docs(auth): document intentional session-style NIP-98 model

Co-authored-by: userAdityaa <aditya.chaudhary1558@gmail.com>
Co-committed-by: userAdityaa <aditya.chaudhary1558@gmail.com>

backend/README.md

@@ -60,7 +60,13 @@ See [spec](spec) for more details
 
 ## API Routes
 
-All routes are NIP-98 protected.
+Most API routes are NIP-98 protected.
+
+Public exceptions:
+
+- `GET /plans`
+- `GET /plans/:id`
+- `POST /stripe/webhook` (validated with Stripe signatures instead)
 
 - `GET /identity` — get auth identity (`pubkey`, `is_admin`)
 - `GET /tenants` — list tenants (admin)
@@ -73,3 +79,13 @@ All routes are NIP-98 protected.
 - `PUT /relays/:id` — update relay (admin or relay tenant)
 - `POST /relays/:id/deactivate` — deactivate relay (admin or relay tenant)
 - `GET /invoices` — list invoices (`?tenant=<pubkey>` allowed for admin only)
+
+## API Auth Model
+
+Caravel intentionally uses a session-style variant of NIP-98 for client-to-backend API auth.
+
+- Frontend signs one kind `27235` event with `u = VITE_API_URL` and caches that header for about 10 minutes.
+- Backend verifies event kind, signature, and that `u` contains configured `HOST`.
+- Backend intentionally does not bind auth to exact request URL/method/query, and does not enforce payload hash, timestamp freshness window, or replay cache.
+- Goal: reduce repeated wallet signing prompts and avoid cookie-based sessions.
+- Tradeoff: this is weaker request-intent binding than strict NIP-98 semantics.

backend/migrations/0001_init.sql

@@ -12,7 +12,7 @@ CREATE TABLE IF NOT EXISTS tenant (
   nwc_url TEXT NOT NULL DEFAULT '',
   nwc_error TEXT,
   created_at INTEGER NOT NULL,
-  stripe_customer_id TEXT NOT NULL DEFAULT '',
+  stripe_customer_id TEXT NOT NULL,
   stripe_subscription_id TEXT,
   past_due_at INTEGER
 );

backend/spec/api.md

@@ -184,9 +184,11 @@ Notes:
 ## `extract_auth_pubkey(&self, headers: &HeaderMap) -> Result<String>`
 
 - Parses `Authorization` header
-- Validates event kind and signature using `nostr_sdk`
-- Validates event `u` against `HOST` (not the request path. Non-standard, but correct)
-- Does not validate `method` tag
+- Validates event kind (`27235`) and signature using `nostr_sdk`
+- Validates event `u` contains configured `HOST`
+- Intentionally does **not** enforce exact request URL/method/query matching
+- Intentionally does **not** validate `payload` tag/hash, `created_at` freshness window, or replay nonce/cache
+- This is a deliberate session-style tradeoff to reduce repeated signer prompts in the client
 - Returns pubkey if header all checks pass
 
 Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. Use `nostr_sdk` functionality where possible.

backend/spec/infra.md

@@ -19,7 +19,7 @@ Members:
 
 ## `async fn handle_activity(&self, activity: &Activity)`
 
-- For `create_relay`, `update_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
+- For `create_relay`, `update_relay`, `activate_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
 - All other activity types are ignored (e.g. `fail_relay_sync`, `complete_relay_sync`).
 
 ## `async fn sync_and_report(&self, relay: &Relay, is_new: bool)`

backend/src/api.rs

@@ -12,7 +12,7 @@ use base64::Engine;
 use nostr_sdk::{Event, JsonUtil, Kind};
 use serde::{Deserialize, Serialize};
 
-use crate::billing::Billing;
+use crate::billing::{Billing, InvoiceLookupError};
 use crate::command::Command;
 use crate::models::{
     RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
@@ -72,6 +72,11 @@ enum ApiError {
     Unauthorized(anyhow::Error),
     Forbidden(&'static str),
     NotFound(&'static str),
+    Client {
+        status: StatusCode,
+        code: &'static str,
+        message: &'static str,
+    },
     Internal(String),
 }
 
@@ -81,11 +86,36 @@ impl IntoResponse for ApiError {
             Self::Unauthorized(e) => err(StatusCode::UNAUTHORIZED, "unauthorized", &e.to_string()),
             Self::Forbidden(message) => err(StatusCode::FORBIDDEN, "forbidden", message),
             Self::NotFound(message) => err(StatusCode::NOT_FOUND, "not-found", message),
+            Self::Client {
+                status,
+                code,
+                message,
+            } => err(status, code, message),
             Self::Internal(message) => err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &message),
         }
     }
 }
 
