Add Cashu blind signature access tokens (NIP-XX draft)

Implements privacy-preserving bearer tokens for relay access control using
Cashu-style blind signatures. Tokens prove whitelist membership without
linking issuance to usage.

Features:
- BDHKE crypto primitives (HashToCurve, Blind, Sign, Unblind, Verify)
- Keyset management with weekly rotation
- Token format with kind permissions and scope isolation
- Generic issuer/verifier with pluggable authorization
- HTTP endpoints: POST /cashu/mint, GET /cashu/keysets, GET /cashu/info
- ACL adapter bridging ORLY's access control to Cashu AuthzChecker
- Stateless revocation via ACL re-check on each token use
- Two-token rotation for seamless renewal (max 2 weeks after blacklist)

Configuration:
- ORLY_CASHU_ENABLED: Enable Cashu tokens
- ORLY_CASHU_TOKEN_TTL: Token validity (default: 1 week)
- ORLY_CASHU_SCOPES: Allowed scopes (relay, nip46, blossom, api)
- ORLY_CASHU_REAUTHORIZE: Re-check ACL on each verification

Files:
- pkg/cashu/bdhke/: Core blind signature cryptography
- pkg/cashu/keyset/: Keyset management and rotation
- pkg/cashu/token/: Token format with kind permissions
- pkg/cashu/issuer/: Token issuance with authorization
- pkg/cashu/verifier/: Token verification with middleware
- pkg/interfaces/cashu/: AuthzChecker, KeysetStore interfaces
- pkg/bunker/acl_adapter.go: ORLY ACL integration
- app/handle-cashu.go: HTTP endpoints
- docs/NIP-XX-CASHU-ACCESS-TOKENS.md: Full specification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

pkg/cashu/verifier/middleware.go

@@ -0,0 +1,138 @@
+package verifier
+
+import (
+	"context"
+	"net/http"
+
+	"next.orly.dev/pkg/cashu/token"
+)
+
+// ContextKey is the type for context keys.
+type ContextKey string
+
+const (
+	// TokenContextKey is the context key for the verified token.
+	TokenContextKey ContextKey = "cashu_token"
+
+	// PubkeyContextKey is the context key for the user's pubkey.
+	PubkeyContextKey ContextKey = "cashu_pubkey"
+)
+
+// TokenFromContext extracts the verified token from the request context.
+func TokenFromContext(ctx context.Context) *token.Token {
+	if tok, ok := ctx.Value(TokenContextKey).(*token.Token); ok {
+		return tok
+	}
+	return nil
+}
+
+// PubkeyFromContext extracts the user's pubkey from the request context.
+func PubkeyFromContext(ctx context.Context) []byte {
+	if pubkey, ok := ctx.Value(PubkeyContextKey).([]byte); ok {
+		return pubkey
+	}
+	return nil
+}
+
+// Middleware creates an HTTP middleware that verifies Cashu tokens.
+func Middleware(v *Verifier, requiredScope string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			tok, err := v.VerifyRequest(r.Context(), r, requiredScope)
+			if err != nil {
+				writeError(w, err)
+				return
+			}
+
+			// Add token and pubkey to context
+			ctx := context.WithValue(r.Context(), TokenContextKey, tok)
+			ctx = context.WithValue(ctx, PubkeyContextKey, tok.Pubkey)
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// MiddlewareForKind creates middleware that also checks kind permission.
+func MiddlewareForKind(v *Verifier, requiredScope string, kind int) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			tok, err := v.VerifyRequestForKind(r.Context(), r, requiredScope, kind)
+			if err != nil {
+				writeError(w, err)
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), TokenContextKey, tok)
+			ctx = context.WithValue(ctx, PubkeyContextKey, tok.Pubkey)
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// OptionalMiddleware creates middleware that verifies tokens if present,
+// but allows requests without tokens to proceed.
+func OptionalMiddleware(v *Verifier, requiredScope string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			tok, err := v.VerifyRequest(r.Context(), r, requiredScope)
+			if err == nil {
+				// Token present and valid - add to context
+				ctx := context.WithValue(r.Context(), TokenContextKey, tok)
+				ctx = context.WithValue(ctx, PubkeyContextKey, tok.Pubkey)
+				r = r.WithContext(ctx)
+			} else if err != ErrMissingToken {
+				// Token present but invalid - reject
+				writeError(w, err)
+				return
+			}
+			// No token or valid token - proceed
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// writeError writes an appropriate HTTP error response.
+func writeError(w http.ResponseWriter, err error) {
+	switch err {
+	case ErrMissingToken:
+		http.Error(w, "Missing token", http.StatusUnauthorized)
+	case ErrTokenExpired:
+		http.Error(w, "Token expired", http.StatusGone)
+	case ErrUnknownKeyset:
+		http.Error(w, "Unknown keyset", http.StatusMisdirectedRequest)
+	case ErrInvalidSignature:
+		http.Error(w, "Invalid signature", http.StatusUnauthorized)
+	case ErrScopeMismatch:
+		http.Error(w, "Scope mismatch", http.StatusForbidden)
+	case ErrKindNotPermitted:
+		http.Error(w, "Kind not permitted", http.StatusForbidden)
+	case ErrAccessRevoked:
+		http.Error(w, "Access revoked", http.StatusForbidden)
+	default:
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+	}
+}
+
+// RequireToken is a helper that extracts and verifies a token inline.
+// Returns the token or writes an error response and returns nil.
+func RequireToken(v *Verifier, w http.ResponseWriter, r *http.Request, requiredScope string) *token.Token {
+	tok, err := v.VerifyRequest(r.Context(), r, requiredScope)
+	if err != nil {
+		writeError(w, err)
+		return nil
+	}
+	return tok
+}
+
+// RequireKind is a helper that also checks kind permission inline.
+func RequireKind(v *Verifier, w http.ResponseWriter, r *http.Request, requiredScope string, kind int) *token.Token {
+	tok, err := v.VerifyRequestForKind(r.Context(), r, requiredScope, kind)
+	if err != nil {
+		writeError(w, err)
+		return nil
+	}
+	return tok
+}

