ACINQ / phoenixd

https://phoenix.acinq.co/server
Apache License 2.0
117 stars 15 forks source link

Enhancement: Different HTTP API key for receiving and spending ops #74

Closed thepatchworkapp closed 4 months ago

thepatchworkapp commented 4 months ago

Hey Team,

I'd like to generate invoices on my website with phoenixd running on a remote machine. To do this currently, I'd have to store the API key on my web server. If the web server was ever compromised, an attacker would have the API key which gives full control over phoenixd.

Could we get separate API keys for spending from the wallet?

In the proposed setup, the web server could use a read-only API key to generate an invoice from phoenixd. In the event of a compromise, an attacker couldn't spend any funds.

What do you think?