ArxMint: Sovereign Payment Network Specification

Verify your mint is who it says it is

Verify keyset IDs against mint pubkeys. Prevent NUT-13 deterministic secret collisions — critical for agent wallets.

Honest reporting of what's available on each backend

Honest per-backend SP availability. SP for Fedimint peg-outs requires a federation module (server-side).

Agents get the minimum access they need, nothing more

WATCH_ONLY → PAY_ONLY → ADMIN tiers. Agents default to WATCH_ONLY. Never give agents admin macaroons.

Agent processes never hold signing keys

Signer config and fail-closed validation are shipped. Full isolated signer transport remains to be finalized.

Pay for services with ecash, not just Lightning

Dual L402 + Cashu flows are implemented; strict production enforcement and deeper testing are still being hardened.

Auto-pick the cheapest, most private way to pay

Auto-select ecash → Lightning → Ark → on-chain based on amount and privacy score.

Real numbers showing community health

Merchant count, active spenders, spend velocity, grant-ready export.

Step-by-step setup for any local business

Multi-step form, QR codes, POS guidance, directory listings.

Generate limited-permission keys for different roles

Generate scoped credentials: pay-only, invoice-only, read-only, agent-commerce.

Temporary wallets that clean up after themselves

In-memory, auto-expire, scoped. No persistent secrets.

Guided federation setup, no DevOps required

Fedimint G-Bot API for guided federation bootstrap with Docker fallback.

Sign in with your Nostr identity — no passwords, no database

NIP-07 browser extension auth (Alby, nos2x). Session persists via localStorage. NIP-98 HTTP auth utilities for future API protection.

Latest security and performance improvements

Generator paths target "Lighthouse" v0.10.0; root local compose still needs full parity.

High-privacy off-chain spending layer

SovereignArkClient interface exists with stub-mode behavior pending full upstream integration.

Production-grade mint with real database and monitoring

CDK generation path exists; default local stack still uses Nutshell for quick start.

Spread trust across multiple ecash providers

Manager and swap scaffolding are in place; operational hardening and broader coverage continue.

Scan or tap to pay, just like a credit card

cashu:// URI format for merchant QR codes and payment requests.

Receive Bitcoin without reusing addresses

Scanner/indexer/key-delegation scaffolding is implemented with remaining protocol-level hardening.

Real-time health dashboards for community operators

Prometheus/Grafana generation is implemented; deployment parity across all compose paths is ongoing.

Ecash automatically converts to Lightning when needed

Bridge flow is implemented with placeholder preimage handling pending final production wiring.

Rules for who runs the shared vault and how

Selection criteria, rotation policy, incident response, quorum management.

Smart contracts for ecash — escrow, subscriptions, automated payments

Conditional tokens: escrow, subscriptions, proof-of-service.

Cryptographic proof that agent wallets are honest

Audit-log + ZK reissuance for stateless agent wallets.

Sign transactions with your hardware device

SP descriptor support and PSBT spending for hardware signing devices.

Multi-mint atomic swaps and proof verification

P2BK, background proof state verification, multi-mint atomic swaps.

Tap your card to pay at any merchant

Tap-to-pay for merchants using Numo NFC cards.

Real businesses, real customers, real sats changing hands

Directory is live, checkout prototypes are live, and the NUC testnet stack is running. Next: first real testnet payment, ops verification, and merchant activation flow.

Funding to scale from pilot to production

FBCE, OpenSats, and Fedi application templates and workflow support.

Transparent progress tracking for funders

Export monthly/quarterly KPI snapshots and reporting artifacts.

Step-by-step guide for any community to copy this

Open-source "BCE in a box" playbook generated from pilot configuration.

Connect Longmont to other cities on the same rails

Expand pilot model into multi-city commerce via multi-mint and Lightning bridge routes.

Your node, your keys — programmatic access with sandbox mode

L402 macaroon-based auth tokens generated on the merchant's own node. Scoped permissions (read/invoice/pay/admin), key rotation, rate limits. Non-custodial by design.

Get notified instantly when a customer pays — on your own infrastructure

Webhook engine runs on the merchant's node, watching their own LND/Cashu for invoice settlements. HMAC-SHA256 signed payloads, exponential backoff retry, delivery logs.

A payment link on your own domain — no code required

Prototype is live at /pay/[merchant-id] using /api/checkout, but it is still centralized, Lightning-only, poll-based, and demo-capable. Next step: merchant-local invoices, Cashu QR, and real-time updates.

Know exactly when your customer paid

Prototype status polling already exists for checkout sessions. Next step: merchant-local /api/v1/payments, deterministic state model, and SSE status_changed events.

Add payments to any website in 10 lines of code

@arxmint/js and @arxmint/react — connects to the merchant's own endpoint, not a central server. PayButton, CheckoutForm, QRPayment components.

name@pay.merchant.com — scan and pay at any register

Lightning Address and LNURL-pay served from the merchant's own domain. Static QR codes for POS. NFC tag provisioning via Numo. No intermediary.

See every payment, manage your node, track your revenue

Self-hosted dashboard with payments, analytics, auth token management, webhook config, node status. No data leaves the merchant's infrastructure.

Three questions, fifteen minutes — your payment node is live

/create already presents the merchant-first beta wizard shell. Next step: turn it into a real merchant init/export/provision path instead of a coming-soon funnel.

Customers find you — searchable by category and location

Live now at /merchants with 2 public merchants, 13 admin-only pipeline merchants, signup form, checkout links, and badge CTA. Next step: search, activation workflow, referral attribution, and cleaner public/live semantics.

No double charges, no duplicate records, hardened for the open internet

Idempotency-Key header on all payment endpoints. Structured error codes. Caddy auto-HTTPS, CSP headers, rate limiting, firewall rules generated by setup wizard.

Updates, backups, and disaster recovery — handled automatically

Three sub-systems: (a) Appliance update engine — signed stack BOMs with auto-rollback on failed health checks, canary rings for staged rollout. (b) Zero-knowledge encrypted backups — LND SCB event-driven on every channel change, Cashu mint DB encrypted with seed-derived key, automated restore rehearsal. (c) One-click restore — fresh host + seed phrase = full recovery.

One-click install from your home node app store

Package the merchant stack for Umbrel and StartOS app stores. Umbrel is the fastest target — Docker Compose maps directly to its packaging format. Checkout endpoints public via App Proxy, admin behind Umbrel auth. StartOS as secondary with richer ops UX.

Manage your node from your phone — the VPS is invisible

React Native app as remote control for the merchant's VPS node. POS terminal, QR generation, daily sales, push notifications on invoice settlement. Wallet unlock via push notification (non-custodial — secret goes to node, never ArxMint). Near-term: PWA dashboard (5.7) covers 80%. Lite mode: LDK on mobile via Breez SDK for pop-up shops — no VPS needed.