Greenlight

Apps25 min readBlockstream's non-custodial Lightning-as-a-service layer for app-owned signers and cloud-hosted Core Lightning nodes

Greenlight

Greenlight matters to Nostr because it can be the Lightning backend behind wallets, apps, commerce flows and NWC-capable products that want node-backed payments without asking every user or developer to operate a full node stack.

Greenlight is managed CLN with user-side signing

Greenlight is easiest to understand as a split Lightning node model. Blockstream runs and schedules the Core Lightning node infrastructure, while the user-side client or signer keeps the private material that authorizes spending. The product page presents it as a personal Core Lightning node without the technical fuss. That sentence is useful only if you keep both halves: personal node behavior on one side, managed infrastructure on the other.

This is not the same as a custodial Lightning wallet. In the Greenlight model, the service is designed so the operator can manage node hosting, backups, watchtower-like responsibilities and availability without simply holding the keys that move user funds. The signer remains the security boundary. If a payment or channel action requires a signature, the signer must decide whether to authorize it.

It is also not the same as running CLN yourself. With self-hosted CLN, the operator owns the process, machine, database, plugin directory, backups and networking. With Greenlight, much of that operational burden moves to Blockstream's service. The reader should therefore judge it as an infrastructure dependency with a non-custodial signing design, not as a magic wallet that removes all Lightning responsibility.

Why Greenlight appears in Nostr payment maps

Nostr apps need money paths that do not force every social client, marketplace or media tool to become a Lightning node company. Greenlight can provide the backend shape: a node exists for the user or app, the keys remain with the signer, and the application can integrate Lightning without directly hosting all node infrastructure. That is why it belongs beside Breez SDK, CLN, LND, LDK, Phoenixd and other backend entries.

The Nostr relationship is mostly indirect. Greenlight does not make a timeline, profile client or relay browser. It matters when a wallet or app built on top of it exposes wallet actions to Nostr clients, often through Nostr Wallet Connect or through another payment interface that a Nostr product can call. If the app can create invoices, pay invoices or receive zaps, the end user may never see Greenlight, but Greenlight may still be the backend carrying the Lightning state.

This distinction protects the reader from overclaiming. A Greenlight-backed product is not automatically a NWC product. A NWC product is not automatically Greenlight-backed. The useful question is: what is the wallet engine behind the Nostr app, and which service signs, stores, routes and authorizes payment activity?

The project is still active

The public repository `Blockstream/greenlight` showed current activity when checked on June 13, 2026. GitHub API data reported 142 stars, 48 forks, 24 open issues, MIT licensing, creation in June 2021, a June 10, 2026 update and a June 10, 2026 push. Recent commits included signer and signerproxy work, including async conversion, dependency updates, invoice prefix handling and backup documentation.

The latest GitHub release from the API was `gl-sdk-v0.4.0`, published on May 21, 2026. The release notes state that `gl-sdk v0.4.0` was published to crates.io. The crates.io API showed `gl-sdk` at version `0.4.0`, with the description `High-level SDK for Greenlight with UniFFI language bindings` and repository link back to Blockstream's Greenlight repository.

That matters because older Greenlight references can look frozen if you only read launch-era blog posts. The service launched publicly years ago, but the repository and SDK line were still moving in 2026. For an app builder, that is good news and a reminder: check the release you are actually integrating, not only the press release that introduced the architecture.

The architecture has four moving parts

The Greenlight overview names the important concepts: nodes, authentication, signer and scheduler. Greenlight provisions and manages Core Lightning nodes on behalf of users, and those nodes expose the gRPC interface defined by CLN's gRPC proto. The goal is to interact with the node as if it were a local Core Lightning node, while the service handles scheduling and operation.

Authentication is built around mTLS identities. The docs say all communication channels are authenticated and encrypted with mutual TLS, and that each client receives a private key and matching certificate. Developer identities can register or recover Greenlight nodes, while device identities authenticate applications to a single node. Device private keys are generated locally and stay on the user's device.

The signer is the sensitive component. It manages private information, proves node ownership during registration and recovery, and processes signature requests from the node. The scheduler tracks where nodes are running and starts them on demand. This structure is why Greenlight can feel like a managed service without matching the risk profile of a simple custodial account.