+fn map_invoice_lookup_error(error: InvoiceLookupError) -> ApiError {
+    match error {
+        InvoiceLookupError::StripeClient { status } => {
+            let status = StatusCode::from_u16(status.as_u16()).unwrap_or(StatusCode::BAD_REQUEST);
+            match status {
+                StatusCode::NOT_FOUND => ApiError::NotFound("invoice not found"),
+                StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
+                    ApiError::Forbidden("invoice access denied")
+                }
+                _ => ApiError::Client {
+                    status,
+                    code: "invoice-request-rejected",
+                    message: "invoice request rejected",
+                },
+            }
+        }
+        InvoiceLookupError::Internal(error) => ApiError::Internal(error.to_string()),
+    }
+}
+
 impl Api {
     pub fn new(query: Query, command: Command, billing: Billing) -> Self {
         let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
@@ -179,6 +209,9 @@ impl Api {
             return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
         };
 
+        // Intentional session-style variant of NIP-98 for Caravel API auth.
+        // We validate signer identity plus host affinity, and do not bind to exact
+        // request URL/method or maintain replay state here.
         if !self.host.is_empty() && !got_u.contains(&self.host) {
             return Err(ApiError::Unauthorized(anyhow!(
                 "authorization host mismatch"
@@ -370,32 +403,50 @@ async fn get_identity(
     let pubkey = state.api.extract_auth_pubkey(&headers)?;
     let is_admin = state.api.admins.iter().any(|a| a == &pubkey);
 
-    // Only create if tenant doesn't exist yet
-    if let Ok(None) = state.api.query.get_tenant(&pubkey).await {
-        // TODO: Call Stripe API to create a new customer
-        let stripe_customer_id = String::new();
+    // Ensure tenant exists.
+    match state.api.query.get_tenant(&pubkey).await {
+        Ok(Some(_)) => {}
+        Ok(None) => {
+            let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
+                Ok(id) => id,
+                Err(e) => {
+                    return Ok(err(
+                        StatusCode::INTERNAL_SERVER_ERROR,
+                        "stripe-customer-create-failed",
+                        &e.to_string(),
+                    ));
+                }
+            };
 
-        let tenant = Tenant {
-            pubkey: pubkey.clone(),
-            nwc_url: String::new(),
-            nwc_error: None,
-            created_at: now_ts(),
-            stripe_customer_id,
-            stripe_subscription_id: None,
-            past_due_at: None,
-        };
+            let tenant = Tenant {
+                pubkey: pubkey.clone(),
+                nwc_url: String::new(),
+                nwc_error: None,
+                created_at: now_ts(),
+                stripe_customer_id,
+                stripe_subscription_id: None,
+                past_due_at: None,
+            };
 
-        match state.api.command.create_tenant(&tenant).await {
-            Ok(()) => {}
-            Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
-            Err(e) => {
-                return Ok(err(
-                    StatusCode::INTERNAL_SERVER_ERROR,
-                    "internal",
-                    &e.to_string(),
-                ));
-            }
-        };
+            match state.api.command.create_tenant(&tenant).await {
+                Ok(()) => {}
+                Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
+                Err(e) => {
+                    return Ok(err(
+                        StatusCode::INTERNAL_SERVER_ERROR,
+                        "internal",
+                        &e.to_string(),
+                    ));
+                }
+            };
+        }
+        Err(e) => {
+            return Ok(err(
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "internal",
+                &e.to_string(),
+            ));
+        }
     }
 
     Ok(ok(StatusCode::OK, IdentityResponse { pubkey, is_admin }))
@@ -790,7 +841,7 @@ async fn get_invoice(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     Ok(ok(StatusCode::OK, invoice))
@@ -807,7 +858,7 @@ async fn get_invoice_bolt11(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     let status = invoice["status"].as_str().unwrap_or_default();

backend/src/billing.rs

@@ -18,6 +18,41 @@ const STRIPE_API: &str = "https://api.stripe.com/v1";
 const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;
 
