New VLS v0.14.0 released : enhanced policy controls Learn more →
Apache Licensed & Open Source

Secure Lightning funds without taking custody

The VLS SDK keeps keys off-node and validates every Lightning action before signing, the only solution that does both. If your node is compromised, your funds stay safe.

Holding keys ≠ non-custodial. If their node can direct your signer (blind signing), that's shared custody. VLS is truly non-custodial.
Integrate VLS Get Integration Help

See VLS in action

250,000 sats
1k 500k
Use arrow keys for fine adjustment

Validation Results

VLS

Validates everything

Blind Signer

No validation checks

Difference: VLS validates every transaction is safe before signing, while a blind signer blindly approves everything, even risky requests that could drain funds.

Trusted by Lightning leaders

"VLS allowed Greenlight to be developed at breakneck speed, without the risk. It is the fundamental building block, and central to the non-custodial nature of Greenlight."

The Problem

Lightning has a security problem

Hot wallets are vulnerable

One breach can drain all funds. Keys stored on nodes create single points of failure.

Blind signing multiplies risk

Separates keys but signs any request. Still approves unsafe operations. Double the risk. Still custodial.

Custodial burden slows growth

Custodial obligations can slow iteration and limit market entry.

The Solution

VLS fixes this

Enterprise-grade security

Keys remain strictly off-node, can be secured on hardened devices and paired with customizable security policies.

Smart validation

Validate every operation before signing. Stay secure even if node is compromised.

Truly non-custodial

Users retain control. Reduce custodial risk and regulatory overhead.

From zero to validated signing

Choose your stack and follow three simple steps

2

Run quickstart

Local test environment with signer connection

Get Started
3

See validation

Confirm policy checks run and unsafe requests are blocked

Policy Examples

How VLS Compares

See the difference in security and custody models

Comparison of Lightning wallet security models. VLS is recommended for its superior security and non-custodial architecture.
Feature Recommended VLS Hot Wallet User Holds Keys
(aka Blind Signing)*
Keys Off-Node
Transaction Validation
Policy Enforcement
Non-Custodial Mix
Safe if Node is Compromised
Regulatory Compliance Low Burden High Burden High Burden
Security Enterprise Grade Weak Weakest

* Regulatory exposure varies by jurisdiction; consult counsel. Blind signing: User holds keys but doesn't validate transactions, blindly approving all requests from the provider's node, including potential theft of funds. This is how many wallets marketed as “non‑custodial” operate today.

Built for Every Lightning Use Case

Whether you're securing your own funds or building for customers

Secure Your Own Funds

While Maintaining Custody

Secure your Lightning funds with enterprise-grade security. Keep keys in a separate environment while maintaining full self-custody.

  • Skip years of security development and ship products faster
  • Grow channel balances from thousands to millions, without worrying about security
  • Custom policy rules, role-based approvals and audit trails tailored to your risk tolerance

Secure Customer Funds

Without Taking Custody

Build truly non-custodial Lightning wallets and services where only users can control their funds. Reduce your regulatory burden and increase user trust.

  • Avoid regulatory compliance headaches by never holding custody of user funds
  • Win institutional clients by showing their funds are safe
  • Enter jurisdictions with strict custody regulations faster

What's New

Recent VLS releases & improvements

v0.14.0

Dauntless Durga

Integrates lnrod into main workspace, adds BOLT12 signing support, improves monitoring, and upgrades dependencies for security and performance.

Release notes
v0.13.0

Celestial Citadel

Adds SimplePolicy config, LDK phase-2 support, and key handling fixes.

Release notes
v0.12.0

Benevolent Basilisk

Introduces LSS support, trusted oracle validation, and HSMD v6.

Release notes

View all releases

Common questions

What is VLS?

VLS (Validating Lightning Signer) keeps Lightning private keys off the node and validates every request before signing. If a node is compromised or misbehaves, VLS refuses the signature. Result: non‑custodial control, hot‑wallet speed and enterprise-grade security.

Related: Overview
What is blind signing (and why is it risky)?

Blind signing is when a signer produces signatures without validating what it signs. Separating keys from the node helps only if the signer enforces protocol and policy. Without validation, you get shared custody (the node can trick the signer)and two failure paths (node or signer).

Is a VLS setup truly non‑custodial?

Yes. Under the standard definition: only the user who holds keys with VLS can move funds. The node may propose updates, but the validating signer enforces policy and approves or rejects. A compromised node alone cannot move funds.

Which Lightning stacks are supported?

VLS ships reference integrations for CLN and LDK. LND and Eclair are not yet supported.

Related: Start with CLN + VLS, Start with LDK + VLS, Docker local sandbox
What's included in the VLS SDK?

Validating signer with policy engine, vlsd daemon/Docker, UTXO oracle (txood), Lightning Storage Server, and CLN/LDK integrations. Licensed Apache‑2.0 and open for audit.

Related: Source (GitLab)
How does VLS help growth?

Fewer custody incidents and less custom security code frees up time to ship features. Non‑custodial options powered by VLS attract users who won't deposit funds in custodial solutions. See Greenlight's case study.

See More

Ship non-custodial Lightning that can't be rugged

Join industry leaders who trust VLS to protect Lightning funds.

Apache-licensed & open source
Keys stay in your environment
Run locally (Docker or bare metal)
Audit anytime
Start CLN Integration Start LDK Integration Get Integration Help