chore(docs): improve docs on how payment works in v8

Author: Ansonhkg

docs/sdk/getting-started/auth-services.mdx

@@ -32,6 +32,25 @@ Lit hosts default Auth Service instances so you can build without deploying infr
   configuration.
 </Note>
 
+## Payment Delegation APIs
+
+The Auth Service also exposes lightweight endpoints that sponsor user requests on the network. These are the same APIs the Lit SDK calls when you use `litClient.authService.registerPayer` / `delegateUsers` from the Payment Manager guide.
+
+- `POST /register-payer`
+  - Headers: `x-api-key`.
+  - Behaviour: generates a random `payerSecretKey`, hashes it with the API key, and derives a child wallet from `LIT_DELEGATION_ROOT_MNEMONIC`.
+  - Response: `{ success, payerWalletAddress, payerSecretKey }`. The service **does not** persist the secret—you must store it securely (KMS, vault, etc.).
+  - Rotation: call the endpoint again with the same API key to rotate the secret and derive a new child wallet.
+- `POST /add-users`
+  - Headers: `x-api-key`, `payer-secret-key`; body is a JSON array of user addresses.
+  - Behaviour: recomputes the same child wallet on the fly and calls `PaymentManager.delegatePaymentsBatch` so the payer sponsors those users.
+
+<Tip>
+  Running the Auth Service yourself keeps the derivation mnemonic and payer secrets inside your infrastructure. The Lit-hosted instance is great for quick starts, but you remain responsible for storing the returned `payerSecretKey`.
+</Tip>
+
+If you prefer not to run an Auth Service at all, you can still sponsor users manually: create a payer wallet, fund it, and call `paymentManager.delegatePayments*` directly from your backend. See [Payment Manager Setup](/sdk/getting-started/payment-manager-setup#sponsoring-your-users-capacity-delegation-replacement) for sample code.
+
 
 ### Install the SDK
 

docs/sdk/getting-started/payment-manager-setup.mdx

@@ -1,6 +1,6 @@
 ---
-title: "Payment Manager Setup"
-description: "Configure payment system for the Lit JS SDK"
+title: 'Payment Manager Setup'
+description: 'Configure payment system for the Lit JS SDK'
 ---
 
 <Warning>
@@ -26,7 +26,7 @@ The Payment Manager demonstrates Lit Protocol's payment system - a billing syste
 - Encryption/Decryption - Secure data with programmable access control
 - PKP Signing - Cryptographic keys that can sign transactions based on conditions
 - Lit Actions - Serverless functions with cryptographic capabilities
-Similar to how you pay AWS for cloud computing, this\system ensures the decentralised network can sustain itself and pay node operators. You can deposit funds, request withdrawals with security delays, and manage balances for yourself or other users (enabling applications to sponsor their users' costs for better UX).
+  Similar to how you pay AWS for cloud computing, this\system ensures the decentralised network can sustain itself and pay node operators. You can deposit funds, request withdrawals with security delays, and manage balances for yourself or other users (enabling applications to sponsor their users' costs for better UX).
 
 <Steps>
   <Step title="Payment Manager Setup">
@@ -42,6 +42,7 @@ const litClient = await createLitClient({ network: nagaTest });
 const paymentManager = await litClient.getPaymentManager({
 account: yourAccount // viem account instance
 });
+
 ````
 
   </Step>
@@ -59,7 +60,7 @@ const { data: myAccount } = useWalletClient();
 
 ```typescript viem/accounts
 // 1. import the privateKeyToAccount function from viem/accounts
-import { privateKeyToAccount } from "viem/accounts";
+import { privateKeyToAccount } from 'viem/accounts';
 
 // 2. Convert your private key to a viem account object that can be used for payment operations.
 const myAccount = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`);
@@ -74,7 +75,7 @@ const myAccount = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`);
 ```typescript Deposit funds to your own account
 // 1. Deposit funds to your own account
 const result = await paymentManager.deposit({
-  amountInEth: "0.1",
+  amountInEth: '0.1',
 });
 
 console.log(`Deposit successful: ${result.hash}`);
@@ -84,8 +85,8 @@ console.log(`Deposit successful: ${result.hash}`);
 ```typescript Deposit for another user
 // 1. Deposit funds for another user
 const result = await paymentManager.depositForUser({
-  userAddress: "0x742d35Cc6638Cb49f4E7c9ce71E02ef18C53E1d5",
-  amountInEth: "0.05",
+  userAddress: '0x742d35Cc6638Cb49f4E7c9ce71E02ef18C53E1d5',
+  amountInEth: '0.05',
 });
 
 console.log(`Deposit successful: ${result.hash}`);
@@ -97,12 +98,84 @@ console.log(`Deposit successful: ${result.hash}`);
 