+#[derive(Debug)]
+pub enum InvoiceLookupError {
+    StripeClient { status: reqwest::StatusCode },
+    Internal(anyhow::Error),
+}
+
+impl std::fmt::Display for InvoiceLookupError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::StripeClient { status } => {
+                write!(
+                    f,
+                    "stripe invoice lookup failed with status {}",
+                    status.as_u16()
+                )
+            }
+            Self::Internal(error) => write!(f, "{error}"),
+        }
+    }
+}
+
+impl std::error::Error for InvoiceLookupError {}
+
+impl From<anyhow::Error> for InvoiceLookupError {
+    fn from(value: anyhow::Error) -> Self {
+        Self::Internal(value)
+    }
+}
+
+impl From<reqwest::Error> for InvoiceLookupError {
+    fn from(value: reqwest::Error) -> Self {
+        Self::Internal(value.into())
+    }
+}
+
 #[derive(serde::Deserialize)]
 struct StripeEvent {
     #[serde(rename = "type")]
@@ -56,6 +91,9 @@ impl Billing {
     pub fn new(query: Query, command: Command, robot: Robot) -> Self {
         let nwc_url = std::env::var("NWC_URL").unwrap_or_default();
         let stripe_secret_key = std::env::var("STRIPE_SECRET_KEY").unwrap_or_default();
+        if stripe_secret_key.trim().is_empty() {
+            panic!("missing STRIPE_SECRET_KEY environment variable");
+        }
         let stripe_webhook_secret = std::env::var("STRIPE_WEBHOOK_SECRET").unwrap_or_default();
         let btc_quote_api_base =
             std::env::var("BTC_PRICE_API_BASE").unwrap_or_else(|_| COINBASE_SPOT_API.to_string());
@@ -459,19 +497,48 @@ impl Billing {
     pub async fn get_invoice_with_tenant(
         &self,
         invoice_id: &str,
-    ) -> Result<(serde_json::Value, crate::models::Tenant)> {
+    ) -> std::result::Result<(serde_json::Value, crate::models::Tenant), InvoiceLookupError> {
         let invoice = self.stripe_get_invoice(invoice_id).await?;
         let customer_id = invoice["customer"]
             .as_str()
-            .ok_or_else(|| anyhow!("invoice missing customer"))?;
+            .ok_or_else(|| InvoiceLookupError::Internal(anyhow!("invoice missing customer")))?;
         let tenant = self
             .query
             .get_tenant_by_stripe_customer_id(customer_id)
             .await?
-            .ok_or_else(|| anyhow!("tenant not found for customer"))?;
+            .ok_or_else(|| {
+                InvoiceLookupError::Internal(anyhow!("tenant not found for customer"))
+            })?;
         Ok((invoice, tenant))
     }
 
+    pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String> {
+        let short_pubkey: String = tenant_pubkey.chars().take(12).collect();
+        let display_name = format!("Caravel tenant {short_pubkey}");
+
+        let resp = self
+            .http
+            .post(format!("{STRIPE_API}/customers"))
+            .bearer_auth(&self.stripe_secret_key)
+            .form(&[
+                ("name", display_name.as_str()),
+                ("metadata[tenant_pubkey]", tenant_pubkey),
+            ])
+            .send()
+            .await?;
+
+        let body: serde_json::Value = resp.error_for_status()?.json().await?;
+        let customer_id = body["id"]
+            .as_str()
+            .ok_or_else(|| anyhow!("missing customer id"))?;
+
+        if !customer_id.starts_with("cus_") {
+            return Err(anyhow!("unexpected customer id format"));
+        }
+
+        Ok(customer_id.to_string())
+    }
+
     pub async fn stripe_list_invoices(&self, customer_id: &str) -> Result<serde_json::Value> {
         let resp = self
             .http
@@ -485,7 +552,10 @@ impl Billing {
         Ok(body["data"].clone())
     }
 
-    pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<serde_json::Value> {
+    pub async fn stripe_get_invoice(
+        &self,
+        invoice_id: &str,
+    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
         let resp = self
             .http
             .get(format!("{STRIPE_API}/invoices/{invoice_id}"))
@@ -493,6 +563,12 @@ impl Billing {
             .send()
             .await?;
 
