lightning-mcp-server
Web & Frontend Development
v1.0.0
BenignBuild and configure the MCP server for Lightning Node Connect (LNC)
826 downloads826 installsby @roasbeef
Setup & Installation
Install command
clawhub install roasbeef/lightning-mcp-serverIf the CLI is not installed:
Install command
npx clawhub@latest install roasbeef/lightning-mcp-serverOr install with OpenClaw CLI:
Install command
openclaw skills install roasbeef/lightning-mcp-serveror paste the repo link into your assistant's chat
Install command
https://github.com/openclaw/skills/tree/main/skills/roasbeef/lightning-mcp-serverWhat This Skill Does
MCP server that connects AI assistants to Lightning Network nodes via Lightning Node Connect (LNC). Uses encrypted WebSocket tunnels through a mailbox relay, requiring only a 10-word pairing phrase from Lightning Terminal, no TLS certificates or macaroons. Read-only by default, exposing 18 tools for querying node state, channels, payments, invoices, peers, and on-chain data.
Access a remote lnd node without exposing TLS certificates, macaroons, or open gRPC ports; the mailbox relay handles all connectivity using only an in-memory pairing phrase.
When to Use It
- Check Lightning node channel balances and capacity mid-conversation
- Decode a BOLT11 invoice to verify amount and recipient before paying
- Review payment history and track a specific payment by hash
- Inspect peer connections and sample Lightning Network topology
- Estimate on-chain fees for different confirmation targets
View original SKILL.md file
# MCP LNC Server
Build and configure the MCP server that connects AI assistants to Lightning
nodes via **Lightning Node Connect (LNC)**. LNC uses encrypted WebSocket tunnels
through a mailbox relay, so the agent never needs direct gRPC access, TLS
certificates, or macaroons — just a 10-word pairing phrase from Lightning
Terminal.
The MCP server is **read-only by default** — it exposes 18 tools for querying
node state but cannot send payments or modify channels.
## Quick Start
```bash
# 1. Build the MCP server binary
skills/lightning-mcp-server/scripts/install.sh
# 2. Configure environment (mailbox server, dev mode, etc.)
skills/lightning-mcp-server/scripts/configure.sh
# 3. Add to Claude Code as an MCP server
skills/lightning-mcp-server/scripts/setup-claude-config.sh
```
Then restart Claude Code. The `lnc_connect` tool will be available to connect
to any lnd node using a pairing phrase.
## How It Works
```
Claude Code <--stdio--> lightning-mcp-server <--LNC WebSocket--> Mailbox <--> lnd
```
1. Claude Code launches `lightning-mcp-server` as a subprocess (stdio transport)
2. Agent calls `lnc_connect` with a pairing phrase and password
3. Server generates an ephemeral ECDSA keypair and opens an encrypted WebSocket
tunnel through the mailbox relay
4. Once connected, the agent can call any of the 18 read-only tools
5. `lnc_disconnect` closes the tunnel
No keys, certs, or macaroons are stored on disk — the pairing phrase is the
only credential, and it's handled in-memory only.
## Installation
```bash
# Build from source (requires Go 1.24+)
skills/lightning-mcp-server/scripts/install.sh
# Verify
lightning-mcp-server -version
```
The install script builds from the `lightning-mcp-server/` directory in this repo.
## Configuration
```bash
# Generate .env with defaults
skills/lightning-mcp-server/scripts/configure.sh
# Production (mainnet via Lightning Terminal)
skills/lightning-mcp-server/scripts/configure.sh --production
# Development (local regtest)
skills/lightning-mcp-server/scripts/configure.sh --dev --mailbox aperture:11110
```
Configuration is stored in `lightning-mcp-server/.env`. Key settings:
| Variable | Default | Description |
|----------|---------|-------------|
| `LNC_MAILBOX_SERVER` | `mailbox.terminal.lightning.today:443` | Mailbox relay server |
| `LNC_DEV_MODE` | `false` | Enable development mode |
| `LNC_INSECURE` | `false` | Skip TLS verification (dev only) |
| `LNC_CONNECT_TIMEOUT` | `30` | Connection timeout in seconds |
## Claude Code Integration
### Option 1: `claude mcp add` (recommended)
Register the MCP server with a single command — no build step required:
```bash
# Zero-install via npx (downloads pre-built binary)
claude mcp add --transport stdio lnc -- npx -y @lightninglabs/lightning-mcp-server
# With environment variables for production
claude mcp add --transport stdio \
--env LNC_MAILBOX_SERVER=mailbox.terminal.lightning.today:443 \
lnc -- npx -y @lightninglabs/lightning-mcp-server
# For development/regtest
claude mcp add --transport stdio \
--env LNC_MAILBOX_SERVER=localhost:11110 \
--env LNC_DEV_MODE=true \
--env LNC_INSECURE=true \
lnc -- npx -y @lightninglabs/lightning-mcp-server
```
Scope options: `--scope local` (default, just you), `--scope project` (shared
via `.mcp.json`), `--scope user` (all your projects).
### Option 2: Setup script (from source)
```bash
# Add lightning-mcp-server to Claude Code's MCP config
skills/lightning-mcp-server/scripts/setup-claude-config.sh
# Project-level config (current project only)
skills/lightning-mcp-server/scripts/setup-claude-config.sh --scope project
# Global config (all projects)
skills/lightning-mcp-server/scripts/setup-claude-config.sh --scope global
```
This adds the server to Claude Code's `.mcp.json` (project) or
`~/.claude.json` (global) configuration. After restarting Claude Code, the
LNC tools will be available.
