Deploy sparkbtcbot-proxy

You are an expert in deploying and managing the sparkbtcbot-proxy — a serverless middleware that wraps the Spark Bitcoin L2 SDK behind authenticated REST endpoints on Vercel.

What This Proxy Does

Gives AI agents scoped wallet access without exposing the mnemonic:

• Role-based token auth (admin for full access, invoice for read + create invoices only)
• Token management via API — create, list, revoke without redeploying
• Per-transaction and daily spending caps
• Activity logging to Redis
• Lazy detection of paid Lightning invoices

What You Need

Ask the user for these upfront:

• Vercel API token (from https://vercel.com/account/tokens) and team ID (from dashboard URL or vercel teams ls)
• Upstash account email and API key (from https://console.upstash.com/account/api) — OR existing UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN if they already have a database
• BIP39 mnemonic for the Spark wallet (or generate one in step 3)
• Node.js 20+

Generated during setup (don't ask for these):

• UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN — created by the Upstash management API in step 2
• API_AUTH_TOKEN — generated in step 4

Step-by-Step Deployment

1. Clone and install

git clone https://github.com/echennells/sparkbtcbot-proxy.git
cd sparkbtcbot-proxy
npm install

2. Create Upstash Redis

If the user already has UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN, skip to step 3.

Otherwise, create a database via the Upstash API. The user needs their Upstash email and API key from https://console.upstash.com/account/api:

curl -X POST "https://api.upstash.com/v2/redis/database" \
  -u "UPSTASH_EMAIL:UPSTASH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "sparkbtcbot-proxy", "region": "global", "primary_region": "us-east-1"}'

Note: Regional database creation is deprecated. You must use "region": "global" with a "primary_region" field. The Upstash docs may not reflect this yet.

The response includes rest_url and rest_token — save these for step 5.

3. Generate a wallet mnemonic (if needed)

SparkWallet.initialize() returns { mnemonic, wallet } when called without a mnemonic. One-liner:

node -e "import('@buildonspark/spark-sdk').then(({SparkWallet}) => SparkWallet.initialize({mnemonicOrSeed: null, options: {network: 'MAINNET'}}).then(r => { console.log(r.mnemonic); r.wallet.cleanupConnections() }))"

Save the 12-word mnemonic securely — it controls all funds in the wallet. There is no getMnemonic() method; you can only retrieve the mnemonic at initialization time.

Or use any BIP39 mnemonic generator. 12 or 24 words.

4. Generate an API auth token

openssl rand -base64 30

5. Deploy to Vercel

First, create the project and get its ID:

curl -s -X POST "https://api.vercel.com/v10/projects?teamId=<TEAM_ID>" \
  -H "Authorization: Bearer <VERCEL_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name": "sparkbtcbot-proxy", "framework": "nextjs"}'

The response includes id (the project ID) — save it for the next steps.

Then set environment variables via the API. All 7 are required:

Important: Do NOT use vercel env add with heredoc/<<< input — it appends newlines that break the Spark SDK. Use the REST API:

curl -X POST "https://api.vercel.com/v10/projects/<PROJECT_ID>/env?teamId=<TEAM_ID>" \
  -H "Authorization: Bearer <VERCEL_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"type":"encrypted","key":"SPARK_MNEMONIC","value":"your mnemonic here","target":["production","preview","development"]}'

Repeat for each env var (use "type":"plain" for non-sensitive values like SPARK_NETWORK).

Then deploy using environment variables for reliable non-interactive deployment:

npm install -g vercel

VERCEL_ORG_ID=<TEAM_ID> VERCEL_PROJECT_ID=<PROJECT_ID> \
  vercel deploy --prod --yes --token <VERCEL_TOKEN>

Troubleshooting:

• ERESOLVE npm errors: Install vercel globally with npm install -g vercel instead of using npx
• "Project was deleted" errors: Remove stale config with rm -rf .vercel/ and retry
• "missing_scope" errors: Use the VERCEL_ORG_ID and VERCEL_PROJECT_ID env vars as shown above

6. Test

curl -H "Authorization: Bearer <your-token>" https://<your-deployment>.vercel.app/api/balance

Should return {"success":true,"data":{"balance":"0","tokenBalances":{}}}.

7. Create scoped tokens (optional)

Use the admin token to create limited tokens for agents:

curl -X POST -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"role": "invoice", "label": "my-agent"}' \
  https://<your-deployment>.vercel.app/api/tokens

The response includes the full token string — save it, it's only shown once. See the Token Roles section below for details.

