Buda Lightning Invoice follows a server-side credential model: theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/nicosaporiti/buda-lightning-invoice/llms.txt
Use this file to discover all available pages before exploring further.
BUDA_API_KEY and BUDA_API_SECRET required to call the Buda.com API live exclusively in server environment variables and are never included in any HTTP response. The public-facing HTTP endpoints require no authentication from consumers — any client that can reach the server can create invoices and check payment status — so the attack surface is limited to malformed inputs and API abuse rather than credential leakage. All request inputs are validated by express-validator before they are allowed to reach any controller or business logic, so invalid payloads are rejected immediately at the route layer.
Credential security
API credentials are read from environment variables at call time inside each helper:buda-promise/buda.js) uses these credentials to sign every outbound private request with HMAC-SHA384. Three custom headers are attached to authenticated calls:
| Header | Purpose |
|---|---|
X-SBTC-APIKEY | Identifies the account. |
X-SBTC-NONCE | A monotonically increasing timestamp (milliseconds). Prevents replay attacks — Buda rejects requests whose nonce is not greater than the last accepted nonce. |
X-SBTC-SIGNATURE | The HMAC-SHA384 signature of method + path + base64(body) + nonce, keyed by BUDA_API_SECRET. |
Never expose
BUDA_API_KEY or BUDA_API_SECRET in a frontend application. These variables must live only in server environment variables or a secrets vault. The .env file is included in .gitignore and must never be committed to version control.Input validation
All user-supplied inputs are validated withexpress-validator at the route layer, before any controller or helper is invoked. The fieldsValidation middleware reads the result of all check() calls and, if any fail, immediately returns 400 with a structured error body — the controller is never reached.
The validation rules for each endpoint are:
| Endpoint | Field | Rules |
|---|---|---|
POST /newinvoice | amount | Required, numeric, integer ≥ 1 |
POST /newinvoice | msg | Required, string, min length 1 |
POST /status | invoice | Required, non-empty string |
GET /callback | amount | Required, numeric, integer ≥ 1000 (millisatoshis) |
errors object is keyed by field name, making it straightforward for frontend clients to map error messages to specific form fields.
CORS configuration
CORS is enabled globally for all origins using the defaultcors() middleware:
cors package, when called with no arguments, sets Access-Control-Allow-Origin: * and allows the standard HTTP methods.
If you control all frontend clients and want to restrict access to known domains, replace the default configuration in index.js:
Known limitations
Best practices
- Always use HTTPS in production. When deployed to Fly.io, set
force_https = trueinfly.tomlto ensure all traffic is redirected from HTTP to HTTPS. This protects the request body and query parameters from interception. - Store secrets in a vault. Use
fly secrets setto storeBUDA_API_KEY,BUDA_API_SECRET, andDOMAINon Fly.io. Never hard-code credentials inindex.jsor any application file, and never commit a.envfile to version control. - Set
DOMAINcorrectly. TheDOMAINenvironment variable is used to build thecallbackURL returned byGET /.well-known/lnurlp/:username. If this is wrong or missing, Lightning Address callbacks will point to the wrong host and invoice creation from a wallet will fail. Set it to your deployment’s public hostname (e.g.,budaln.fly.dev). - Rotate API keys periodically. Buda.com allows generating new API key/secret pairs from the account dashboard. Rotate credentials regularly and update the secrets in your deployment environment.
- Monitor for Buda API errors. The controllers catch all errors thrown by helpers and return them as
400witherror.message. Add logging (e.g.,console.error) or a monitoring integration to surface these failures, since a Buda error is otherwise invisible in production.