Register the product
Send the signed product coordinate, encrypted delivery secret, fee cap, and seller authorization.
Payment-verified delivery
BitUnlock is a hosted Nostr unlock service for digital stores. It verifies every required Lightning split, then sends the buyer their encrypted delivery—without asking each store to operate a bot.
No LLM required. Deterministic protocol logic, explicit payment proofs, private Nostr delivery.
One service, many stores
Your storefront owns its checkout experience. BitUnlock owns payment verification, order serialization, and idempotent private delivery.
Send the signed product coordinate, encrypted delivery secret, fee cap, and seller authorization.
Receive an immutable quote containing explicit seller, platform, and BitUnlock payment legs.
After all legs settle, the service sends one idempotent NIP-44 unlock to the authenticated buyer.
Developer quickstart
The dedicated sandbox uses the same signed store API and payment-plan state machine as production, while bearer-only controls settle fake invoices and advance deterministic time.
No wallet or payment secret is needed to exercise a complete storefront flow.
import {
createBitUnlockSandboxClient,
createSandboxSession
} from "@bitunlock/sdk";
const endpoint = "https://sandbox.unlock.example";
const session = await createSandboxSession(endpoint);
const sandbox = createBitUnlockSandboxClient({
endpoint,
sessionId: session.sessionId,
controlToken: session.token,
signer: window.nostr.signEvent
});
// Use sandbox.client for normal signed v1 calls.
// The bearer token is sent only to control routes.import { createBitUnlockClient } from "@bitunlock/sdk";
const client = createBitUnlockClient({
endpoint: "https://unlock.example",
expectedServicePubkey: "<64-hex-service-pubkey>",
signer: window.nostr.signEvent
});
const { document } = await client.discoverPolicy();
console.log(document.policyVersion);
// Reuse idempotency keys only for exact retries.
// Render and pay every leg returned by createQuote().npm run conformance -- \
--endpoint https://unlock.example \
--service-pubkey <64-hex-service-pubkey>
# Verifies signed policy and the pinned identity.
# Checks headers, OpenAPI, security contact,
# and fail-closed NIP-98 authorization.
# No nsec, NWC URI, or payment secret is accepted.Staging status: the complete HTTP flow, isolated sandbox, packages, and conformance probe are implemented. Public-money launch still requires real-provider testing, Cloudflare resources, rate limits, and operational review.
Security model
BitUnlock cannot make a delivered digital file uncopyable. Its job is narrower and testable: do not release the delivery secret until the authorized payment conditions are proven.
Sellers and buyers authorize with NIP-98. Only a separate, rotatable service key is stored as a protected Cloudflare secret.
Seller NWC credentials are AEAD-encrypted in D1; platform and service connections remain dedicated receive-only Worker secrets.
Partial, expired, mismatched, or replayed payments cannot transition an order to fulfillment.
Each buyer receives one persisted NIP-44 envelope per product, with repeat-safe retrieval and serialized order mutation.