Filing on behalf of the Lightning Piggy team. Lightning Piggy is a small ESP32-based hardware display wallet that uses NWC to show a user's balance, transactions, and receive QR on-device, read-only.
What works today
Primal NWC connections speak NIP-47 cleanly — get_balance, list_transactions, encrypted messaging via NIP-04 all work end-to-end with Lightning Piggy. We verified this on hardware against a Spark-backed Primal account: balance fetch, transaction list, and lud16 static-receive-code derivation all succeed.
What doesn't
get_balance returns the NWC connection's spend budget (whatever the user picked when creating the connection — e.g. 1000 sats), not the actual wallet balance. NIP-47's spec is consistent with this interpretation ("balance the connection has access to"), and it's the right call when the connection has spend permission — limiting visibility limits exfiltration risk if the secret leaks.
But it makes the connection unusable for read-only display devices, which is one of the primary use cases NWC enables. A user asks "how much is in my wallet?" and the device shows their NWC budget, not their balance. They get confused, or they have to set the budget unrealistically high to make balance display work, which compromises the security model the budget was meant to provide.
Ask
Allow creating a Primal NWC connection that:
- Has no spend permission (no
pay_invoice, pay_keysend, make_invoice, multi_pay_invoice)
- Therefore has no budget concept (nothing to budget — it can't spend)
- Returns the actual wallet balance from
get_balance
- Returns the actual transaction history from
list_transactions
UX-wise this might be a "Read-only" toggle in the NWC connection setup screen, or a separate "Display wallet" preset. The user opts into surfacing real balance to the connection's holder, in exchange for the connection being unable to move funds.
Why this matters for the ecosystem
Lightning Piggy isn't the only display wallet — anything that wants to show a Primal/Spark balance over NWC has the same problem (LNbits viewer apps, dashboard widgets, e-paper displays, etc.). A read-only connection mode would unlock the entire "monitor my Bitcoin balance on a small device" use case for Primal users.
Cashu wallets, LNbits, and Alby (with budget unset) already let read-only NWC clients see real balance. Primal/Spark is currently the outlier.
Workaround we recommend today
Set the NWC budget to something high (e.g. 1M sats), trust the device. Works but defeats the budget's security purpose.
Happy to discuss implementation tradeoffs or test against an early build if useful — we have a hardware test rig already exercising the existing NWC interface.
Filing on behalf of the Lightning Piggy team. Lightning Piggy is a small ESP32-based hardware display wallet that uses NWC to show a user's balance, transactions, and receive QR on-device, read-only.
What works today
Primal NWC connections speak NIP-47 cleanly —
get_balance,list_transactions, encrypted messaging via NIP-04 all work end-to-end with Lightning Piggy. We verified this on hardware against a Spark-backed Primal account: balance fetch, transaction list, andlud16static-receive-code derivation all succeed.What doesn't
get_balancereturns the NWC connection's spend budget (whatever the user picked when creating the connection — e.g. 1000 sats), not the actual wallet balance. NIP-47's spec is consistent with this interpretation ("balance the connection has access to"), and it's the right call when the connection has spend permission — limiting visibility limits exfiltration risk if the secret leaks.But it makes the connection unusable for read-only display devices, which is one of the primary use cases NWC enables. A user asks "how much is in my wallet?" and the device shows their NWC budget, not their balance. They get confused, or they have to set the budget unrealistically high to make balance display work, which compromises the security model the budget was meant to provide.
Ask
Allow creating a Primal NWC connection that:
pay_invoice,pay_keysend,make_invoice,multi_pay_invoice)get_balancelist_transactionsUX-wise this might be a "Read-only" toggle in the NWC connection setup screen, or a separate "Display wallet" preset. The user opts into surfacing real balance to the connection's holder, in exchange for the connection being unable to move funds.
Why this matters for the ecosystem
Lightning Piggy isn't the only display wallet — anything that wants to show a Primal/Spark balance over NWC has the same problem (LNbits viewer apps, dashboard widgets, e-paper displays, etc.). A read-only connection mode would unlock the entire "monitor my Bitcoin balance on a small device" use case for Primal users.
Cashu wallets, LNbits, and Alby (with budget unset) already let read-only NWC clients see real balance. Primal/Spark is currently the outlier.
Workaround we recommend today
Set the NWC budget to something high (e.g. 1M sats), trust the device. Works but defeats the budget's security purpose.
Happy to discuss implementation tradeoffs or test against an early build if useful — we have a hardware test rig already exercising the existing NWC interface.