 </Steps>
 
+## Sponsoring Your Users (Capacity Delegation Replacement)
+
+If your app previously minted Capacity Credits and handed users a `CapacityDelegationAuthSig`, the equivalent Naga flow is:
+
+1. **Fund a payer wallet** – call `litClient.getPaymentManager({ account })` and deposit $LITKEY ($tstLPX in testnet) into the ledger contract (see examples above).
+2. **Register the payer** – decide how you want to provision and operate the sponsor wallet:
+   - **Lit-hosted Auth Service** – call `authService.registerPayer`; Lit derives the wallet + `payerSecretKey` for you (ideal for prototypes).
+   - **Self-hosted Auth Service** – deploy the open-source service (see [Auth Services setup](/sdk/getting-started/auth-services)) so derivation stays within your infrastructure. You’ll supply your own `LIT_DELEGATION_ROOT_MNEMONIC`.
+   - **Manual (no Auth Service)** – generate a wallet yourself (e.g. `privateKeyToAccount`) and store the private key securely; you’ll call the Payment Manager directly in the next step.
+3. **Delegate end-user addresses** – map users to the payer:
+   - Using an Auth Service: POST to `authService.add-users`.
+   - Manual route: call `paymentManager.delegatePayments*` with your server-side account; this writes to the same Payment Delegation contract.
+
+<Note>
+  For production environments we recommend running your own Auth Service (self-hosted) so you retain full custody over the `LIT_DELEGATION_ROOT_MNEMONIC` and derivation secrets. The Lit-hosted Auth Service is handy for prototypes and quick starts, but you still remain responsible for storing the returned `payerSecretKey` securely.
+</Note>
+4. **Users decrypt as normal** – the browser still calls `litClient.decrypt` with an auth context; the network draws fees from the delegated payer instead of the user’s wallet.
+
+```typescript server
+// Manual delegation without Auth Service
+import { createLitClient } from '@lit-protocol/lit-client';
+import { privateKeyToAccount } from 'viem/accounts';
+import { nagaTest } from '@lit-protocol/networks';
+
+const payerAccount = privateKeyToAccount(
+  process.env.PAYER_PRIVATE_KEY as `0x${string}`
+);
+const litClient = await createLitClient({ network: nagaTest });
+
+const paymentManager = await litClient.getPaymentManager({
+  account: payerAccount,
+});
+
+// Delegate a single user
+await paymentManager.delegatePayments({ userAddress: '0xUser...' });
+
+// Or delegate multiple users in one transaction
+await paymentManager.delegatePaymentsBatch({
+  userAddresses: ['0xAlice...', '0xBob...'],
+});
+```
+
+```typescript
+// Client-side decrypt with sponsored payments
+const authContext = await authManager.createEoaAuthContext({
+  litClient,
+  config: { account: walletClient },
+  authConfig: {
+    resources: [
+      ['access-control-condition-decryption', '*'],
+      ['lit-action-execution', '*'],
+    ],
+  },
+});
+
+const response = await litClient.decrypt({
+  data: encryptedData,
+  unifiedAccessControlConditions: accs,
+  authContext,
+  chain: 'ethereum',
+  userMaxPrice: BigInt('200000000000000000'), // optional guardrail
+});
+```
+
+Behind the scenes the SDK:
+
+- Builds a pricing context during handshake (product, per-node prices, threshold).
+- Encrypts requests per node using the JIT keyset.
+- Emits per-node max price in the session signature.
+- Lets the validators call `Ledger.chargeUser` against the delegated payer wallet.
+
 ## Auth Service API Endpoints
 
-Leverage the hosted Auth Service to manage delegation without exposing private keys in your application:
+Leverage the hosted Auth Service to manage delegation without exposing private keys in your application. Full request/response details live in the [Auth Services setup guide](/sdk/getting-started/auth-services#payment-delegation-apis). In practice you will:
 
-- `POST /register-payer` - Send your `x-api-key` header to receive a delegated payer address and `payerSecretKey`. Persist this secret securely; it is required for all future delegation calls.
-- `POST /add-users` - Provide headers `x-api-key` and `payer-secret-key` plus a JSON body containing an array of user addresses. The Auth Service uses the Payment Manager internally to delegate payments to each address in a single transaction.
+- Call `authService.registerPayer` (hosted or self-hosted) to derive a payer wallet + `payerSecretKey`.
+- Call `authService.delegateUsers` (`/add-users`) to sponsor a list of user addresses.
+- Or skip the service entirely and use the Payment Manager methods directly (example below).
 