The signer is the real security boundary

The security docs make the signer central. They describe a model where an attacker may gain access to node infrastructure but not the client or signer. The goal is to prevent access to funds by checking authorization both at the node level and the signer level. This is the heart of Greenlight's non-custodial claim: the hosted node should not be enough to spend funds without the signer.

Greenlight's docs also acknowledge a subtle authority issue. The Greenlight team controls the mTLS certificate hierarchy and could create a bogus client certificate, so the signer cannot rely only on that hierarchy. Instead, the signer uses its own authorization checks. The docs describe runes and client identities as part of how the signer verifies whether a client is allowed to perform an operation.

For Nostr builders, that means the payment safety story lives below the app interface. A Nostr app may ask for a payment through NWC. A wallet layer may forward that request to a Greenlight-backed node. The signer still needs to understand whether the requested operation is authorized. If the app UI says the user controls funds, the implementation must preserve that control all the way down to signer policy.

Greenlight is cloud convenience with dependency risk

The convenience is real. A developer does not need to run a full fleet of Lightning nodes, watchtowers, Bitcoin backends and backup systems from scratch. Blockstream's launch materials described Greenlight as a way to offload the complexities of operating Lightning nodes while keeping keys in the user's control. Breez SDK Greenlight materials describe on-demand nodes, built-in LSP support, on-chain interoperability, LNURL functionality and real-time state backup.

The dependency is also real. If Blockstream's service is unavailable, if developer certificates fail, if a scheduler cannot locate or start a node, if an API changes, if an LSP path breaks, or if the app's signer cannot communicate, the user's payment experience can fail. That is not custody risk in the simple hosted-wallet sense, but it is operational reliance.

This matters for Nostr because social payments are expected to feel instant. A failed zap can look like a client bug, a relay problem, a wallet problem or a Greenlight service problem. The reader should not care about the logo first. The reader should care whether the app exposes enough status, logs and retry behavior to know which layer failed.

Breez SDK Greenlight is related, not identical

Breez SDK Greenlight is one of the most visible Greenlight integrations. Its documentation describes a cloud-based Lightning integration using Blockstream's Greenlight nodes on demand, with a signer inside the integrating app and each end user having an individual node hosted on Greenlight infrastructure. It also lists built-in LSP, watchtower, LNURL, multi-app, multi-device and real-time backup features.

That does not make Greenlight the same thing as Breez SDK. Greenlight is the node service and SDK infrastructure from Blockstream. Breez SDK Greenlight is a developer payment stack that uses Greenlight under the Breez SDK umbrella. The current Breez product line has moved attention toward Spark and Liquid, while the Greenlight branch still has its own repository and release history.

The GitHub API for `breez/breez-sdk-greenlight` showed a June 12, 2026 push and latest release `0.8.0` from May 20, 2025. That is a different cadence from `Blockstream/greenlight` itself. If a Nostr wallet says it uses Breez and Greenlight, ask which repository, SDK version and payment path it actually uses.

NWC needs another layer of permission design

Greenlight by itself is not NIP-47. Nostr Wallet Connect is a protocol for app-to-wallet requests over Nostr relays. A Greenlight-backed wallet can participate when an application or wallet service exposes NWC on top of it. In that arrangement, NWC permissions sit above the Greenlight signer and node model.

This layering is useful but easy to misunderstand. The Nostr app should not receive broad Greenlight credentials. It should receive a scoped wallet connection that can do only what the user intended. The wallet service then talks to Greenlight or the signer as needed. If the NWC layer is broad and the signer layer is broad, a friendly social app may gain too much practical payment authority.

The clean design is narrow at every layer. The Nostr app gets a limited connection. The wallet service maps only supported methods. The signer verifies authorization. The Greenlight node does the Lightning work. Logs show enough to diagnose failure without leaking secrets. Anything else turns a powerful architecture into a blurry permission stack.

A practical example is a zap client. It may only need to pay invoices up to a small limit and read enough response state to show success. It does not need developer credentials, node recovery authority or broad signer access. Keeping those layers separate is how Greenlight can help Nostr without becoming an invisible super-permission behind every payment button.

