SatGate Logo

SatGate™ Gateway vs Aperture

Enterprise-grade API protection and payments for the Agent Economy

SatGate™ Gateway Documentation

Executive Summary

Aperture (Lightning Labs)

Focus: L402 payments only

Target: Developers, hobbyists

Status: Community maintained, limited updates

Lightning: LND only

SatGate Gateway

Focus: Protection + Payments ("Protect & Pay")

Target: Enterprise, AI/Agent platforms

Status: Active development

Lightning: Phoenixd, LND, CLN, Alby, LNbits, Strike

Feature Comparison

Feature Aperture SatGate Gateway
L402 Lightning Payments
Capability Tokens (no payment)
Chargeback/Showback Mode
Fiat402 (JWT receipts)
Multi-tenant Isolation
Token Governance (ban/lineage)
Admin Dashboard UI
SCIM 2.0 Provisioning
GitOps Signed Configs
Audit Logging (WORM)
Budget Management
Rate Limiting Basic Per-route, Redis HA
mTLS to Upstreams
Circuit Breaker
Prometheus Metrics Basic Full observability
Helm Chart Community Official
Client SDKs Go only Go, Node.js, Python
Supply Chain Security Cosign, SBOM, attestations

Architecture Comparison

🟠 Aperture

┌─────────────────────────────────┐
│          APERTURE               │
├─────────────────────────────────┤
│  ┌──────────────┐               │
│  │   L402 Proxy │               │
│  │  (pay only)  │               │
│  └──────────────┘               │
│         │                       │
│  ┌──────┴──────┐                │
│  │  LND only   │                │
│  │  (coupled)  │                │
│  └─────────────┘                │
└─────────────────────────────────┘

🟢 SatGate Gateway

┌─────────────────────────────────┐
│       SATGATE GATEWAY           │
├─────────────────────────────────┤
│  Protection │ Payments │ Gov    │
│  (Capability)│(L402/Fiat)│(Audit)│
├─────────────────────────────────┤
│  Pluggable Lightning Providers  │
│  Phoenixd│LND│CLN│Alby│Strike   │
├─────────────────────────────────┤
│  Enterprise Infrastructure      │
│  Postgres│Redis│Prometheus│SCIM │
└─────────────────────────────────┘

Key Benefits of SatGate Gateway

🛡️ Protection by Default

  • Start with capability tokens (API security)
  • No procurement friction - payments optional
  • Add monetization when business model proven
  • Aperture forces payment decision upfront

🔐 Enterprise Security

  • Tamper-evident audit logs with hash chains
  • Token ban/revocation capabilities
  • Token lineage tracking for compliance
  • SCIM 2.0 user provisioning
  • Signed config enforcement via GitOps
  • WORM export for regulatory compliance

💰 Flexible Payment Modes

  • Capability: Free but authenticated
  • Chargeback: Metered, billed internally
  • L402: Pay-per-request with Lightning
  • Fiat402: JWT receipts, enterprise billing
  • Per-route payment policy configuration

🏢 Multi-Tenant Design

  • Full tenant isolation out of the box
  • Per-tenant budgets and quotas
  • Trusted proxy header enforcement
  • Aperture: Single tenant only

⚙️ Operational Excellence

  • Full Admin Dashboard UI
  • Config generator (YAML, Helm, Env)
  • Preflight enterprise readiness checks
  • One-click support bundle diagnostics
  • Documented backup/restore runbooks

⚡ Lightning Flexibility

  • Phoenixd (recommended for simplicity)
  • LND (full node)
  • Core Lightning (CLN)
  • Alby (custodial)
  • LNbits, Strike, and more

When to Use Each

Use Case Recommended
Simple hobby project with LND Either
Quick L402 demo Either
Enterprise API monetization SatGate Gateway
Multi-tenant SaaS platform SatGate Gateway
AI Agent authentication SatGate Gateway
FinOps / chargeback tracking SatGate Gateway
Compliance requirements (SOC2, audit) SatGate Gateway
Production deployment with SLAs SatGate Gateway

Migration from Aperture

Drop-in Compatible Configuration

Aperture config:
services:
  - name: myapi
    price: 100
SatGate Gateway equivalent:
routes:
  - name: myapi
    match:
      pathPrefix: /
    upstream: http://myapi:8080
    policy:
      kind: l402
      priceSats: 100
💡 Wire Compatibility: SatGate maintains L402 wire compatibility—existing macaroon clients work unchanged. You can migrate incrementally, route by route.

Configuration Examples

Flexible Per-Route Policies

routes:
  # Free tier - authenticated but no payment
  - name: free-api
    match: { pathPrefix: /api/v1/free }
    upstream: http://api:8080
    policy:
      kind: capability
      scopes: [api:read]

  # Internal chargeback - metered for FinOps
  - name: internal-api
    match: { pathPrefix: /api/v1/internal }
    upstream: http://api:8080
    policy:
      kind: pay
      pay:
        mode: chargeback
        price: 10
        unit: credits
        costCenterHeader: X-Cost-Center
        enforceBudget: true

  # Premium - pay with Lightning
  - name: premium-api
    match: { pathPrefix: /api/v1/premium }
    upstream: http://api:8080
    policy:
      kind: pay
      pay:
        mode: l402
        price: 100
        unit: sats