Payment-verified delivery

Sell the file. Keep the key private.

BitUnlock is a hosted Nostr unlock service for digital stores. It verifies every required Lightning split, then sends the buyer their encrypted delivery—without asking each store to operate a bot.

No LLM required. Deterministic protocol logic, explicit payment proofs, private Nostr delivery.

One service, many stores

A small integration surface.

Your storefront owns its checkout experience. BitUnlock owns payment verification, order serialization, and idempotent private delivery.

01

Register the product

Send the signed product coordinate, encrypted delivery secret, fee cap, and seller authorization.

02

Present one payment plan

Receive an immutable quote containing explicit seller, platform, and BitUnlock payment legs.

03

Let BitUnlock deliver

After all legs settle, the service sends one idempotent NIP-44 unlock to the authenticated buyer.

Developer quickstart

Start with fake sats. Ship with a pinned identity.

The dedicated sandbox uses the same signed store API and payment-plan state machine as production, while bearer-only controls settle fake invoices and advance deterministic time.

A safe first integration

No wallet or payment secret is needed to exercise a complete storefront flow.

  • Create an isolated, expiring sandbox session
  • Use ordinary NIP-98 requests through the SDK
  • Settle or expire only your session's fake legs
  • Pin the production service npub before launch
  • Run the no-secret conformance probe in CI
import {
  createBitUnlockSandboxClient,
  createSandboxSession
} from "@bitunlock/sdk";

const endpoint = "https://sandbox.unlock.example";
const session = await createSandboxSession(endpoint);
const sandbox = createBitUnlockSandboxClient({
  endpoint,
  sessionId: session.sessionId,
  controlToken: session.token,
  signer: window.nostr.signEvent
});

// Use sandbox.client for normal signed v1 calls.
// The bearer token is sent only to control routes.

Staging status: the complete HTTP flow, isolated sandbox, packages, and conformance probe are implemented. Public-money launch still requires real-provider testing, Cloudflare resources, rate limits, and operational review.

Security model

Custody minimized. Boundaries explicit.

BitUnlock cannot make a delivered digital file uncopyable. Its job is narrower and testable: do not release the delivery secret until the authorized payment conditions are proven.

No personal or admin nsec in the Worker

Sellers and buyers authorize with NIP-98. Only a separate, rotatable service key is stored as a protected Cloudflare secret.

Restricted wallet permissions

Seller NWC credentials are AEAD-encrypted in D1; platform and service connections remain dedicated receive-only Worker secrets.

All legs or no unlock

Partial, expired, mismatched, or replayed payments cannot transition an order to fulfillment.

Private and idempotent delivery

Each buyer receives one persisted NIP-44 envelope per product, with repeat-safe retrieval and serialized order mutation.