From f61a71b6fceddbe457db04097a799d9a2fb28902 Mon Sep 17 00:00:00 2001 From: Francisco Calderon Date: Thu, 12 Apr 2018 21:25:52 -0300 Subject: [PATCH] docs/macaroons: add reference to invoice.macaroon --- docs/macaroons.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/docs/macaroons.md b/docs/macaroons.md index eed5026f..eb5bc507 100644 --- a/docs/macaroons.md +++ b/docs/macaroons.md 
@@ -49,19 +49,22 @@ user must remember several things: person receiving it cannot remove the caveat. This is used in `lnd` in an interesting way. By default, when `lnd` starts, it -creates two files which contain macaroons: a file called `admin.macaroon`, -which contains a macaroon with no caveats, and a file called -`readonly.macaroon`, which is the *same* macaroon but with an additional caveat -that permits only methods that don't change the state of `lnd`. +creates three files which contain macaroons: a file called `admin.macaroon`, +which contains a macaroon with no caveats, a file called `readonly.macaroon`, +which is the *same* macaroon but with an additional caveat, that permits only +methods that don't change the state of `lnd`, and `invoice.macaroon`, which +only has access to invoice related methods. ## How macaroons are used by `lnd` and `lncli`. -On startup, `lnd` checks to see if the `admin.macaroon` and `readonly.macaroon` -files exist. If they *both* don't exist, `lnd` updates its database with a new -macaroon ID, generates the `admin.macaroon` file with that ID, and generates -the `readonly.macaroon` file with the same ID but an additional caveat which -restricts the caller to using only read-only methods. This means a few -important things: +On startup, `lnd` checks to see if the `admin.macaroon`, `readonly.macaroon` +and `invoice.macaroon` files exist. If they don't exist, `lnd` updates its +database with a new macaroon ID, generates the three files `admin.macaroon`, +`readonly.macaroon` and `invoice.macaroon`, all with the same ID. The +`readonly.macaroon` file has an additional caveat which restricts the caller +to using only read-only methods and the `invoice.macaroon` also has an +additional caveat which restricts the caller to using only invoice related +methods. This means a few important things: * You can delete the `admin.macaroon` and be left with only the `readonly.macaroon`, which can sometimes be useful (for example, if you want 
@@ -69,10 +72,10 @@ important things: change its state). * If you delete the data directory which contains the `macaroons.db` file, this - invalidates the `admin.macaroon` and `readonly.macaroon` files. Invalid - macaroon files give you errors like `cannot get macaroon: root key with id 0 - doesn't exist` or `verification failed: signature mismatch after caveat - verification`. + invalidates the `admin.macaroon`, `readonly.macaroon` and `invoice.macaroon` + files. Invalid macaroon files give you errors like `cannot get macaroon: root + key with id 0 doesn't exist` or `verification failed: signature mismatch + after caveat verification`. You can also run `lnd` with the `--no-macaroons` option, which skips the creation of the macaroon files and all macaroon checks within the RPC server.
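Review bot: in the first hunk (the "On startup" paragraph), the rewrite drops the original `*both*` qualifier, so "If they don't exist" no longer states whether `lnd` regenerates the files only when all three are missing or as soon as any one is; the condition matters, because the bullet that follows (delete `admin.macaroon` and keep `readonly.macaroon`) only works if a single missing file does not trigger regeneration, so spell out the real condition, e.g. "If none of them exist" or "If any of them is missing". Two smaller points in the same hunk: "with an additional caveat, that permits only" should lose the comma before "that", and "invoice related methods" should be hyphenated as "invoice-related methods" (twice). Consider also extending that following bullet to mention `invoice.macaroon` as another file that can be kept on its own.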
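Review bot: in the second hunk the rewrap places the line break inside both quoted error strings (`cannot get macaroon: root` / `key with id 0 doesn't exist` and `verification failed: signature mismatch` / `after caveat verification`), which makes them hard to find with a text search against the Markdown source; since these lines are being rewrapped anyway, keep each error message intact on a single line. It would also help the reader to say why all three files become invalid at once, which the first hunk already establishes: they are generated with the same macaroon ID, so deleting `macaroons.db` invalidates them together.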