+        if resp.status().is_client_error() {
+            return Err(InvoiceLookupError::StripeClient {
+                status: resp.status(),
+            });
+        }
+
         let body: serde_json::Value = resp.error_for_status()?.json().await?;
         Ok(body)
     }
@@ -871,4 +947,107 @@ mod tests {
             &unknown_status_paid
         ));
     }
+
+    use super::*;
+    use sqlx::SqlitePool;
+    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
+    use std::str::FromStr;
+    use std::sync::{Mutex, OnceLock};
+
+    fn env_lock() -> &'static Mutex<()> {
+        static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+        LOCK.get_or_init(|| Mutex::new(()))
+    }
+
+    #[allow(unused_unsafe)]
+    fn set_stripe_secret_key(value: Option<&str>) {
+        match value {
+            Some(v) => unsafe { std::env::set_var("STRIPE_SECRET_KEY", v) },
+            None => unsafe { std::env::remove_var("STRIPE_SECRET_KEY") },
+        }
+    }
+
+    struct StripeSecretKeyGuard {
+        previous: Option<String>,
+    }
+
+    impl StripeSecretKeyGuard {
+        fn set(value: Option<&str>) -> Self {
+            let previous = std::env::var("STRIPE_SECRET_KEY").ok();
+            set_stripe_secret_key(value);
+            Self { previous }
+        }
+    }
+
+    impl Drop for StripeSecretKeyGuard {
+        fn drop(&mut self) {
+            set_stripe_secret_key(self.previous.as_deref());
+        }
+    }
+
+    async fn test_pool() -> SqlitePool {
+        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
+            .expect("valid sqlite memory url")
+            .create_if_missing(true);
+
+        let pool = SqlitePoolOptions::new()
+            .max_connections(1)
+            .connect_with(connect_options)
+            .await
+            .expect("connect sqlite memory db");
+
+        sqlx::migrate!("./migrations")
+            .run(&pool)
+            .await
+            .expect("run migrations");
+
+        pool
+    }
+
+    #[tokio::test]
+    async fn billing_new_panics_without_stripe_secret_key() {
+        let _lock = env_lock().lock().expect("acquire env lock");
+        let _env = StripeSecretKeyGuard::set(None);
+
+        let pool = test_pool().await;
+        let query = Query::new(pool.clone());
+        let command = Command::new(pool);
+        let robot = Robot::test_stub();
+
+        let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+            Billing::new(query, command, robot)
+        }));
+
+        let panic_payload = match result {
+            Ok(_) => panic!("constructor should panic when STRIPE_SECRET_KEY is missing"),
+            Err(payload) => payload,
+        };
+        let panic_msg = if let Some(msg) = panic_payload.downcast_ref::<&str>() {
+            (*msg).to_string()
+        } else if let Some(msg) = panic_payload.downcast_ref::<String>() {
+            msg.clone()
+        } else {
+            String::new()
+        };
+
+        assert!(
+            panic_msg.contains("missing STRIPE_SECRET_KEY environment variable"),
+            "unexpected panic: {panic_msg}"
+        );
+    }
+
+    #[tokio::test]
+    async fn billing_new_accepts_non_empty_stripe_secret_key() {
+        let _lock = env_lock().lock().expect("acquire env lock");
+        let _env = StripeSecretKeyGuard::set(Some("sk_test_dummy"));
+
+        let pool = test_pool().await;
+        let billing = Billing::new(
+            Query::new(pool.clone()),
+            Command::new(pool),
+            Robot::test_stub(),
+        );
+
+        assert_eq!(billing.stripe_secret_key, "sk_test_dummy");
+    }
 }

backend/src/command.rs

@@ -66,6 +66,10 @@ impl Command {
     }
 
     pub async fn create_tenant(&self, tenant: &Tenant) -> Result<()> {
+        if tenant.stripe_customer_id.trim().is_empty() {
+            anyhow::bail!("stripe_customer_id is required");
+        }
+
         let mut tx = self.pool.begin().await?;
 
         sqlx::query(
@@ -327,3 +331,56 @@ impl Command {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use sqlx::SqlitePool;
+    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
+    use std::str::FromStr;
+
+    async fn test_pool() -> SqlitePool {
+        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
+            .expect("valid sqlite memory url")
+            .create_if_missing(true);
+
+        let pool = SqlitePoolOptions::new()
+            .max_connections(1)
+            .connect_with(connect_options)
+            .await
+            .expect("connect sqlite memory db");
+
+        sqlx::migrate!("./migrations")
+            .run(&pool)
+            .await
+            .expect("run migrations");
+
+        pool
+    }
+
+    #[tokio::test]
+    async fn create_tenant_rejects_empty_stripe_customer_id() {
+        let pool = test_pool().await;
+        let command = Command::new(pool);
+
+        let tenant = Tenant {
+            pubkey: "tenant_pubkey".to_string(),
+            nwc_url: String::new(),
+            nwc_error: None,
+            created_at: 0,
+            stripe_customer_id: "   ".to_string(),
+            stripe_subscription_id: None,
+            past_due_at: None,
+        };
+
+        let err = command
+            .create_tenant(&tenant)
+            .await
+            .expect_err("empty customer id must be rejected");
+
+        assert!(
+            err.to_string().contains("stripe_customer_id is required"),
+            "unexpected error: {err}"
+        );
+    }
+}