pkg/cashu/verifier/verifier.go

@@ -0,0 +1,186 @@
+// Package verifier implements Cashu token verification with optional re-authorization.
+package verifier
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/decred/dcrd/dcrec/secp256k1/v4"
+
+	"next.orly.dev/pkg/cashu/bdhke"
+	"next.orly.dev/pkg/cashu/keyset"
+	"next.orly.dev/pkg/cashu/token"
+	cashuiface "next.orly.dev/pkg/interfaces/cashu"
+)
+
+// Errors.
+var (
+	ErrTokenExpired      = errors.New("verifier: token expired")
+	ErrUnknownKeyset     = errors.New("verifier: unknown keyset")
+	ErrInvalidSignature  = errors.New("verifier: invalid signature")
+	ErrScopeMismatch     = errors.New("verifier: scope mismatch")
+	ErrKindNotPermitted  = errors.New("verifier: kind not permitted")
+	ErrAccessRevoked     = errors.New("verifier: access revoked")
+	ErrMissingToken      = errors.New("verifier: missing token")
+)
+
+// Config holds verifier configuration.
+type Config struct {
+	// Reauthorize enables re-checking authorization on each verification.
+	// This provides "stateless revocation" at the cost of an extra check.
+	Reauthorize bool
+}
+
+// DefaultConfig returns sensible default configuration.
+func DefaultConfig() Config {
+	return Config{
+		Reauthorize: true, // Enable stateless revocation by default
+	}
+}
+
+// Verifier validates Cashu tokens and checks permissions.
+type Verifier struct {
+	keysets        *keyset.Manager
+	authz          cashuiface.AuthzChecker
+	claimValidator cashuiface.ClaimValidator
+	config         Config
+}
+
+// New creates a new verifier.
+func New(keysets *keyset.Manager, authz cashuiface.AuthzChecker, config Config) *Verifier {
+	return &Verifier{
+		keysets: keysets,
+		authz:   authz,
+		config:  config,
+	}
+}
+
+// SetClaimValidator sets an optional claim validator.
+func (v *Verifier) SetClaimValidator(cv cashuiface.ClaimValidator) {
+	v.claimValidator = cv
+}
+
+// Verify validates a token's cryptographic signature and checks expiry.
+func (v *Verifier) Verify(ctx context.Context, tok *token.Token, remoteAddr string) error {
+	// Basic validation
+	if err := tok.Validate(); err != nil {
+		return err
+	}
+
+	// Check expiry
+	if tok.IsExpired() {
+		return ErrTokenExpired
+	}
+
+	// Find keyset
+	ks := v.keysets.FindByID(tok.KeysetID)
+	if ks == nil {
+		return fmt.Errorf("%w: %s", ErrUnknownKeyset, tok.KeysetID)
+	}
+
+	// Verify signature
+	valid, err := v.verifySignature(tok, ks)
+	if err != nil {
+		return fmt.Errorf("verifier: signature check failed: %w", err)
+	}
+	if !valid {
+		return ErrInvalidSignature
+	}
+
+	// Re-check authorization if enabled
+	if v.config.Reauthorize && v.authz != nil {
+		if err := v.authz.CheckAuthorization(ctx, tok.Pubkey, tok.Scope, remoteAddr); err != nil {
+			return fmt.Errorf("%w: %v", ErrAccessRevoked, err)
