chore: encrypt tenant NWC URL at rest and stop secret exposure in tenant APIs

backend/.env.template

@@ -28,5 +28,6 @@ LIVEKIT_API_SECRET=
 
 # Billing
 NWC_URL=                      # Nostr Wallet Connect URL for generating Lightning invoices
+ENCRYPTION_SECRET=            # Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest
 STRIPE_SECRET_KEY=            # Required Stripe API secret key (sk_...)
 STRIPE_WEBHOOK_SECRET=whsec_test_00000000000000000000000000  # Webhook signing secret (use real value in production)

backend/README.md

@@ -44,6 +44,7 @@ Environment variables:
 | `LIVEKIT_API_KEY`        | LiveKit API key sent to zooid                                           | _optional_                           |
 | `LIVEKIT_API_SECRET`     | LiveKit API secret sent to zooid                                        | _optional_                           |
 | `NWC_URL`                | Platform NWC URL used to generate BOLT11 invoices                       | _required for invoice generation_    |
+| `ENCRYPTION_SECRET`      | Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest  | _required_                           |
 | `STRIPE_SECRET_KEY`      | Stripe API secret key used for billing API operations                   | _required_                           |
 | `STRIPE_WEBHOOK_SECRET`  | Stripe webhook signing secret used to verify `Stripe-Signature` headers | _required_                           |
 | `ROBOT_SECRET`           | Robot Nostr secret key                                                  | _required_                           |

backend/spec/api.md

@@ -57,7 +57,7 @@ Notes:
 
 - Serves `GET /tenants`
 - Authorizes admin only
-- Return `data` is a list of tenant structs from `query.list_tenants`
+- Return `data` is a list of `TenantResponse` structs (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn create_tenant(...) -> Response`
 
@@ -69,20 +69,21 @@ Notes:
 - On unique-constraint race (`pubkey-exists`), re-fetch and return the existing tenant
 - If Stripe customer creation fails, return `code=stripe-customer-create-failed`
 - Always returns `200` (create-or-get is uniform)
-- Return `data` is a single `Tenant` struct
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn get_tenant(...) -> Response`
 
 - Serves `GET /tenants/:pubkey`
 - Authorizes admin or matching tenant
-- Return `data` is a single tenant struct from `query.get_tenant`
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn update_tenant(...) -> Response`
 
 - Serves `PUT /tenants/:pubkey`
 - Authorizes admin or matching tenant
+- Accepts `nwc_url` in the request body; encrypts it before storage using `cipher::encrypt`
 - Updates tenant using `command.update_tenant`
-- Return `data` is the updated tenant struct
+- Return `data` is the updated `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn list_tenant_relays(...) -> Response`
 

backend/spec/models.md

@@ -52,7 +52,7 @@ There are three plans available:
 Tenants are customers of the service, identified by a nostr `pubkey`. Public metadata like name etc are pulled from the nostr network. They also have associated billing information.
 
 - `pubkey` is the nostr public key identifying the tenant
-- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf
+- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf; stored encrypted at rest using NIP-44 via `ENCRYPTION_SECRET`; never serialized to API responses — tenant API endpoints expose `nwc_is_set: bool` instead
 - `nwc_error` (private) a string indicating the most recent NWC payment error, if any. Cleared on successful NWC payment.
 - `created_at` unix timestamp identifying tenant creation time
 - `stripe_customer_id` a string identifying the associated stripe customer

backend/src/api.rs

@@ -445,6 +445,31 @@ struct IdentityResponse {
     is_admin: bool,
 }
 
+#[derive(Serialize)]
+struct TenantResponse {
+    pubkey: String,
+    nwc_is_set: bool,
+    nwc_error: Option<String>,
+    created_at: i64,
+    stripe_customer_id: String,
+    stripe_subscription_id: Option<String>,
+    past_due_at: Option<i64>,
+}
+
+impl From<Tenant> for TenantResponse {
+    fn from(t: Tenant) -> Self {
+        TenantResponse {
+            nwc_is_set: !t.nwc_url.is_empty(),
+            pubkey: t.pubkey,
+            nwc_error: t.nwc_error,
+            created_at: t.created_at,
+            stripe_customer_id: t.stripe_customer_id,
+            stripe_subscription_id: t.stripe_subscription_id,
+            past_due_at: t.past_due_at,
+        }
+    }
+}
+
 #[derive(Deserialize)]
 struct CreateRelayRequest {
     tenant: String,
@@ -486,7 +511,13 @@ async fn list_tenants(
     state.api.require_admin(&pubkey)?;
 