Authentication is not a detail

Greenlight's docs emphasize identities, certificates and mutual TLS because the service has to separate developer authority, device authority and node authority. Developer identities are used for actions such as registration and recovery. Device identities are used by applications to authenticate to single Greenlight nodes. The private key for the device identity is generated locally and does not leave the device.

For a normal user, that may sound invisible. For a builder, it is the whole access model. If identities are misplaced, over-shared, logged or bundled into the wrong app context, the non-custodial architecture can be weakened. If recovery paths are unclear, a lost phone or broken app install may become a support incident rather than a simple login reset.

A Nostr app that uses a Greenlight-backed wallet should treat certificates and connection URLs like payment credentials. They should not be pasted into support chats, screenshots or analytics events. They should not be reused across unrelated apps without a reason. They should have a revocation or replacement path the user can understand.

Backups have to include signer state

The signer backup documentation is unusually important. It says Greenlight signers can keep a local copy of VLS signer state for disaster recovery, but backups are opt-in and disabled by default. Those backups can be converted into CLN `recoverchannel` input if the Greenlight node is lost. That is not an optional footnote for serious payment use.

The docs describe backup strategies such as new-channel snapshots and periodic snapshots. They also warn that CLN recovery should be a last resort when the Greenlight node is lost, because running recovery in parallel with an active Greenlight node risks funds. Missing signer-state entries can make channels incomplete. These are operational facts, not marketing details.

For Nostr readers, the lesson is simple: a Greenlight-backed wallet can feel lightweight, but it still depends on Lightning channel state. Before meaningful balances, check whether signer backups are enabled, where they are stored, how they are inspected, how incomplete channels are reported and who can perform recovery. A social payment wallet still needs a recovery plan.

Testing is built into the developer story

Greenlight's testing documentation is a good sign because it acknowledges that production service calls are not the right way to test every app change. The `gl-testing` framework gives developers a local mock of Greenlight services, based on pyln-testing, with the ability to construct Lightning networks, start Greenlight-style nodes, create invoices and run repeatable tests.

The testing docs are candid about complexity. They mention Docker, protocol buffers, Rust, Python packages and Core Lightning versions. This is not a toy SDK where the only test is whether a button turns green. It is payment infrastructure, and the test harness reflects that. A builder should use that harness before letting a Nostr app request wallet actions from real users.

For product teams, the most useful tests are end-to-end. Register a client. Start a node. Create an invoice. Pay it. Simulate service delay. Restart the signer. Break the relay if NWC is involved. Rotate credentials. Try recovery. Confirm that the app shows understandable errors. Greenlight can hide node operation from end users, but builders still need to test the hidden machinery.

Greenlight changes who operates the node

Self-hosted CLN asks the operator to care about the node process, machine, firewall, Bitcoin backend, database, channels and plugins. Greenlight moves much of that to Blockstream. That can be exactly what an app developer needs. A wallet can offer self-custodial Lightning behavior without building a complete node-hosting business.

The tradeoff is that the service operator becomes part of the payment path. Blockstream may not hold the spending keys, but it still operates infrastructure that affects uptime, scheduling, node state, logs and service policy. The user or app must trust that the service will be available and that the signer model is implemented correctly. That is a different trust shape from both custodial wallets and fully self-hosted nodes.

The right reader question is not whether Greenlight is good or bad. It is whether this trust shape matches the use case. For a small embedded wallet, the convenience may be worth it. For a high-value merchant or a privacy-critical service, fully self-hosted CLN or another architecture may fit better. Greenlight gives a middle path, and middle paths need precise language.

Privacy depends on app behavior

Greenlight's non-custodial model does not automatically make every integration private. The service can still observe infrastructure-level metadata. The application can still collect usage data. A NWC relay can still observe request timing. A Lightning payment can still reveal invoice, routing or channel-related information. The signer protects spending authority; it does not erase every metadata path.

This matters in Nostr because social payment metadata can become social graph metadata. If a client zaps posts through a Greenlight-backed wallet, the app may know which events triggered payments. The relay may see wallet-connect timing. The backend may see node activity. The recipient may see payment receipts. The design should minimize unnecessary correlation rather than pretending it is impossible.

A careful app separates identity, wallet and analytics as much as possible. It avoids logging full connection strings. It uses scoped wallet permissions. It gives users control over relays where NWC is present. It explains whether the wallet is Greenlight-backed, hosted somewhere else or fully local. The privacy story improves when the user can see the boundary.