### Option 3: Manual configuration
Add to `.mcp.json` in your project root:
```json
{
"mcpServers": {
"lnc": {
"command": "npx",
"args": ["-y", "@lightninglabs/lightning-mcp-server"],
"env": {
"LNC_MAILBOX_SERVER": "mailbox.terminal.lightning.today:443"
}
}
}
}
```
Or with a locally built binary:
```json
{
"mcpServers": {
"lnc": {
"command": "lightning-mcp-server",
"env": {
"LNC_MAILBOX_SERVER": "mailbox.terminal.lightning.today:443"
}
}
}
}
```
Or run via Docker:
```json
{
"mcpServers": {
"lnc": {
"command": "docker",
"args": [
"run", "--rm", "-i", "--network", "host",
"--env", "LNC_MAILBOX_SERVER",
"--env", "LNC_DEV_MODE",
"--env", "LNC_INSECURE",
"lightning-mcp-server"
]
}
}
}
```
## Available Tools (18)
### Connection
| Tool | Description |
|------|-------------|
| `lnc_connect` | Connect to lnd via LNC pairing phrase |
| `lnc_disconnect` | Close active LNC connection |
### Node
| Tool | Description |
|------|-------------|
| `lnc_get_info` | Node alias, version, sync status, block height |
| `lnc_get_balance` | Wallet balance (on-chain) and channel balance |
### Channels
| Tool | Description |
|------|-------------|
| `lnc_list_channels` | Active/inactive channels with capacity, balances |
| `lnc_pending_channels` | Channels being opened or closed |
### Invoices
| Tool | Description |
|------|-------------|
| `lnc_decode_invoice` | Decode a BOLT11 invoice |
| `lnc_list_invoices` | List invoices with pagination |
| `lnc_lookup_invoice` | Look up invoice by payment hash |
### Payments
| Tool | Description |
|------|-------------|
| `lnc_list_payments` | Payment history with pagination |
| `lnc_track_payment` | Track specific payment by hash |
### Peers & Network
| Tool | Description |
|------|-------------|
| `lnc_list_peers` | Connected peers with stats |
| `lnc_describe_graph` | Lightning Network topology sample |
| `lnc_get_node_info` | Detailed info about a specific node |
### On-Chain
| Tool | Description |
|------|-------------|
| `lnc_list_unspent` | UTXOs with confirmations |
| `lnc_get_transactions` | On-chain transaction history |
| `lnc_estimate_fee` | Fee estimates for confirmation targets |
## Security Model
- **No stored credentials:** Pairing phrase is handled in-memory only. Ephemeral
ECDSA keypairs are generated per session.
- **Read-only:** No payment, channel, or state-changing operations are exposed.
The agent can observe but not modify.
- **Encrypted tunnels:** All traffic is encrypted end-to-end through the mailbox
relay. The mailbox cannot read the traffic.
- **No direct access:** The agent machine never connects directly to the lnd
node's gRPC port — all traffic goes through the mailbox.
### Comparison with Direct gRPC Access
| | MCP LNC Server | Direct lncli/gRPC |
|---|---|---|
| **Credential** | Pairing phrase (in-memory) | TLS cert + macaroon (on disk) |
| **Network** | WebSocket via mailbox relay | Direct TCP to gRPC port |
| **Firewall** | No inbound ports needed | Port 10009 must be reachable |
| **Permissions** | Read-only (hardcoded) | Depends on macaroon scope |
| **Setup** | Pairing phrase from Lightning Terminal | Export cert + macaroon files |
## Prerequisites
- **Go 1.24+** for building from source
- **Lightning Terminal (litd)** on the target node for generating pairing phrases
- **Claude Code** for MCP integration
## Troubleshooting
### "pairing phrase must be exactly 10 words"
The pairing phrase is generated by Lightning Terminal. It must be exactly 10
space-separated words.
### "connection timeout"
Check that the mailbox server is reachable. For production, ensure
`mailbox.terminal.lightning.today:443` is not blocked by a firewall.
### "TLS handshake failure"
If using a local regtest setup, enable dev mode and insecure mode:
```bash
skills/lightning-mcp-server/scripts/configure.sh --dev --insecure
```
### Tools not appearing in Claude Code
Restart Claude Code after running `setup-claude-config.sh`. Check that
`lightning-mcp-server` is on your `$PATH`:
```bash
which lightning-mcp-server
```
Example Workflow
Here's how your AI assistant might use this skill in practice.
INPUT
User asks: Check Lightning node channel balances and capacity mid-conversation
AGENT
- 1Check Lightning node channel balances and capacity mid-conversation
- 2Decode a BOLT11 invoice to verify amount and recipient before paying
- 3Review payment history and track a specific payment by hash
- 4Inspect peer connections and sample Lightning Network topology
- 5Estimate on-chain fees for different confirmation targets
OUTPUT
Build and configure the MCP server for Lightning Node Connect (LNC)
Security Audits
VirusTotalBenign
OpenClawBenign
View full reportThese signals reflect official OpenClaw status values. A Suspicious status means the skill should be used with extra caution.