 > The legacy capacity-credit minting flow has been removed. Payment delegation now interacts directly with the Payment Manager contracts.
 
@@ -118,35 +191,28 @@ const apiKey = process.env.LIT_API_KEY!;
 
 // 3. Register a payer wallet (store the secret securely server-side)
 const registerResponse = await litClient.authService.registerPayer({
-authServiceBaseUrl,
-apiKey,
+  authServiceBaseUrl,
+  apiKey,
 });
 
 console.log('Payer wallet:', registerResponse.payerWalletAddress);
 console.log('Payer secret (store securely!):', registerResponse.payerSecretKey);
 
 // 4. Later on, delegate payments for multiple users using the saved secret
 const delegateResponse = await litClient.authService.delegateUsers({
-authServiceBaseUrl,
-apiKey,
-payerSecretKey: registerResponse.payerSecretKey,
-userAddresses: [
-  '0x1234...abcd',
-  '0xabcd...1234',
-],
+  authServiceBaseUrl,
+  apiKey,
+  payerSecretKey: registerResponse.payerSecretKey,
+  userAddresses: ['0x1234...abcd', '0xabcd...1234'],
 });
 
 console.log('Delegation submitted with tx hash:', delegateResponse.txHash);
 
 // 5. Continue to use the same payer secret for future delegation calls
-````
+```
 
 ### How the Auth Service derives payer wallets
 
-- The service holds a single root mnemonic (`LIT_DELEGATION_ROOT_MNEMONIC`).
-- `/register-payer` combines the `x-api-key` header with a freshly generated `payerSecretKey`. That pair is hashed into a deterministic derivation index, which is then used with the root mnemonic to derive a unique child wallet.
-- The response includes the derived wallet address and the random `payerSecretKey`. The server does not store this secret; you must persist it securely on the client side.
-- Later, `/add-users` expects both headers (`x-api-key` and `payer-secret-key`). The service recomputes the same derivation index and wallet on the fly, so the same header pair always maps to the same child wallet.
-- Calling `/register-payer` again with the same API key issues a new random `payerSecretKey`, which leads to a different child wallet. Choose whether to rotate secrets or keep the original one depending on your application needs.
+- For hosted or self-hosted deployments, see the derivation and rotation notes in the [Auth Services guide](/sdk/getting-started/auth-services#payment-delegation-apis). Manual deployments can always provision and delegate entirely via the `PaymentManager` helper without touching these endpoints.
 
 ![](https://www.plantuml.com/plantuml/png/XPAn3jCm48PtFyMfKw8IiKSAQcab1a1K58c1CXpEaLWaJcHVIlFs6DkKcBHYYy-Vl_Floyuo6fxwJh3YZc0_SGjdCbSb2KuuzwGPZjHHWwm6BSJeS2NLYAw-ENJAxMy0BOJFT7ifyz3lGbodv3l5qG3lKMD3nlFn-ndh6RTyr3lSFTN5MYo96Xc_eINOh8F2OT1iKFeUzuKGLGKVgL6MoS28CnceAX5lNhnQ1YpXzE7y2LwQY1SUl-ZiLk2eYXyqvsA1hqw_8Kq6cKARCqb3VD57CkfAy1ExZXY-cw67NbC_Q2LX2quCJfnwdJXSi0ogp_xilguDMNlH2_rRcdt2-0m4aoLZ_viGwxhmv3BSYz2iiDuSAXxwydMLEmwaX8RYBBDSnABR_plY4fmCcToZEbUgMM1Ub0uxGoc7INCk0XNJf509Ibj6pGfvPVyNhUCZnRfzZIpRp4VCHGgxu_TVo1zSlAxuim75WoPy0qEIrCWhPJeBZxPeswUpjvEKP2rix-IET3trtIy0)