LND API

Pull a node's macaroons from the Rails API and call LND or Litd directly over gRPC/REST for low-level operations not surfaced through the Rails GraphQL API.

For workflows Rails doesn't expose directly (custom channel queries, forwarding-event streaming, signing messages, generating BOLT11 invoices), you can talk to the underlying Lightning daemon. Rails returns the macaroons and sockets your node already trusts, scoped to the same permissions Rails uses internally.

This is read-mostly access. Spend-related permissions are intentionally not granted to the Rails macaroon (see Permissions).

Get sockets and credentials

The GetDeployedNodeMacaroons query returns connection details and the macaroon list for a node. Macaroons are only returned to the master account on the team.

query DeployedNodeCredentials($nodeId: String!) {
  node {
    deployed_node(node_id: $nodeId) {
      id
      state
      node_type
      taproot_assets_enabled
      sockets {
        lnd  { id rest grpc }
        litd { id rest grpc }
      }
      credentials {
        list {
          id
          encryption_type
          macaroon
          permissions
          is_admin
          macaroon_type
          location
        }
      }
    }
  }
}

curl -X POST https://rails.amboss.tech/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $AMBOSS_DASHBOARD_TOKEN" \
  -d '{
    "query": "query($nodeId: String!) { node { deployed_node(node_id: $nodeId) { sockets { lnd { rest grpc } litd { rest grpc } } credentials { list { macaroon permissions is_admin macaroon_type } } } } }",
    "variables": { "nodeId": "<NODE_ID>" }
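  }'

// Assumes `client` is a GraphQL client exposing request(query, variables)
// and GET_CREDENTIALS holds the query shown above.
const { node } = await client.request(GET_CREDENTIALS, {
  nodeId: process.env.NODE_ID,
});

const { sockets, credentials } = node.deployed_node;
// The macaroon is a bearer secret: keep it out of logs and error messages.
const adminMacaroon = credentials.list.find((m) => m.is_admin)?.macaroon;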

Field reference

sockets

| Field | Description |
| --- | --- |
| lnd.rest | REST URL for the LND node (e.g. https://node.example:8080). |
| lnd.grpc | gRPC host (e.g. node.example:10009). |
| litd.rest | REST URL for Litd (terminal-only operations). |
| litd.grpc | gRPC host for Litd. |

For Fully Managed nodes the sockets point at the Voltage-hosted endpoint. For Third Party Hosted, they're the values you submitted via node.connect.

credentials.list[]

| Field | Description |
| --- | --- |
| macaroon | Hex-encoded macaroon ready to drop into Grpc-Metadata-macaroon / --macaroon. |
| permissions | Flat list of entity:action strings the macaroon grants (offchain:read, onchain:read, etc.). |
| is_admin | Whether this macaroon has admin-equivalent scope. |
| macaroon_type | ADMIN, READ_ONLY, INVOICE, ROUTING, etc. |
| location | Whether the macaroon targets LND or LITD. |
| encryption_type | SERVER for Rails-issued macaroons, CLIENT for ones we received from a third-party node. |
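
Because every credentials.list[] entry carries its own permissions, an integration can pick the narrowest macaroon that covers a call instead of defaulting to the admin one. This is an added example, not code from the Rails API or its authors; selectMacaroon and the sample entries are hypothetical and constructed, and only the field names and permission strings come from this page.

```javascript
// Added example: choose the least-privileged macaroon that still covers a call.
// Field names follow the credentials.list[] reference; everything else is assumed.
const HEX = /^(?:[0-9a-f]{2})+$/i;

function selectMacaroon(list, { location, required }) {
  const candidates = list.filter((m) =>
    m.location === location &&
    typeof m.macaroon === "string" && HEX.test(m.macaroon) && // reject malformed values
    Array.isArray(m.permissions) &&
    required.every((p) => m.permissions.includes(p))
  );
  // Prefer non-admin macaroons, then the one granting the fewest permissions.
  candidates.sort((a, b) =>
    Number(a.is_admin) - Number(b.is_admin) ||
    a.permissions.length - b.permissions.length
  );
  if (candidates.length === 0) {
    throw new Error(`no ${location} macaroon grants ${required.join(", ")}`);
  }
  return candidates[0];
}

// Constructed sample shaped like credentials.list (macaroon values are fake hex).
const sampleList = [
  { id: "a", location: "LND", macaroon_type: "ADMIN", is_admin: true, macaroon: "0201aa",
    permissions: ["info:read", "offchain:read", "offchain:write", "onchain:read",
                  "peers:read", "peers:write", "invoices:read"] },
  { id: "b", location: "LND", macaroon_type: "READ_ONLY", is_admin: false, macaroon: "0201bb",
    permissions: ["info:read", "offchain:read", "onchain:read", "peers:read", "invoices:read"] },
  { id: "c", location: "LITD", macaroon_type: "READ_ONLY", is_admin: false, macaroon: "0201cc",
    permissions: ["info:read"] },
  { id: "d", location: "LND", macaroon_type: "READ_ONLY", is_admin: false, macaroon: "not-hex",
    permissions: ["info:read"] },
];

// A getinfo call only needs info:read, so the read-only macaroon is chosen.
const forGetInfo = selectMacaroon(sampleList, { location: "LND", required: ["info:read"] });
// Log the id and type only, never the macaroon itself.
console.log(forGetInfo.id, forGetInfo.macaroon_type);
```
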

Calling LND directly

Lightning Network Daemon docs live at lightning.engineering/api-docs/api/lnd/. The macaroon and sockets above plug into any LND client.

REST example

curl --cacert tls.cert \
  --header "Grpc-Metadata-macaroon: $LND_MACAROON_HEX" \
  https://node.example:8080/v1/getinfo

gRPC example (Node.js)

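import fs from "node:fs";
import { credentials, loadPackageDefinition, Metadata } from "@grpc/grpc-js";
import { loadSync } from "@grpc/proto-loader";

// lightning.proto is a local copy of the service definition from the LND repository (lnrpc/lightning.proto).
const packageDefinition = loadSync("lightning.proto", { keepCase: true, longs: String, enums: String, defaults: true, oneofs: true });
const { lnrpc } = loadPackageDefinition(packageDefinition);

// Node TLS cert, the same file passed to --cacert in the REST example.
const tls = credentials.createSsl(fs.readFileSync("tls.cert"));
// Send the hex-encoded macaroon as call metadata on every request.
const macaroonCreds = credentials.createFromMetadataGenerator((_, cb) => {
  const md = new Metadata();
  md.add("macaroon", process.env.LND_MACAROON_HEX);
  cb(null, md);
});

const creds = credentials.combineChannelCredentials(tls, macaroonCreds);
const lnd = new lnrpc.Lightning("node.example:10009", creds);

lnd.getInfo({}, (err, info) => {
  if (err) throw err; // info is undefined when the call fails
  console.log(info.alias);
});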

For Litd, swap the gRPC service for litrpc and target the Litd-specific RPC (Pool, Loop, Taproot Assets).

TLS certificates

  • Fully Managed nodes: TLS is auto-managed; clients should verify against the public CA chain when using REST URLs.
  • Third Party Hosted nodes: you submitted tls_cert (or null, indicating public cert) on node.connect. Use the same cert client-side.

The cert is not echoed back in credentials. Store it alongside the macaroon at connection time.

Permissions cheatsheet

The Rails management macaroon grants:

  • offchain:read, onchain:read, info:read, peers:read, invoices:read
  • offchain:write (for channel open/close), peers:write
  • Routing policy update (offchain:write scoped)
  • Invoice creation

It does not grant on-chain spend or arbitrary invoice payment. If you need those for your own integration, generate a separate admin macaroon on the daemon and keep it client-side - do not upload it to Rails.

Backups

deployed_node.backup returns the latest static channel backup (SCB), useful for disaster recovery:

query Backup($nodeId: String!) {
  node {
    deployed_node(node_id: $nodeId) {
      backup { id latest created_at size }
    }
  }
}

latest is the binary SCB encoded as base64. Decode it before passing to lncli restorechanbackup or the corresponding REST endpoint.