     match state.api.query.list_tenants().await {
-        Ok(tenants) => Ok(ok(StatusCode::OK, tenants)),
+        Ok(tenants) => Ok(ok(
+            StatusCode::OK,
+            tenants
+                .into_iter()
+                .map(TenantResponse::from)
+                .collect::<Vec<_>>(),
+        )),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,
             "internal",
@@ -515,7 +546,7 @@ async fn create_tenant(
     let pubkey = state.api.extract_auth_pubkey(&headers)?;
 
     match state.api.query.get_tenant(&pubkey).await {
-        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
+        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
         Ok(None) => {
             let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
                 Ok(id) => id,
@@ -539,10 +570,10 @@ async fn create_tenant(
             };
 
             match state.api.command.create_tenant(&tenant).await {
-                Ok(()) => Ok(ok(StatusCode::OK, tenant)),
+                Ok(()) => Ok(ok(StatusCode::OK, TenantResponse::from(tenant))),
                 Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {
                     match state.api.query.get_tenant(&pubkey).await {
-                        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
+                        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
                         Ok(None) => Ok(err(
                             StatusCode::INTERNAL_SERVER_ERROR,
                             "internal",
@@ -585,7 +616,7 @@ async fn get_tenant(
     let auth = state.api.extract_auth_pubkey(&headers)?;
     state.api.require_admin_or_tenant(&auth, &pubkey)?;
     let tenant = state.api.get_tenant_or_404(&pubkey).await?;
-    Ok(ok(StatusCode::OK, tenant))
+    Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
 }
 
 async fn list_relays(
@@ -1103,7 +1134,12 @@ async fn update_tenant(
 
     let nwc_previously_empty = tenant.nwc_url.is_empty();
     if let Some(nwc_url) = payload.nwc_url {
-        tenant.nwc_url = nwc_url;
+        if nwc_url.is_empty() {
+            tenant.nwc_url = String::new();
+        } else {
+            tenant.nwc_url =
+                crate::cipher::encrypt(&nwc_url).map_err(|e| ApiError::Internal(e.to_string()))?;
+        }
     }
 
     match state.api.command.update_tenant(&tenant).await {
@@ -1122,7 +1158,7 @@ async fn update_tenant(
                     }
                 });
             }
-            Ok(ok(StatusCode::OK, tenant))
+            Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
         }
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,

backend/src/billing.rs

@@ -422,13 +422,14 @@ impl Billing {
 
         // 1. NWC auto-pay: if the tenant has a nwc_url
         if !tenant.nwc_url.is_empty() {
+            let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
             match self
                 .nwc_pay_invoice(
                     invoice_id,
                     &tenant.pubkey,
                     amount_due,
                     currency,
-                    &tenant.nwc_url,
+                    &plain_nwc_url,
                 )
                 .await?
             {
@@ -857,6 +858,8 @@ impl Billing {
             return Ok(());
         }
 
+        let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
+
         let invoices = self
             .stripe_list_invoices(&tenant.stripe_customer_id)
             .await?;
@@ -878,7 +881,7 @@ impl Billing {
                     &tenant.pubkey,
                     amount_due,
                     currency,
-                    &tenant.nwc_url,
+                    &plain_nwc_url,
                 )
                 .await?
             {

backend/src/cipher.rs

@@ -0,0 +1,28 @@
+use anyhow::{Result, anyhow};
+use nostr_sdk::prelude::*;
+
+pub fn encrypt(plaintext: &str) -> Result<String> {
+    let keys = load_key()?;
+    nip44::encrypt(
+        keys.secret_key(),
+        &keys.public_key(),
+        plaintext,
+        nip44::Version::V2,
+    )
+    .map_err(|e| anyhow!("encryption failed: {e}"))
+}
+
+pub fn decrypt(ciphertext: &str) -> Result<String> {
+    let keys = load_key()?;
+    nip44::decrypt(keys.secret_key(), &keys.public_key(), ciphertext)
+        .map_err(|e| anyhow!("decryption failed: {e}"))
+}
+
+fn load_key() -> Result<Keys> {
+    let secret = std::env::var("ENCRYPTION_SECRET")
+        .map_err(|_| anyhow!("missing ENCRYPTION_SECRET environment variable"))?;
+    if secret.trim().is_empty() {
+        return Err(anyhow!("ENCRYPTION_SECRET is empty"));
+    }
+    Keys::parse(&secret).map_err(|e| anyhow!("invalid ENCRYPTION_SECRET: {e}"))
+}

backend/src/lib.rs

@@ -1,5 +1,6 @@
 pub mod api;
 pub mod billing;
+pub mod cipher;
 pub mod command;
 pub mod infra;
 pub mod models;

backend/src/main.rs

@@ -1,5 +1,6 @@
 mod api;
 mod billing;
+mod cipher;
 mod command;
 mod infra;
 mod models;