API Routes

Token Roles

There are two token roles:

The API_AUTH_TOKEN env var is a hardcoded admin fallback — it always works even if Redis is down or tokens get wiped. Use it to bootstrap: create scoped tokens via the API, then hand those out to agents.

Managing tokens

Create an invoice-only token for a merchant bot:

curl -X POST -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"role": "invoice", "label": "merchant-bot"}' \
  https://<deployment>/api/tokens

List all tokens (shows prefixes, labels, roles — not full token strings):

curl -H "Authorization: Bearer <admin-token>" https://<deployment>/api/tokens

Revoke a token:

curl -X DELETE -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"token": "<full-token-string>"}' \
  https://<deployment>/api/tokens

Tokens are stored in Redis (hash spark:tokens). They survive redeploys but not Redis flushes.

L402 Paywall Support

The proxy can pay L402 Lightning paywalls automatically. Send a URL, and the proxy will:

1. Fetch the URL
2. If 402 returned, parse the invoice and macaroon
3. Pay the Lightning invoice
4. Retry the request with the L402 Authorization header
5. Return the protected content

Basic usage

curl -X POST -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://lightningfaucet.com/api/l402/joke"}' \
  https://<deployment>/api/l402

Handling pending payments (important for agents)

Lightning payments via Spark are asynchronous. The proxy polls for up to ~7.5 seconds, but if the preimage isn't available in time, it returns a pending status:

{
  "success": true,
  "data": {
    "status": "pending",
    "pendingId": "a1b2c3d4e5f6...",
    "message": "Payment sent but preimage not yet available. Poll GET /api/l402/status?id=<pendingId> to complete.",
    "priceSats": 21
  }
}

Your agent MUST handle this case. The payment has already been sent — if you don't poll for completion, you lose the sats without getting the content.

Retry loop (pseudocode):

response = POST /api/l402 { url: "..." }

if response.data.status == "pending":
    pendingId = response.data.pendingId
    for attempt in 1..10:
        sleep(3 seconds)
        status = GET /api/l402/status?id={pendingId}
        if status.data.status != "pending":
            return status.data  # Success or failure
    # Give up after ~30 seconds
    raise "L402 payment timed out"
else:
    return response.data  # Immediate success

Key points:

• Token caching: Paid L402 tokens are cached per-domain (up to 24 hours). Subsequent requests to the same domain reuse the cached token without paying again. If the token expires, the proxy pays for a new one automatically.
• Pending records expire after 1 hour
• The /api/l402/status endpoint polls Spark for up to 5 seconds per call
• If the payment failed on Spark's side, status will return an error
• Once complete, the pending record is deleted from Redis
• The proxy automatically retries the final fetch up to 3 times (200ms delay) if the response is empty — some servers don't return content immediately after payment

Common Operations

Rotate the admin fallback token

1. Generate a new token: openssl rand -base64 30
2. Update API_AUTH_TOKEN in Vercel env vars (via dashboard or API)
3. Redeploy:
   bashCopy

   VERCEL_ORG_ID=<TEAM_ID> VERCEL_PROJECT_ID=<PROJECT_ID> \
     vercel deploy --prod --yes --token <VERCEL_TOKEN>
   

4. Update any agents using the old token

Redis-stored tokens are not affected by this — they continue working.

Adjust spending limits

Update MAX_TRANSACTION_SATS and DAILY_BUDGET_SATS in Vercel env vars and redeploy:

VERCEL_ORG_ID=<TEAM_ID> VERCEL_PROJECT_ID=<PROJECT_ID> \
  vercel deploy --prod --yes --token <VERCEL_TOKEN>

Budget resets daily at midnight UTC.

Check logs

curl -H "Authorization: Bearer <token>" https://<deployment>/api/logs?limit=20

Architecture

• Vercel serverless functions — each request spins up, initializes the Spark SDK (~1.5s), handles the request, and shuts down. No always-on process, no billing when idle.
• Upstash Redis — stores daily spend counters, activity logs, pending invoice tracking, and API tokens. Accessed over HTTP REST (no persistent connection needed). Free tier is limited to 1 database.
• Spark SDK — @buildonspark/spark-sdk connects to Spark Signing Operators via gRPC over HTTP/2. Pure JavaScript, no native addons.
• Lazy invoice check — on every request, the middleware checks Redis for pending invoices and compares against recent wallet transfers. Expired invoices are cleaned up, paid ones are logged. Max 5 checks per request, wrapped in try/catch so failures never affect the main request.