Service plans and access should be checked

Launch-era Greenlight materials described a developer console, self-service certificates and free-plan limits for on-demand nodes. Product access and pricing can change over time, so a current builder should check the Developer Console and Blockstream's live product page before committing an app. This is especially important if the app expects thousands of users or merchant-grade uptime.

A service-backed Lightning wallet can fail for business reasons as well as technical reasons. API access can be rate-limited. Plan limits can be reached. Certificates can expire or be mismanaged. A region or network can have availability issues. Support expectations can differ between hobby, beta and commercial use. None of that contradicts Greenlight's architecture; it is part of using any managed infrastructure.

For a Nostr product, plan limits should be part of launch readiness. If a creator app, marketplace or bot suddenly attracts users, does the Greenlight-backed wallet path scale? Are node activations fast enough? Is liquidity available? Is there a support contact? Can the app degrade gracefully if new nodes cannot be registered? Those questions should be answered before a public campaign.

Liquidity and LSP behavior still matter

Greenlight can reduce the operational burden of running a Lightning node, but it cannot repeal the economics of Lightning. Payments still need channel capacity, route reliability, inbound and outbound liquidity and fee handling. Breez SDK Greenlight materials mention a built-in Lightning Service Provider and channel automation because those pieces are needed to make an end-user wallet feel ready without asking the user to manually negotiate channels.

A Nostr app builder should not treat that as a decorative feature. If a social client or marketplace wants instant payments, it needs a plan for receiving liquidity, sending liquidity, channel opening, channel closing, failure retries and fees. The user may never see the LSP, but the user will feel it when a zap is delayed, an invoice cannot be paid or a first receive flow needs liquidity before it can work.

The right product language is specific. Does the integration use an LSP? Who provides it? Are channel fees visible? Are minimums and maximums shown before the payment attempt? Does the app tell users when a payment fails because of liquidity rather than because the recipient did something wrong? Greenlight can make the node easier to run, but a good wallet still has to explain liquidity when it affects the user.

The Developer Console is part of the deployment

The docs point developers to the Greenlight Developer Console for obtaining a developer identity. That identity is not just a signup artifact; it is part of how the application registers and recovers nodes. If a team builds a Nostr payment app on Greenlight, the console account, certificates, service plan and recovery process become production dependencies.

This changes team operations. Someone must know where developer credentials are stored, who can rotate them, how certificates are replaced, what happens when an employee leaves and how a staging environment differs from production. Payment infrastructure fails in ordinary administrative ways as often as in cryptographic ways. A lost certificate, expired credential or confused console account can break onboarding just as surely as a code bug.

For readers evaluating an app, this is the quiet business-risk layer. A tiny open-source client may be fine for experimentation, but if it runs user wallets through a developer account, the operator's discipline matters. Ask whether the app has a maintenance path, a way to contact operators, a public release process and a documented recovery story. Greenlight gives a developer platform; the app team still has to operate it responsibly.

Non-custodial needs precise wording

Greenlight is often described as non-custodial because the user-side signer controls the keys needed to spend. That is a meaningful distinction from a custodial Lightning balance. It lowers the risk that the service operator can simply sweep user funds. It also lowers the liability for app developers who do not want to hold user money.

The phrase should not be stretched past what it says. Non-custodial does not mean no service dependency, no metadata, no availability risk, no fee risk, no recovery risk or no trusted software. Blockstream operates important infrastructure. The app chooses signer behavior. The user or device stores sensitive material. The service and app still have to coordinate correctly for the wallet to work.

A reader should prefer products that say this plainly. The best Greenlight-backed wallet copy would say: your signing keys stay on your side; the Lightning node is hosted and operated through Greenlight; the app uses Greenlight APIs and certificates; payments still depend on service availability, liquidity and backup behavior. That is not weaker marketing. It is the kind of honesty that lets a user choose knowingly.

Product examples show the intended lane

Greenlight has appeared in several product contexts. Blockstream's own materials connect it to app developers who want Lightning integration. Breez SDK Greenlight used it as the managed node layer for an embedded wallet SDK. BTCPay Server's Breez plugin documentation frames Breez SDK and Greenlight as a way to enable Lightning for stores without hosting all infrastructure directly. Blockstream Green has also been discussed in connection with Greenlight-powered Lightning features.

