The zap tunnel can always just give it's own invoices if it wants to steal. You can't really prevent that
couldn’t that be prevented with a MAC from the destination on the invoice?
Please Login to reply.
Lnurl doesn't really support anything like that
Looks like LUD 12 allows a comment where one could put a MAC associated with an invoice & nsec-derived key. nostr client could verify with the mac that the invoice came from a particular npub
