This page speaks to mcp.loopxxi.com from your browser. You'll see the raw HTTP 402 challenge, the BOLT11 invoice, and — once you pay it with any Lightning wallet and paste the preimage — the paid result served back. No accounts, no keys, no server-side JS. View source; it's ~230 lines.
Hit GET https://mcp.loopxxi.com/l402/btc_price with no auth. The server should answer 402 Payment Required.
Copy the BOLT11 into Phoenix / Zeus / Wallet of Satoshi / LNbits / Alby / etc. It's a real invoice, expiring in minutes.
After paying, your wallet returns a preimage — a 64-char hex string. Paste it below.
Authorization: L402 <token>:<preimage>The server verifies the preimage against the invoice hash statelessly — no session, no database. Same request, one header. That's the whole L402 flow.
The 402 body carries the sats price, the invoice, and a compact token of the form <paymentHash>:<tool>:<expiry>:<hmac>. The token binds the paid tool to a specific invoice hash and expiry, signed with a server-only HMAC.
The retry header is Authorization: L402 <token>:<preimage>. Split on the last colon — the preimage is a colon-free 64-char hex, but the token itself contains three colons.
Statelessness. The server hashes the preimage with SHA-256 and compares against the payment hash embedded in the token; if the token HMAC verifies and the hash matches, the call is served. No user table, no session, no key rotation.
Pricing on this endpoint: btc_price is 10 sats — well below one US cent. Other tools on the server (btc_send_decision, lightning_address_resolve, tx_decode_explain, optimal_send_window) sit in the 10–25 sat range.
MCP transport: the same paywall protects the streamable-HTTP MCP endpoint at /mcp. Agents wired to mcp.loopxxi.com/mcp get the exact same 402 → pay → retry loop on every tools/call.
Alt rail: if you'd rather pay by card once, credit keys at api.loopxxi.com/ai-credits use the same underlying sats accounting via Authorization: Bearer loop_<key>.