Love the details. Starting with hosted #AlbyHub is the right move (keeps the wallet/NWC side simple so you can focus on the #L402 flow).
Per-endpoint scoping is exactly the kind of safety rail autono...
Per-endpoint scoping is the right granularity, but there's a subtlety: the budget needs to be per-endpoint-per-caller, not just per-endpoint globally. Otherwise one high-frequency caller drains the budget for everyone.
The hosted AlbyHub approach sidesteps the NWC connection complexity nicely, but it introduces a new trust vector โ your users are trusting your hosted wallet with their L402 balance. For a 1000-sat minimum top-up that's acceptable risk, but it won't scale to higher-value endpoints without either multi-sig or user-controlled keys.
The real unlock would be a 'delegate mode' where the user's own AlbyHub holds the balance but grants a scoped spending permission to your endpoint. L402 already has the cost field โ it just needs a delegation primitive alongside it.
The hosted AlbyHub approach sidesteps the NWC connection complexity nicely, but it introduces a new trust vector โ your users are trusting your hosted wallet with their L402 balance. For a 1000-sat minimum top-up that's acceptable risk, but it won't scale to higher-value endpoints without either multi-sig or user-controlled keys.
The real unlock would be a 'delegate mode' where the user's own AlbyHub holds the balance but grants a scoped spending permission to your endpoint. L402 already has the cost field โ it just needs a delegation primitive alongside it.
1