+		}
+	}
+
+	return nil
+}
+
+// VerifyForScope verifies a token and checks that it has the required scope.
+func (v *Verifier) VerifyForScope(ctx context.Context, tok *token.Token, requiredScope string, remoteAddr string) error {
+	if err := v.Verify(ctx, tok, remoteAddr); err != nil {
+		return err
+	}
+
+	if !tok.MatchesScope(requiredScope) {
+		return fmt.Errorf("%w: expected %s, got %s", ErrScopeMismatch, requiredScope, tok.Scope)
+	}
+
+	return nil
+}
+
+// VerifyForKind verifies a token and checks that the specified kind is permitted.
+func (v *Verifier) VerifyForKind(ctx context.Context, tok *token.Token, kind int, remoteAddr string) error {
+	if err := v.Verify(ctx, tok, remoteAddr); err != nil {
+		return err
+	}
+
+	if !tok.IsKindPermitted(kind) {
+		return fmt.Errorf("%w: kind %d", ErrKindNotPermitted, kind)
+	}
+
+	return nil
+}
+
+// verifySignature checks the BDHKE signature.
+func (v *Verifier) verifySignature(tok *token.Token, ks *keyset.Keyset) (bool, error) {
+	// Parse signature as curve point
+	C, err := secp256k1.ParsePubKey(tok.Signature)
+	if err != nil {
+		return false, fmt.Errorf("invalid signature format: %w", err)
+	}
+
+	// Verify: C == k * HashToCurve(secret)
+	return bdhke.Verify(tok.Secret, C, ks.PrivateKey)
+}
+
+// ExtractFromRequest extracts and parses a token from an HTTP request.
+// Checks headers in order: X-Cashu-Token, Authorization (Cashu scheme).
+func (v *Verifier) ExtractFromRequest(r *http.Request) (*token.Token, error) {
+	// Try X-Cashu-Token header first
+	if header := r.Header.Get("X-Cashu-Token"); header != "" {
+		return token.ParseFromHeader(header)
+	}
+
+	// Try Authorization header
+	if header := r.Header.Get("Authorization"); header != "" {
+		return token.ParseFromHeader(header)
+	}
+
+	return nil, ErrMissingToken
+}
+
+// VerifyRequest extracts, parses, and verifies a token from an HTTP request.
+func (v *Verifier) VerifyRequest(ctx context.Context, r *http.Request, requiredScope string) (*token.Token, error) {
+	tok, err := v.ExtractFromRequest(r)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := v.VerifyForScope(ctx, tok, requiredScope, r.RemoteAddr); err != nil {
+		return nil, err
+	}
+
+	return tok, nil
+}
+
+// VerifyRequestForKind extracts, parses, and verifies a token for a specific kind.
+func (v *Verifier) VerifyRequestForKind(ctx context.Context, r *http.Request, requiredScope string, kind int) (*token.Token, error) {
+	tok, err := v.ExtractFromRequest(r)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := v.VerifyForScope(ctx, tok, requiredScope, r.RemoteAddr); err != nil {
+		return nil, err
+	}
+
+	if !tok.IsKindPermitted(kind) {
+		return nil, fmt.Errorf("%w: kind %d", ErrKindNotPermitted, kind)
+	}
+
+	return tok, nil
+}

