```bash
lncli --rpcserver=yournodename.m.voltageapp.io --tlscertpath="" \
  --macaroonpath=/pathtothe/admin.macaroon listmacaroonids
```

2. Revoke the macaroon using its ID with the `deletemacaroonid` command:

```bash
lncli --rpcserver=yournodename.m.voltageapp.io --tlscertpath="" \
  --macaroonpath=/pathtothe/admin.macaroon deletemacaroonid <macaroon_id>
```
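Why a time limit added to a macaroon cannot be stripped by its holder, and why revoking by ID invalidates what was baked under that root key, shown as an added example (not Voltage's or LND's code): a simplified model of the HMAC chain that macaroons are built on. The `ROOT_KEYS` store, the text identifier and caveat format, and all function names are assumptions for illustration; LND uses its own binary macaroon encoding.

```python
import hashlib
import hmac

# Constructed root-key store (root key ID -> secret); only the node holds it.
ROOT_KEYS = {1: b"constructed-root-key-for-id-1"}


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def bake(root_key_id: int, permissions: list) -> dict:
    """Mint a macaroon: signature = HMAC(root key, identifier)."""
    ident = f"{root_key_id}|{','.join(permissions)}"
    return {"id": ident, "caveats": [], "sig": _mac(ROOT_KEYS[root_key_id], ident)}


def add_caveat(mac: dict, caveat: str) -> dict:
    """Attenuate without the root key: new sig = HMAC(old sig, caveat)."""
    return {"id": mac["id"], "caveats": mac["caveats"] + [caveat],
            "sig": _mac(mac["sig"], caveat)}


def verify(mac: dict, permission: str, now: int) -> bool:
    """Node-side check: rebuild the HMAC chain, then evaluate every caveat."""
    key_id, _, perms = mac["id"].partition("|")
    key = ROOT_KEYS.get(int(key_id)) if key_id.isdecimal() else None
    if key is None:
        return False  # root key ID deleted (revoked) or malformed identifier
    sig = _mac(key, mac["id"])
    for caveat in mac["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, mac["sig"]):
        return False  # identifier or caveat list was edited after baking
    for caveat in mac["caveats"]:
        name, _, value = caveat.partition(" ")
        if name != "time-before" or not value.isdecimal() or now >= int(value):
            return False  # expired, or a caveat we cannot evaluate: fail closed
    return permission in perms.split(",")


if __name__ == "__main__":
    admin = bake(1, ["invoices:read", "invoices:write"])
    limited = add_caveat(admin, "time-before 200")     # models an expiry caveat
    print(verify(limited, "invoices:read", now=100))   # inside the time limit
    stripped = dict(limited, caveats=[])               # holder drops the caveat
    print(verify(stripped, "invoices:read", now=100))  # chain no longer matches
    del ROOT_KEYS[1]                                   # revoke by root key ID
    print(verify(admin, "invoices:read", now=100))
```

Because each signature is keyed by the previous one, a holder can add restrictions but never remove them, and every macaroon baked under a deleted root key fails verification at once.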