backend/src/infra.rs

@@ -56,10 +56,7 @@ impl Infra {
     }
 
     async fn handle_activity(&self, activity: &Activity) -> Result<()> {
-        let needs_sync = matches!(
-            activity.activity_type.as_str(),
-            "create_relay" | "update_relay" | "deactivate_relay"
-        );
+        let needs_sync = should_sync_relay_activity(activity.activity_type.as_str());
 
         if needs_sync {
             let Some(relay) = self.query.get_relay(&activity.resource_id).await? else {
@@ -93,7 +90,9 @@ impl Infra {
     async fn nip98_auth(&self, url: &str, method: HttpMethod) -> Result<String> {
         let keys = Keys::parse(&self.api_secret)?;
         let server_url = Url::parse(url)?;
-        let auth = HttpData::new(server_url, method).to_authorization(&keys).await?;
+        let auth = HttpData::new(server_url, method)
+            .to_authorization(&keys)
+            .await?;
         Ok(auth)
     }
 
@@ -150,11 +149,21 @@ impl Infra {
         let response = if is_new {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::POST).await?;
-            client.post(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .post(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         } else {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::PUT).await?;
-            client.put(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .put(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         };
 
         if !response.status().is_success() {
@@ -165,3 +174,10 @@ impl Infra {
         Ok(())
     }
 }
+
+fn should_sync_relay_activity(activity_type: &str) -> bool {
+    matches!(
+        activity_type,
+        "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
+    )
+}

backend/src/robot.rs

@@ -254,3 +254,23 @@ async fn set_cached(
         },
     );
 }
+
+#[cfg(test)]
+impl Robot {
+    pub fn test_stub() -> Self {
+        let keys = Keys::generate();
+        let client = Client::new(keys);
+
+        Self {
+            secret: String::new(),
+            name: String::new(),
+            description: String::new(),
+            picture: String::new(),
+            outbox_client: client.clone(),
+            indexer_client: client.clone(),
+            messaging_client: client,
+            outbox_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
+            dm_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
+        }
+    }
+}

frontend/README.md

@@ -51,8 +51,11 @@ npm run preview
 
 ## Authentication
 
-- Tenant requests use NIP-98 tokens derived from the logged-in user
-- Admin routes require a pubkey listed in `PLATFORM_ADMIN_PUBKEYS` on the backend
+- Tenant requests use an intentional session-style variant of NIP-98:
+  - The client signs one kind `27235` event with `u = VITE_API_URL`.
+  - The resulting `Authorization` header is cached for about 10 minutes to avoid repeated signer prompts.
+  - The backend validates signer identity + host affinity rather than exact URL/method binding per request.
+- Admin routes require a pubkey listed in `ADMINS` on the backend.
 
 ## Routes
 

frontend/src/components/PaymentDialog.tsx

@@ -6,6 +6,7 @@ import { getInvoice, getInvoiceBolt11 } from "@/lib/api"
 import { tenantNeedsPaymentSetup } from "@/lib/hooks"
 
 type PayStatus = "idle" | "loading" | "success" | "error"
+type Bolt11Status = "idle" | "loading" | "ready" | "error"
 
 type PaymentInvoice = {
   id: string
@@ -21,20 +22,34 @@ type PaymentDialogProps = {
 export default function PaymentDialog(props: PaymentDialogProps) {
   const [bolt11, setBolt11] = createSignal("")
   const [qrDataUrl, setQrDataUrl] = createSignal("")
+  const [bolt11Status, setBolt11Status] = createSignal<Bolt11Status>("idle")
+  const [bolt11Error, setBolt11Error] = createSignal("")
   const [payStatus, setPayStatus] = createSignal<PayStatus>("idle")
   const [payError, setPayError] = createSignal("")
   const [showSetup, setShowSetup] = createSignal(false)
   const [showPaymentSetup, setShowPaymentSetup] = createSignal(false)
 