pkg/cashu/verifier/verifier_test.go

@@ -0,0 +1,396 @@
+package verifier
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/decred/dcrd/dcrec/secp256k1/v4"
+
+	"next.orly.dev/pkg/cashu/bdhke"
+	"next.orly.dev/pkg/cashu/issuer"
+	"next.orly.dev/pkg/cashu/keyset"
+	"next.orly.dev/pkg/cashu/token"
+	cashuiface "next.orly.dev/pkg/interfaces/cashu"
+)
+
+func setupVerifier() (*Verifier, *issuer.Issuer, *keyset.Manager) {
+	store := keyset.NewMemoryStore()
+	manager := keyset.NewManager(store, keyset.DefaultActiveWindow, keyset.DefaultVerifyWindow)
+	manager.Init()
+
+	issuerConfig := issuer.DefaultConfig()
+	iss := issuer.New(manager, cashuiface.AllowAllChecker{}, issuerConfig)
+
+	verifierConfig := DefaultConfig()
+	ver := New(manager, cashuiface.AllowAllChecker{}, verifierConfig)
+
+	return ver, iss, manager
+}
+
+func issueTestToken(iss *issuer.Issuer, scope string, kinds []int) (*token.Token, error) {
+	secret, err := bdhke.GenerateSecret()
+	if err != nil {
+		return nil, err
+	}
+
+	blindResult, err := bdhke.Blind(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	pubkey := make([]byte, 32)
+	for i := range pubkey {
+		pubkey[i] = byte(i)
+	}
+
+	req := &issuer.IssueRequest{
+		BlindedMessage: blindResult.B.SerializeCompressed(),
+		Pubkey:         pubkey,
+		Scope:          scope,
+		Kinds:          kinds,
+	}
+
+	resp, err := iss.Issue(context.Background(), req, "127.0.0.1")
+	if err != nil {
+		return nil, err
+	}
+
+	return issuer.BuildToken(resp, secret, blindResult.R, pubkey, scope, kinds, nil)
+}
+
+func TestVerifySuccess(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1, 2, 3})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	err = ver.Verify(context.Background(), tok, "127.0.0.1")
+	if err != nil {
+		t.Errorf("Verify failed: %v", err)
+	}
+}
+
+func TestVerifyExpired(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Expire the token
+	tok.Expiry = time.Now().Add(-time.Hour).Unix()
+
+	err = ver.Verify(context.Background(), tok, "127.0.0.1")
+	if err == nil {
+		t.Error("Verify should fail for expired token")
+	}
+}
+
+func TestVerifyInvalidSignature(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Corrupt the signature
+	tok.Signature[10] ^= 0xFF
+
+	err = ver.Verify(context.Background(), tok, "127.0.0.1")
+	if err == nil {
+		t.Error("Verify should fail for invalid signature")
+	}
+}
+
+func TestVerifyUnknownKeyset(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Change keyset ID
+	tok.KeysetID = "00000000000000"
+
+	err = ver.Verify(context.Background(), tok, "127.0.0.1")
+	if err == nil {
+		t.Error("Verify should fail for unknown keyset")
+	}
+}
+
+func TestVerifyForScope(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeNIP46, []int{24133})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Should pass for correct scope
+	err = ver.VerifyForScope(context.Background(), tok, token.ScopeNIP46, "127.0.0.1")
+	if err != nil {
+		t.Errorf("VerifyForScope failed for correct scope: %v", err)
+	}
+
+	// Should fail for wrong scope
+	err = ver.VerifyForScope(context.Background(), tok, token.ScopeRelay, "127.0.0.1")
+	if err == nil {
+		t.Error("VerifyForScope should fail for wrong scope")
+	}
+}
+
+func TestVerifyForKind(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1, 2, 3})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Should pass for permitted kind
+	err = ver.VerifyForKind(context.Background(), tok, 1, "127.0.0.1")
+	if err != nil {
+		t.Errorf("VerifyForKind failed for permitted kind: %v", err)
+	}
+
+	// Should fail for non-permitted kind
+	err = ver.VerifyForKind(context.Background(), tok, 100, "127.0.0.1")
+	if err == nil {
+		t.Error("VerifyForKind should fail for non-permitted kind")
+	}
+}
+
+func TestVerifyReauthorization(t *testing.T) {
+	store := keyset.NewMemoryStore()
+	manager := keyset.NewManager(store, keyset.DefaultActiveWindow, keyset.DefaultVerifyWindow)
+	manager.Init()
+
+	iss := issuer.New(manager, cashuiface.AllowAllChecker{}, issuer.DefaultConfig())
+
+	// Create verifier that denies authorization
+	config := DefaultConfig()
+	config.Reauthorize = true
+	ver := New(manager, cashuiface.DenyAllChecker{}, config)
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	// Should fail due to reauthorization check
+	err = ver.Verify(context.Background(), tok, "127.0.0.1")
+	if err == nil {
