Security

Capability-based access control for the AI era

From Identity to Capabilities

Traditional APIs use identity-based access: "Prove who you are, then we decide what you can do."

SatGate uses capability-based access: "Present a cryptographic token that already encodes what you can do."

Identity-Based (OAuth/API Keys)

  • Requires user databases & PII
  • Credential stuffing risks
  • Agents can't sign up

Capability-Based (L402)

  • ✓ No accounts required
  • ✓ Payment = Authorization
  • ✓ Perfect for agents

Non-Custodial Architecture

SatGate never holds, controls, or has access to your funds. Payments settle directly from payers to your Lightning node. We never touch your private keys.

Paid Capabilities (L402)

L402 creates a new security primitive: paid capabilities. Payment gates token issuance, and the token itself encodes permissions via macaroon caveats.

  • Edge Verification: Tokens verified cryptographically at the gateway—no user database lookup required
  • Least Privilege: Add caveats to constrain scope, time, and budget (e.g., "valid 5 mins", "max 10 calls")
  • Delegatable: Attenuate tokens before passing to sub-agents—permissions only shrink, never grow
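
The edge-verification and attenuation properties listed above can be seen in a minimal HMAC-chained token. This is an added example, not SatGate's code and not the real macaroon or L402 wire format; the token layout, the caveat names `expires` and `path`, and all key and ID values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _chain(sig: bytes, caveat: str) -> bytes:
    # Fold a caveat into the signature: sig' = HMAC(sig, caveat)
    return hmac.new(sig, caveat.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Gateway side: issue a token bound to root_key (hypothetical layout)."""
    sig = hmac.new(root_key, token_id.encode(), hashlib.sha256).digest()
    return {"id": token_id, "caveats": [], "sig": sig}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a restriction without knowing root_key."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat)}

def _caveat_ok(caveat: str, ctx: dict) -> bool:
    key, _, value = caveat.partition("=")
    if key == "expires":  # hypothetical caveat: unix-time deadline
        return value.isdigit() and ctx["now"] < int(value)
    if key == "path":     # hypothetical caveat: exact route match
        return ctx["path"] == value
    return False          # unknown caveat: fail closed

def verify(root_key: bytes, token: dict, ctx: dict) -> bool:
    """Gateway side: recompute the chain from root_key, then check caveats.
    No per-user lookup is needed, only the root key."""
    sig = hmac.new(root_key, token["id"].encode(), hashlib.sha256).digest()
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_caveat_ok(c, ctx) for c in token["caveats"])

# Constructed sample values
ROOT_KEY = b"constructed-root-key-for-example"
parent = attenuate(mint(ROOT_KEY, "tok-1"), "expires=1000")
child = attenuate(parent, "path=/v1/quotes")           # handed to a sub-agent
stripped = {**child, "caveats": child["caveats"][:1]}  # caveat removed, sig kept

if __name__ == "__main__":
    for name, tok in (("parent", parent), ("child", child), ("stripped", stripped)):
        print(name, verify(ROOT_KEY, tok, {"now": 500, "path": "/v1/admin"}))
```

The sub-agent holding `child` only has the chained signature, so dropping the `path` caveat leaves a signature the gateway cannot reproduce, and the request is rejected.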

Economic Abuse Friction

Spam becomes expensive and self-limiting: high-volume callers must keep paying to keep calling. This complements (does not replace) your existing WAF/CDN for network-layer protection.

Zero Trust Access Control (PEP)

SatGate is a Zero Trust Policy Enforcement Point for paid and capability-based API access. It verifies every protected request and enforces scoped access via L402/macaroons—no network trust assumptions.

How SatGate maps to Zero Trust concepts

  • Policy Enforcement Point (PEP): The gateway sits in front of services and enforces access decisions on every request (deny-by-default for protected routes).
  • Continuous Authorization: Rather than trusting a network zone or long-lived credential, SatGate validates an L402 token on each request before proxying.
  • Least Privilege: Macaroon caveats enable fine-grained restriction (route, method, TTL, budget), reducing blast radius and enabling safe delegation.
  • Reduced Trust Dependencies: Authorization is cryptographic, not reliant on a centralized user database. Optional state can be used for metering/quotas without requiring PII.

What SatGate is (and isn't)

  • ✓ Zero Trust PEP for API access (request-level verification + least privilege)
  • ✓ Complements existing security stack (WAF/CDN, rate limiting, SIEM)
  • ⚠ Not a full Zero Trust program (identity governance, device posture, microsegmentation)

Open Source Transparency

All SatGate code is open source under the MIT License. You can audit every line, fork it, and run your own infrastructure. No black boxes.

Best Practices

  • Keep your LNC pairing phrase secure—treat it like a password
  • Use environment variables for sensitive configuration
  • Deploy behind a CDN/WAF (Cloudflare, AWS Shield) for network-layer protection
  • Set appropriate macaroon expiration times in your aperture.yaml
  • Monitor your Lightning node for unusual activity

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please report security issues privately before public disclosure.

Email: contact@satgate.io

What SatGate Protects Against

Threat | Protection
API scraping | ✓ Economic cost per request
Bot abuse | ✓ Payment required = economic friction
Credential theft | ✓ Tokens can have short expiration
Chargebacks | ✓ Lightning payments are final
Network DDoS (volumetric) | ⚠ Use CDN/WAF (Cloudflare, etc.)