-  createEffect(async () => {
-    if (!props.open || !props.invoice.id) return
+  async function loadBolt11() {
+    if (!props.invoice.id) return
+    setBolt11Status("loading")
+    setBolt11Error("")
+    setBolt11("")
+    setQrDataUrl("")
+
     try {
       const { bolt11: invoice } = await getInvoiceBolt11(props.invoice.id)
       setBolt11(invoice)
       setQrDataUrl(await QRCode.toDataURL(invoice, { width: 256, margin: 2 }))
-    } catch {
-      // bolt11 generation may fail
+      setBolt11Status("ready")
+    } catch (e) {
+      setBolt11Status("error")
+      setBolt11Error(e instanceof Error ? e.message : "Failed to generate Lightning invoice")
     }
+  }
+
+  createEffect(() => {
+    if (!props.open || !props.invoice.id) return
+    void loadBolt11()
   })
 
   function copyBolt11() {
@@ -62,6 +77,8 @@ export default function PaymentDialog(props: PaymentDialogProps) {
   function handleClose() {
     setPayStatus("idle")
     setPayError("")
+    setBolt11Status("idle")
+    setBolt11Error("")
     setBolt11("")
     setQrDataUrl("")
     setShowSetup(false)
@@ -104,33 +121,46 @@ export default function PaymentDialog(props: PaymentDialogProps) {
           when={payStatus() === "success"}
           fallback={
             <div class="w-full space-y-3">
-              <Show
-                when={qrDataUrl()}
-                fallback={<div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>}
-              >
-                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
+              <Show when={bolt11Status() === "idle" || bolt11Status() === "loading"}>
+                <div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>
               </Show>
-              <Show when={bolt11()}>
-                <div class="flex rounded-lg border border-gray-300">
-                  <input
-                    type="text"
-                    readOnly
-                    value={bolt11()}
-                    class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
-                  />
+              <Show when={bolt11Status() === "error"}>
+                <div class="rounded-lg border border-red-200 bg-red-50 p-4">
+                  <p class="text-sm font-medium text-red-700">Unable to generate invoice</p>
+                  <p class="mt-1 text-xs text-red-600 wrap-break-word">{bolt11Error()}</p>
                   <button
                     type="button"
-                    class="flex items-center px-3 text-gray-400 hover:text-gray-700"
-                    onClick={copyBolt11}
-                    title="Copy invoice"
+                    onClick={() => void loadBolt11()}
+                    class="mt-3 inline-flex items-center rounded-lg bg-red-600 px-3 py-1.5 text-sm font-medium text-white hover:bg-red-700"
                   >
-                    <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
-                      <rect x="9" y="9" width="13" height="13" rx="2" />
-                      <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
-                    </svg>
+                    Retry
                   </button>
                 </div>
               </Show>
+              <Show when={bolt11Status() === "ready"}>
+                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
+                <Show when={bolt11()}>
+                  <div class="flex rounded-lg border border-gray-300">
+                    <input
+                      type="text"
+                      readOnly
+                      value={bolt11()}
+                      class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
+                    />
+                    <button
+                      type="button"
+                      class="flex items-center px-3 text-gray-400 hover:text-gray-700"
+                      onClick={copyBolt11}
+                      title="Copy invoice"
+                    >
+                      <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                        <rect x="9" y="9" width="13" height="13" rx="2" />
+                        <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
+                      </svg>
+                    </button>
+                  </div>
+                </Show>
+              </Show>
             </div>
           }
         >
@@ -188,7 +218,7 @@ export default function PaymentDialog(props: PaymentDialogProps) {
           <button
             type="button"
             onClick={checkPayment}
-            disabled={payStatus() === "loading"}
+            disabled={payStatus() === "loading" || bolt11Status() !== "ready"}
             class="py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
           >
             {payStatus() === "loading" ? "Checking..." : "Complete Payment"}

frontend/src/lib/api.ts

@@ -145,6 +145,8 @@ export async function makeAuth(): Promise<string | undefined> {
     kind: 27235,
     content: "",
     created_at: Math.floor(now / 1000),
+    // Intentional session-style auth: sign the API base URL once, then reuse
+    // the header briefly to avoid prompting the signer on every request.
     tags: [["u", API_URL]],
   })