+		t.Error("Verify should fail when reauthorization fails")
+	}
+}
+
+func TestExtractFromRequest(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	encoded, _ := tok.Encode()
+
+	tests := []struct {
+		name   string
+		header string
+		value  string
+	}{
+		{"X-Cashu-Token", "X-Cashu-Token", encoded},
+		{"Authorization Cashu", "Authorization", "Cashu " + encoded},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "/", nil)
+			req.Header.Set(tt.header, tt.value)
+
+			extracted, err := ver.ExtractFromRequest(req)
+			if err != nil {
+				t.Fatalf("ExtractFromRequest failed: %v", err)
+			}
+
+			if extracted.KeysetID != tok.KeysetID {
+				t.Errorf("KeysetID mismatch: %s != %s", extracted.KeysetID, tok.KeysetID)
+			}
+		})
+	}
+}
+
+func TestExtractFromRequestMissing(t *testing.T) {
+	ver, _, _ := setupVerifier()
+
+	req := httptest.NewRequest("GET", "/", nil)
+
+	_, err := ver.ExtractFromRequest(req)
+	if err != ErrMissingToken {
+		t.Errorf("Expected ErrMissingToken, got %v", err)
+	}
+}
+
+func TestVerifyRequest(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	encoded, _ := tok.Encode()
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Cashu-Token", encoded)
+
+	verified, err := ver.VerifyRequest(context.Background(), req, token.ScopeRelay)
+	if err != nil {
+		t.Fatalf("VerifyRequest failed: %v", err)
+	}
+
+	if verified.KeysetID != tok.KeysetID {
+		t.Error("VerifyRequest returned wrong token")
+	}
+}
+
+func TestMiddleware(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	encoded, _ := tok.Encode()
+
+	// Handler that checks context
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxTok := TokenFromContext(r.Context())
+		if ctxTok == nil {
+			t.Error("Token not in context")
+		}
+		pubkey := PubkeyFromContext(r.Context())
+		if pubkey == nil {
+			t.Error("Pubkey not in context")
+		}
+		w.WriteHeader(http.StatusOK)
+	})
+
+	wrapped := Middleware(ver, token.ScopeRelay)(handler)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Cashu-Token", encoded)
+
+	rec := httptest.NewRecorder()
+	wrapped.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("Status = %d, want 200", rec.Code)
+	}
+}
+
+func TestMiddlewareUnauthorized(t *testing.T) {
+	ver, _, _ := setupVerifier()
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	wrapped := Middleware(ver, token.ScopeRelay)(handler)
+
+	// Request without token
+	req := httptest.NewRequest("GET", "/", nil)
+	rec := httptest.NewRecorder()
+	wrapped.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("Status = %d, want 401", rec.Code)
+	}
+}
+
+func TestOptionalMiddleware(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	encoded, _ := tok.Encode()
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	wrapped := OptionalMiddleware(ver, token.ScopeRelay)(handler)
+
+	// With token
+	req1 := httptest.NewRequest("GET", "/", nil)
+	req1.Header.Set("X-Cashu-Token", encoded)
+	rec1 := httptest.NewRecorder()
+	wrapped.ServeHTTP(rec1, req1)
+
+	if rec1.Code != http.StatusOK {
+		t.Errorf("With token: Status = %d, want 200", rec1.Code)
+	}
+
+	// Without token
+	req2 := httptest.NewRequest("GET", "/", nil)
+	rec2 := httptest.NewRecorder()
+	wrapped.ServeHTTP(rec2, req2)
+
+	if rec2.Code != http.StatusOK {
+		t.Errorf("Without token: Status = %d, want 200", rec2.Code)
+	}
+}
+
+func TestRequireToken(t *testing.T) {
+	ver, iss, _ := setupVerifier()
+
+	tok, err := issueTestToken(iss, token.ScopeRelay, []int{1})
+	if err != nil {
+		t.Fatalf("issueTestToken failed: %v", err)
+	}
+
+	encoded, _ := tok.Encode()
+
+	// With valid token
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Cashu-Token", encoded)
+	rec := httptest.NewRecorder()
+
+	result := RequireToken(ver, rec, req, token.ScopeRelay)
+	if result == nil {
+		t.Error("RequireToken should return token")
+	}
+
+	// Without token
+	req2 := httptest.NewRequest("GET", "/", nil)
+	rec2 := httptest.NewRecorder()
+
+	result2 := RequireToken(ver, rec2, req2, token.ScopeRelay)
+	if result2 != nil {
+		t.Error("RequireToken should return nil for missing token")
+	}
+	if rec2.Code != http.StatusUnauthorized {
+		t.Errorf("Status = %d, want 401", rec2.Code)
+	}
+}
+
+// Helper to parse point
+func mustParsePoint(data []byte) *secp256k1.PublicKey {
+	pk, err := secp256k1.ParsePubKey(data)
+	if err != nil {
+		panic(err)
+	}
+	return pk
+}