These examples share a pattern. The end product wants Lightning payments, but the product team does not want every user to run a home node. Greenlight supplies a personal node architecture with managed operation. The app supplies user experience, signer handling and business logic. That is a strong fit for Nostr because many Nostr products are small teams that want payments but cannot build the entire backend themselves.

The examples also show why the integration details matter. A merchant plugin, a mobile wallet and a Nostr client have different failure surfaces. A merchant needs settlement clarity. A mobile wallet needs recovery and device migration. A Nostr client needs permission scoping, relay handling and zap UX. Greenlight is a backend option for all of them, but each product has to make a different promise to its users.

What to verify before using Greenlight

First verify the source. Read the current Blockstream product page, the Greenlight docs, the repository, the latest release and the package or crate version used by your app. Confirm whether the integration uses `Blockstream/greenlight` directly, Breez SDK Greenlight, Blockstream Green, BTCPay's Breez plugin or another wrapper. Similar labels can hide different operational paths.

Then verify the money path with tiny amounts. Register a node, start it, create an invoice, pay it, receive into it, restart the app, rotate or recover a device identity if possible, inspect signer logs and confirm backup behavior. If NWC is involved, create a limited connection, test one method at a time, revoke it and check that the app loses access.

Finally verify failure behavior. Disconnect the signer. Break network access. Delay the scheduler path. Use a stale certificate. Try an expired invoice. Simulate a relay outage if the Nostr layer is part of the wallet flow. The app should tell the user what happened without exposing secrets. Greenlight removes a lot of node operation from the user; it does not remove the need for honest failure states.

Who Greenlight fits best

Greenlight fits app builders who want self-custodial Lightning behavior without becoming full-time node operators. It fits wallets, merchant tools, community apps and Nostr products where each user should have a node-backed payment path but the app team does not want to run one monolithic custodial balance sheet. It also fits experiments that need Core Lightning semantics but simpler provisioning.

It is less suited to readers who want total independence from managed infrastructure. Greenlight keeps keys on the user side, but node hosting, scheduling and parts of operations remain service-backed. If your requirement is to control every process and database yourself, self-hosted CLN is the cleaner fit. If your requirement is the simplest possible wallet with no operational thinking, a hosted wallet may be easier, though it changes custody.

The reader takeaway is that Greenlight is a serious middle layer. It can make Lightning more usable for Nostr apps by moving node operation out of the app team's way while keeping spending authority away from the service operator. That strength depends on careful signer handling, clear app permissions, tested backups and transparent language about what Blockstream operates and what the user controls.

Sources worth opening

Read Blockstream's Greenlight product page, the Greenlight docs, the repository, release data and the Breez SDK Greenlight materials together. Greenlight is infrastructure, so the useful reading path is architecture, authentication, signer custody, backup, service dependency, testing and how a Nostr app delegates wallet access.

• Blockstream Greenlight product page
• Blockstream Lightning product page
• Blockstream Greenlight launch post
• Blockstream Greenlight developer preview post
• Blockstream Greenlight press release
• Early Greenlight architecture post
• Breez and Greenlight integration post
• Greenlight documentation overview
• Greenlight security documentation
• Greenlight signer backups documentation
• Greenlight client libraries documentation
• Greenlight testing documentation
• Blockstream/greenlight GitHub repository
• Blockstream/greenlight GitHub API metadata
• Blockstream/greenlight releases
• Greenlight gl-sdk v0.4.0 release
• gl-sdk crate
• Greenlight changelog
• Breez SDK Greenlight documentation
• breez/breez-sdk-greenlight repository
• Breez SDK Greenlight release 0.8.0
• BTCPay Server Breez plugin documentation
• Core Lightning website
• Core Lightning documentation
• ElementsProject/lightning repository
• Core Lightning gRPC documentation
• NIP-47 Nostr Wallet Connect
• nwc.dev
• Awesome NWC
• Blockstream Green wallet site
• Greenlight glossary reference
• No Bullshit Bitcoin Greenlight v0.2 note
• Blockworks Greenlight coverage
• Lightning BOLTs repository
• Bitcoin Core
• Greenlight Developer Console